Fireball – 1,000 times bigger than Wannacry.

Fireball malwareHave you seen the news reports and headlines about Fireball? No? That’s odd. 250 million PCs are infested with it. That’s a thousand times more machines around the world than WannaCry (you do remember WannaCry don’t you, or was it sooo two weeks ago 😏). So you would think the news organisations would be all over it. Of course, it’s not doing anything much to it’s victim PCs … at this point … but that could easily change. So nothing really to report on, is there.

Not only has it not carried out anything of note … yet … it has mainly been spread around India, Brazil, Mexico and Indonesia, which account for ~33% of the total infections. The US has about 5.5 million infected machines or 2.2% of the total. Fireball is an Adware product of a Chinese Digital Marketing agency called Rafotech. This has been discovered by security researchers at Check Point.

So how has it spread so widely and quietly?

Lets answer that by saying what it is first. It’s what is known as a browser high-jacker. It takes control of your browser (Chrome, Firefox, Safari, Internet Explorer or Edge) and directs any searches you make on the internet to go through Rafotech search engines rather than Google or Yahoo. They use other tracking technology (tracking pixels) to capture personal data about you. All of this generates advertising revenue for Rafotech as Fireball controls where your browser goes.

How it has spread was by being bundled with other software, which people have downloaded and installed. Fireball was included and installed without permission on the victim’s computer. Fireball is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.

What this means is that, at this time it is nothing more than a sneaky spy that is watching what you are browsing and re-directing your searches to it’s own search engines so it can generate advertising revenue for Rafotech. It could very easily be weaponised and have much more destructive malware execute without your permission on your machine.

How do I know if I’m infected?

To check if you’re infected, first open your web browser. Was your home-page set by you? Are you able to modify it? Are you familiar with your default search engine and can modify that as well? Do you remember installing all of your browser extensions? If the answer to any of these questions is “NO”, this is a sign that you’re infected with some type of adware.

How do I clean it up?

1. To remove almost any adware:

Follow these simple steps on Windows:

1. Uninstall the adware by removing the application from the Programs and Features list in the Windows Control Panel.

For Mac OS users:

  1. Use the Finder to locate the Applications
  2. Drag the suspicious file to the Trash.
  3. Empty the Trash.

Note – A usable program is not always installed on the machine and therefore may not be found on the program list.


2. Scan and clean your machine, using:

  • Anti-Malware software
  • Adware cleaner software

3. Remove malicious Add-ons, extensions or plug-ins from your browser:

On Google Chrome:
a. Click the Chrome menu icon and select Tools > Extensions.
b. Locate and select any suspicious Add-ons.
c. Click the trash can icon to delete.

On Internet Explorer:
a. Click the Setting icon and select Manage Add-ons.
b. Locate and remove any malicious Add-ons.

On Mozilla Firefox:
a. Click the Firefox menu icon and go to the Tools tab.
b. Select Add-ons > Extensions.
    A new window opens.
c. Remove any suspicious Add-ons.
d. Go to the Add-ons manager > Plugins.
e. Locate and disable any malicious plugins.

On Safari:
a. Make sure the browser is active.
b. Click the Safari tab and select preferences.
    A new window opens.
c. Select the Extensions tab.
d. Locate and uninstall any suspicious extensions.


4. Restore your internet browser to its default settings:

On Google Chrome:
a. Click the Chrome menu icon, and select Settings.
b. In the On startup section, click Set Pages.
c. Delete the malicious pages from the Startup pages list.
d. Find the Show Home button option and select Change.
e. In the Open this page field, delete the malicious search engine page.
f. In the Search section, select Manage search engines.
g. Select the malicious search engine page and remove from the list.

On Internet Explorer:
a. Select the Tools tab and then select Internet Options.
    A new window opens.
b. In the Advanced tab, select Reset.
c. Check the Delete personal settings box.
d. Click the Reset button.

On Mozilla Firefox:
a. Enable the browser Menu Bar by clicking the blank space near the page tabs.
b. Click the Help tab, and go to Troubleshooting information.
    A new window opens.
c. Select Reset Firefox.

On Safari:
a. Select the Safari tab and then select Preferences.
    A new window opens.
b. In the Privacy tab, the Manage Website Data… button.
    A new window opens.
c. Click the Remove All button.