Not only has it not carried out anything of note … yet … it has mainly been spread around India, Brazil, Mexico and Indonesia, which account for ~33% of the total infections. The US has about 5.5 million infected machines or 2.2% of the total. Fireball is an Adware product of a Chinese Digital Marketing agency called Rafotech. This has been discovered by security researchers at Check Point.

So how has it spread so widely and quietly?

Lets answer that by saying what it is first. It’s what is known as a browser high-jacker. It takes control of your browser (Chrome, Firefox, Safari, Internet Explorer or Edge) and directs any searches you make on the internet to go through Rafotech search engines rather than Google or Yahoo. They use other tracking technology (tracking pixels) to capture personal data about you. All of this generates advertising revenue for Rafotech as Fireball controls where your browser goes.

How it has spread was by being bundled with other software, which people have downloaded and installed. Fireball was included and installed without permission on the victim’s computer. Fireball is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.

What this means is that, at this time it is nothing more than a sneaky spy that is watching what you are browsing and re-directing your searches to it’s own search engines so it can generate advertising revenue for Rafotech. It could very easily be weaponised and have much more destructive malware execute without your permission on your machine.

How do I know if I’m infected?

To check if you’re infected, first open your web browser. Was your home-page set by you? Are you able to modify it? Are you familiar with your default search engine and can modify that as well? Do you remember installing all of your browser extensions? If the answer to any of these questions is “NO”, this is a sign that you’re infected with some type of adware.

How do I clean it up?

1. To remove almost any adware:

Follow these simple steps on Windows:

1. Uninstall the adware by removing the application from the Programs and Features list in the Windows Control Panel.

For Mac OS users:

1. Use the Finder to locate the Applications
2. Drag the suspicious file to the Trash.
3. Empty the Trash.

Note – A usable program is not always installed on the machine and therefore may not be found on the program list.

2. Scan and clean your machine, using:

• Anti-Malware software
• Adware cleaner software

3. Remove malicious Add-ons, extensions or plug-ins from your browser:

On Google Chrome:
a. Click the Chrome menu icon and select Tools > Extensions.
b. Locate and select any suspicious Add-ons.
c. Click the trash can icon to delete.

On Internet Explorer:
a. Click the Setting icon and select Manage Add-ons.
b. Locate and remove any malicious Add-ons.

On Mozilla Firefox:
a. Click the Firefox menu icon and go to the Tools tab.
b. Select Add-ons > Extensions.
    A new window opens.
c. Remove any suspicious Add-ons.
d. Go to the Add-ons manager > Plugins.
e. Locate and disable any malicious plugins.

On Safari:
a. Make sure the browser is active.
b. Click the Safari tab and select preferences.
    A new window opens.
c. Select the Extensions tab.
d. Locate and uninstall any suspicious extensions.

4. Restore your internet browser to its default settings:

On Google Chrome:
a. Click the Chrome menu icon, and select Settings.
b. In the On startup section, click Set Pages.
c. Delete the malicious pages from the Startup pages list.
d. Find the Show Home button option and select Change.
e. In the Open this page field, delete the malicious search engine page.
f. In the Search section, select Manage search engines.
g. Select the malicious search engine page and remove from the list.

On Internet Explorer:
a. Select the Tools tab and then select Internet Options.
    A new window opens.
b. In the Advanced tab, select Reset.
c. Check the Delete personal settings box.
d. Click the Reset button.

On Mozilla Firefox:
a. Enable the browser Menu Bar by clicking the blank space near the page tabs.
b. Click the Help tab, and go to Troubleshooting information.
    A new window opens.
c. Select Reset Firefox.

On Safari:
a. Select the Safari tab and then select Preferences.
    A new window opens.
b. In the Privacy tab, the Manage Website Data… button.
    A new window opens.
c. Click the Remove All button.

The post Fireball – 1,000 times bigger than Wannacry. appeared first on L2 Cyber Security Solutions Ltd..

According to this, the concept of using malicious subtitle files to compromise a machine goes back to the early 2000’s. However that was not a very widespread phenomenon back in the day.

In this modern era, where every home probably has multiple media players, this could become a very serious problem, because you might not have the media player set to automatically update. In fact in some cases there is no automatic update facility available, only a message to suggest you update the software manually. This is the case with VLC and Kodi for Windows. As we say in our First Commandment, you should always keep your software up-to-date with patches and new versions.

You might ask what kind of impact could a malicious subtitle file really have. The researchers at Check Point posted their research into this attack vector and the following is what they said could happen:

By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.

So, yes it is pretty serious alright. The researchers also discovered that it is possible to manipulate sites that host subtitles in order to make a malicious subtitle file more “popular” so the sick subtitles would be more likely to be chosen and loaded by the media player when the video is being played.

They have also provided a video to show, as a proof of concept, how easy it is to take control of the victim’s computer by way of malicious subtitles.

I realised after reading this story that I still have Kodi installed on my home PC, though I have not used it in a couple of years (as I use Plex to watch my media now). It was running version 14.1 whereas the current version is 17.3. So I’ve uninstalled it altogether now and also verified that my Plex installation is fully updated, as well as any installs of VLC. I gotta practice what I preach. 

The post Sick subtitles can infect your media player appeared first on L2 Cyber Security Solutions Ltd..

When I was a teenager, watching slasher flicks like A Nightmare on Elm Street (the original 1984 version) and Halloween, in order to look like a “tough guy” I developed a sort of movie watching buffer whereby when any startling occurrence happened (e.g. the scary guy leaps out of the shadows), I would simply sit there all cool-like while all around me leaped out of their seats. I would mentally take a moment to let the occurrence happen and then internally say “Yep! That thing that happens in every scary movie happened” and just continue watching. I just don’t react to the situation the instant it happens.

The post A Nightmare on Quadrooter Street. appeared first on L2 Cyber Security Solutions Ltd..