Microsoft has cast doubt on Check Point’s claims that Fireball has a hold in one in five corporate networks.
Microsoft has cast doubt on the Fireball campaign, believed to be a serious threat to consumers and the enterprise alike.
According to Windows Defender researcher Hamish O’Dea, the recent reports relating to the Fireball cybercriminal campaign may have been “overblown.”
A recent Check Point research paper claimed Rafotech, a large digital marketing agency based in Beijing, runs the Fireball scheme, which represents a “great threat to the global cyber ecosystem with 250 million infected machines and a grip in one of every five corporate networks.”
Check Point claims that 20 percent of all corporate networks are in some way impacted by Fireball, with most infections taking place in the US, China, Indonesia, India, and Brazil.
Microsoft has been tracking Fireball since 2015 and says that while the threat’s tactics have evolved over time, an initial tactic used to infect vulnerable systems through software bundling is still in play.
The Fireball malware is installed with programs that users download through their Internet browser, and is most commonly associated with cracks, keygens, and pirated content such as games, music, and applications.
When downloaded, there will often be clean programs as part of the bundle. However, these clean programs host processes which can then be utilized to load malicious code, in a manner Microsoft says is “an attempt to evade behavior-based detection.”
Over the last three years, the Redmond giant has watched the Fireball threat actors focus on persistence, monetization through advertising, and hijacking browser search and home page settings on infected machines.
Prevalance of Fireball infections across the world.
The most common malware tools bundled into Fireball are BrowserModifier:Win32/SupTab and BrowserModifier:Win32/Sasquor.
Once a dodgy software bundle has been installed on to a system, Fireball’s initial payload will hijack browser home pages and default home settings, either by modifying settings directly or creating new shortcuts to launch legitimate browsers.
If a user then conducts searches through the malware operator’s engine, they receive income from ad impressions.
Fireball also makes use of settings changes and plugins to boost ad revenue, uses tracking pixels to collect private information, and is able to drop more malware payloads onto infected systems.
Microsoft says that when Check Point researched the size of the Fireball problem, infection vectors, and severity, the company based their findings on the number of visits to the malware’s search pages, rather than the collection of endpoint data.
As a result, the results may not be valid, as not every PC which visits these pages is infected, and estimates were based on Alexa ranking data and normal search habit rather than traffic commonly produced by malware infections.
Taking a look at 300 million Windows Defender AV clients in use since 2015, Microsoft says that the graphs shown below may represent a more concise representation of Fireballs’ scale.
The spike in October 2016 occurred when the SupTab family was added to MSRT.
Microsoft says that the company’s security team has not seen “any changes on Fireball’s strategy” in recent times.
“Fireball’s infection chain includes malware and software bundlers silently installing other applications,” O’Dea says. “You need security solutions that detect and remove all components of this type of infection.”
Bundles containing crapware, spyware and malicious files are not uncommon, but if you have either Window’s homegrown Defender Antivirus or a third-party option including AVG, Kaspersky Antivirus, and Bitdefender, these systems will detect and remove Fireball before your system is compromised.