
Sunday, 4 June 2017

Chinese malware infects 250 million computers

Source: Check Point blog. How Fireball infects computers.

Check Point Threat Intelligence and research teams have discovered a Chinese threat operation which has already infected over 250 million computers worldwide, and 20% of corporate networks.

The Fireball malware comes with legitimate digital certificates and has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines. It hijacks and manipulates infected users’ web traffic to generate advertising revenue. Currently, Fireball installs plug-ins and additional configurations to boost advertisements, but it is extremely sophisticated and could just as easily distribute other malware.

This operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate the victims’ browsers and redirect search queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users’ private information. Check Point observes that Rafotech does not admit to producing browser-hijackers and fake search engines, but does say it reaches 300 million users worldwide – "coincidentally similar to our number of estimated infections", the Check Point research team stated in a blog post.

Key findings include:

- Fireball is spread mostly via bundling, i.e. it is installed on victim machines alongside a wanted program, often without the user’s consent.

- India has the most infections at 25.3 million infections (10% of the total), while Indonesia has 13.1 million infections (5.2%).

"According to our analysis, Rafotech’s distribution methods appear to be illegitimate and don’t follow the criteria which would allow these actions to be considered naïve or legal. The malware and the fake search engines don’t carry indicators connecting them to Rafotech, they cannot be uninstalled by an ordinary user, and they conceal their true nature," said the Check Point research team.

The news follows on from another widespread adware malware campaign uncovered by Check Point, one involving Android apps on Google Play dubbed "Judy". Judy malware is auto-clicking adware hidden within 41 apps developed by a single Korean company, Kiniwini. Kiniwini shows up on Google Play as "Enistudio corp.". The malware has reached over 18.5 million downloads, the security company said.

Interested?

Read the Check Point Software blog post about how Judy works

Find out more about how Fireball works, and how to remove it

