Security Alert
Jonathan Crowe
Jun 2017

Alert: Fireball Malware Has Infected 1 in 5 Corporate Networks

Photo by Thomas Hawk

A massive campaign of browser-hijacking malware has already infected more than 250 million computers worldwide.

Key Details

  • What's happening: Researchers at security firm Check Point have discovered a massive adware operation that's taken control of web browsers on more than 250 million computers — and can execute code on any of them.
  • What the malware does: Dubbed "Fireball," not only does the malware hijack victim browsers to generate ad revenue, it also enables remote code execution and can be used to harvest credentials or download additional malware.
  • How it's getting delivered: Fireball is currently being bundled up with free software programs and installing itself without the user's knowledge or consent.
  • Who's behind it: According to Check Point, Fireball is being operated by China-based digital marketing agency Rafotech (which denies any wrongdoing). 
  • What to do: Ask your users to make sure their homepages and search engines haven't been modified and that they don't have any extra or suspicious browser extensions running. If they do, take steps to uninstall them.
  • Barkly blocks Fireball:

    In order to block Fireball before it does any harm, make sure you have runtime malware defense (RMD) that can prevent it from hijacking your browser or doing anything else malicious (watch Barkly's RMD block Fireball automatically in the video below).

  • empty
  • empty

Keep your company safe from malware like Fireball automatically.
Learn how

Researchers at Check Point Software Technologies have uncovered what they're referring to as "possibly the largest infection operation in history" — a campaign of browser-hijacking malware called Fireball that has infected more than 250 million computers worldwide.

Adware with the potential for much more: What makes Fireball dangerous

Once installed, Fireball's primary purpose is to manipulate web-traffic to generate ad revenue. It currently does that by replacing victims' default search engines and home pages with fake ones, and by installing plugins and additional configurations to boost advertisements.

In addition to this standard adware functionality, however, Check Point researchers say Fireball also has the ability to run code on victim machines. That opens the door for further exploitation and maliciousness, including credential harvesting and downloading additional malware. It also makes the 250 million infected computers one giant potential botnet in the making. To put that number in perspective, Necurs, the notorious botnet behind the distribution of Locky ransomware, the Dridex banking trojan, and more recently Jaff ransomware, is estimated to be roughly 6 million hijacked machines. 

The scope of any spam campaigns or DDoS attacks leveraging these infected computers could be massive. 

250 million infections worldwide


Map of FIreball malware infections (darker pink = more infections) / Check Point

According to Check Point's analysis, not only has the malware infected over 250 million computers, it's also crept into 20 percent of corporate networks around the world.

India, Brazil, Mexico, and Indonesia are among the countries hardest hit, but infections have also been spotted on 5.5 million computers and slightly more than 10 percent of the corporate networks in the U.S.

Fireball infections in the U.S.

  • 5.5 million computers
  • 10 percent of corporate networks

How Fireball is spreading

Fireball has been tied to Beijing-based digital marketing agency Rafotech, which is purportedly using it to boost its ad revenue. The malware is typcially delivered by bundling it alongside other free software programs, so that it's downloaded without a user's knowledge or consent. 

The most common programs Fireball is being bundled with are freeware products such as Soso Desktop and FVP Imageviewer as well as two Rafotech products — Deal Wifi and Mustang Browser. 

Check Point argues these distribution methods are clearly suspect, pointing out not only does the malware and the fake search engines not carry indicators connecting them to Rafotech, they also conceal their true purpose and can't be uninstalled by an ordinary user. Researchers say the reason Rafotech has been able to carry them out is thanks to a "lack of clarity in the adware world's legality." 

Thanks to this gray area, many copies of Fireball actually have digital certificates that make the malware look legitimate and can help it bypass antivirus detection.   

How to protect your company from Fireball malware

In addition to using software restriction policies and advising employees not to download free software, deploying runtime malware defense can prevent Fireball from running, even if it has found its way onto an employee's computer. 

Even though Fireball is a new threat, Barkly's runtime malware defense blocks it automatically, without any updates necessary.

Wistia video thumbnail - Barkly-vs-Fireball-malware

Thanks for reporting a problem. We'll attach technical data about this session to help us figure out the issue. Which of these best describes the problem?

Any other details or context?



Removing adware

If you suspect your computer has been infected with adware you may be able to simply remove it by locating and uninstalling it using the Programs and Features list in the Windows Control Panel or the Applications folder on a Mac. 

In some cases, you may need anti-malware or adware cleaner software to conduct a more thorough system scan and cleaning. 

You should also check for any unauthorized or suspicious browser extentions and plug-ins and make sure your homepage and search engine are the ones that you set. 

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Close the gaps in your security

See how Barkly’s Runtime Malware Defense blocks attacks other solutions miss.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.