• "Fireball" Malware Contains Digital Certificates



    Check Point Threat Intelligence Research Team have discovered a “high volume Chinese threat operation”, in the form of Fireball. The scope of this mal[See the full post at: “Fireball” Malware Contains Digital Certificates]

    Link to the Code Red topic:
    “Fireball” Malware – a Browser Hijacker / Malware Downloader

    • #119260

      So, according to Check Point, it only infects machines that had rigged freeware installed, right?

This malware can’t spread any other way? I mean, the claimed numbers are incredibly high… It’s hard for me to believe in a threat based on social engineering working this well… I mean, it shouldn’t be hard to believe, I just don’t want to believe, I guess…

      But anyway, if I’m not installing freeware, well, not installing anything new in over a year, I should be safe against this one, right?

      • #119277

        From the linked Check Point article (Code Red topic):

        Fireball is spread mostly via bundling i.e. installed on victim machines alongside a wanted program, often without the user’s consent.


        To check if you’re infected, first open your web browser. Was your home-page set by you? Are you able to modify it? Are you familiar with your default search engine and can modify that as well? Do you remember installing all of your browser extensions?

        If the answer to any of these questions is “NO”, this is a sign that you’re infected with adware. You can also use a recommended adware scanner, just to be extra cautious.

        • #119281

          Is there software confirmed to detect Fireball infections at the current moment?

          • #119290

            I haven’t seen any mentioned so far.
            The quoted “How Can I Know If I Am Affected” is sensible advice. If it appears that a computer is infected, the full instructions on Check Point’s blog discuss uninstalling adware and malicious browser add-ons, resetting the browser settings, and running anti-malware/adware cleaner scans.

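The quoted "How Can I Know If I Am Affected" questions (home page, default search engine, extensions you don't remember installing) can be checked against a browser profile on disk instead of by eye. The script below is an added example and is not from the original post or from Check Point; it parses Chrome's `Preferences` JSON and Firefox's `prefs.js` and flags anything that differs from what the user configured. The "expected" values and the extension IDs are assumptions, and the two sample profiles are constructed for the example.

```python
import json
import re

# Values the user actually configured. These are assumptions for the example;
# replace them with your own home page, search engine and extension IDs.
EXPECTED_HOMEPAGE = "https://www.example.org/"
EXPECTED_CHROME_SEARCH_KEYWORD = "google.com"
EXPECTED_FIREFOX_SEARCH_NAME = "Google"
KNOWN_EXTENSION_IDS = {"abcdefghijklmnopabcdefghijklmnop"}  # constructed Chrome ID


def audit_chrome(prefs):
    """Return findings for a parsed Chrome 'Preferences' JSON object.

    Chrome keeps the home page in 'homepage', start-up tabs in
    'session.startup_urls', the default search engine in
    'default_search_provider_data.template_url_data' and per-extension state in
    'extensions.settings' (on Windows that block may live in 'Secure Preferences',
    which has the same layout)."""
    findings = []
    homepage = prefs.get("homepage")
    if homepage and homepage != EXPECTED_HOMEPAGE:
        findings.append(f"home page changed: {homepage}")
    for url in prefs.get("session", {}).get("startup_urls", []):
        if url != EXPECTED_HOMEPAGE:
            findings.append(f"unexpected start-up URL: {url}")
    dsp = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if dsp.get("keyword") and dsp["keyword"] != EXPECTED_CHROME_SEARCH_KEYWORD:
        findings.append(f"default search engine changed: {dsp.get('short_name')} ({dsp.get('url')})")
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        if ext_id not in KNOWN_EXTENSION_IDS:
            name = ext.get("manifest", {}).get("name", "?")
            origin = "Web Store" if ext.get("from_webstore") else "sideloaded"
            findings.append(f"unrecognised extension {ext_id} '{name}' ({origin}, path={ext.get('path')})")
    return findings


# One Firefox pref per line: user_pref("name", value);
FF_PREF = re.compile(r'user_pref\("([^"]+)",\s*(.*?)\);')


def audit_firefox_prefs(prefs_js):
    """Return findings for the text of a Firefox profile's prefs.js.

    Only the home page and the legacy 'browser.search.defaultenginename' pref are
    checked here; current Firefox versions keep search engines in
    search.json.mozlz4 and extensions in extensions.json."""
    prefs = {}
    for key, raw in FF_PREF.findall(prefs_js):
        try:
            prefs[key] = json.loads(raw)  # strings, booleans and numbers are valid JSON
        except ValueError:
            prefs[key] = raw
    findings = []
    homepage = prefs.get("browser.startup.homepage")
    if homepage and homepage != EXPECTED_HOMEPAGE:
        findings.append(f"home page changed: {homepage}")
    engine = prefs.get("browser.search.defaultenginename")
    if engine and engine != EXPECTED_FIREFOX_SEARCH_NAME:
        findings.append(f"default search engine changed: {engine}")
    return findings


# Constructed sample profiles showing the hijack signs; '.invalid' is a reserved TLD.
SAMPLE_CHROME_PREFS = {
    "homepage": "http://search.hijack.invalid/",
    "session": {"startup_urls": ["http://search.hijack.invalid/"]},
    "default_search_provider_data": {"template_url_data": {
        "keyword": "hijack.invalid", "short_name": "Fast Search",
        "url": "http://search.hijack.invalid/?q={searchTerms}"}},
    "extensions": {"settings": {
        "abcdefghijklmnopabcdefghijklmnop": {
            "manifest": {"name": "My Password Manager"}, "from_webstore": True},
        "ponmlkjihgfedcbaponmlkjihgfedcba": {
            "manifest": {"name": "Search Helper"}, "from_webstore": False,
            "path": r"C:\ProgramData\SearchHelper"},
    }},
}

SAMPLE_FIREFOX_PREFS_JS = '''
user_pref("browser.startup.homepage", "http://search.hijack.invalid/");
user_pref("browser.search.defaultenginename", "Fast Search");
user_pref("privacy.donottrackheader.enabled", true);
'''

if __name__ == "__main__":
    for label, findings in (("Chrome", audit_chrome(SAMPLE_CHROME_PREFS)),
                            ("Firefox", audit_firefox_prefs(SAMPLE_FIREFOX_PREFS_JS))):
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

To run it against a real profile, replace the sample dict with `json.load(open(path))` on the `Preferences` (or `Secure Preferences`) file under the Chrome user data directory, and read `prefs.js` from the Firefox profile folder. A finding is a prompt to look closer, not proof of infection: a corporate policy or a legitimate toolbar also changes these settings, which is why the quoted advice pairs the check with an adware scan.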
    • #119272

      Any list of what specific freeware is carrying this malware?

      • #119278

        I don’t believe there is a specific narrow list of affected downloads.

        From the linked Check Point article (Code Red topic):

        As with other types of malware, there are many ways for Fireball to spread. We suspect that two popular vectors are bundling the malware to other Rafotech products – Deal Wifi and Mustang Browser – as well as bundling via other freeware distributors: products such as “Soso Desktop”, “FVP Imageviewer” and others.

        • #119280

          But it is somewhat recent, right?

          I mean, if one does not install anything new in a while, it is unlikely to get hit, is that correct?

          • #119288

Check Point advises that it has recently discovered the threat. I haven’t seen anything to indicate how long they suspect it has been active, sorry.

            It is interesting to see how widespread the infections are, and that may indicate it isn’t extremely recent (it wouldn’t appear likely, presumably).

            According to our analysis, over 250 million computers worldwide have been infected: specifically, 25.3 million infections in India (10.1%), 24.1 million in Brazil (9.6%), 16.1 million in Mexico (6.4%), and 13.1 million in Indonesia (5.2%). The United States has witnessed 5.5 million infections (2.2%)…
            Another indicator of the incredibly high infection rate is the popularity of Rafotech’s fake search engines. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.


            In this research we’ve described Rafotech’s browser-hijackers operation – possibly the largest infection operation in history. We believe that although this is not a typical malware attack campaign, it has the potential to cause irreversible damage to its victims as well as worldwide internet users, and therefore it must be blocked by security companies.

            The full distribution of Fireball is not yet known, but it is clear that it presents a great threat to the global cyber ecosystem. With a quarter billion infected machines and a grip in one of every five corporate networks, Rafotech’s activities make it an immense threat.

    • #119628

      This is why corporations should be using HOSTS files and utilizing applications like Spybot Search & Destroy and Teatimer.

    • #120072

      What digital certificates does this contain? Self signed? Stolen/tampered? Purchased the normal way? What do they do with them? Hijack/inject all https?

      • #120105

        From blog.checkpoint.com (linked on Code Red topic):

        So how do they carry digital certificates? One possibility is that issuers make their living from providing certificates, and small issuers with flexible ethics can enjoy the lack of clarity in the adware world’s legality to approve software such as Rafotech’s browser-hijackers.
