Dubbed Fireball, the malware was found by researchers at Check Point Security. The team said its purpose is to hijack web traffic to generate fraudulent ad revenue. It also includes remote control features for downloading more malware in the future.
Fireball has already infected over 250 million computers worldwide. When it embeds itself into a machine, it takes control of the web browsers and “turns them into zombies.” The browsers end up acting on Fireball’s behalf. While it’s currently relatively innocuous, focusing on installing plugins to increase ad distribution, Check Point warned it could easily be modified to be more sinister.
Because Fireball is so powerful, it can be expected it will soon be used as the basis of more serious attacks. It can execute any code it desires on the user’s machine, allowing it to steal files, spy on login activity and download additional malware. Although it’s currently seeing use only as a browser hijacker for money-making purposes, Check Point explained that the potential is there to do much more.
READ MORE: Google says Gmail now blocks over 99.9 percent of phishing emails
“How severe is it? Try to imagine a pesticide armed with a nuclear bomb,” the company said. “Yes, it can do the job, but it can also do much more.”
Fireball is created by a Chinese firm called Rafotech. It is believed it has managed to infect so many machines worldwide because it frequently comes bundled with other applications. Users inadvertently install the software by blindly clicking through prompts from other apps.
Check Point said that Rafotech “carefully walks along the edge of legitimacy.” The company purports to offer search and marketing services but many of its products appear to be fake or hijacking tools. In a curious coincidence, Rafotech’s website proudly advertises that it reaches “300 million users,” a similar feature to Fireball’s global reach.
According to Check Point, Rafotech has the capability to “initiate a global catastrophe.” If the company chose to use all of its software’s capabilities, it could extract data from over 250 million PCs worldwide.
Around 20% of the total Fireball installations are on corporate networks. It would be able to steal and sell sensitive documents, banking details and medical files. If it wanted, it could instruct Fireball to download ransomware utilities, allowing it to extort money from businesses around the globe.
Even if Rafotech itself remains content to settle in the grey area of shady bundled software, there are already many similar browser hijackers in existence. Check Point found that Beijing-based ELEX Technology produces a series of products that may be related to Fireball.
It is suspected that ELEX Technology and Rafotech are in some way related. Even if they’re not directly under the same leadership, they appear to be aiding each other’s distribution of browser hijacking utilities. This suggests there are at least two collaborators with potentially unhindered access to a quarter of a billion computers worldwide.
Check Point said Fireball represents a “great threat” to global cybersecurity and could be the largest infection campaign in history. While its current intentions don’t appear to be strongly malicious, there’s nothing stopping its creators from embarking on a very different campaign. The distribution also presents other risks – if external hackers obtained the software, they could republish it themselves and unlock all its capabilities.
