Slashdot Mirror


Chinese 'Fireball' Malware Infects Nearly 250 Million Computers Worldwide (thehackernews.com)

Check Point researchers have discovered a massive malware campaign, dubbed Fireball, that has already infected more than 250 million computers across the world, including Windows and Mac OS. The Fireball malware "is an adware package that takes complete control of victim's web browsers and turns them into zombies, potentially allowing attackers to spy on victim's web traffic and potentially steal their data," reports The Hacker News. From the report: Check Point researchers, who discovered this massive malware campaign, linked the operation to Rafotech, a Chinese company which claims to offer digital marketing and game apps to 300 million customers. While the company is currently using Fireball for generating revenue by injecting advertisements onto the browsers, the malware can be quickly turned into a massive destroyer to cause a significant cyber security incident worldwide. Fireball comes bundled with other free software programs that you download off of the Internet. Once installed, the malware installs browser plugins to manipulate the victim's web browser configurations to replace their default search engines and home pages with fake search engines (trotux.com). "It's important to remember that when a user installs freeware, additional malware isn't necessarily dropped at the same time," researchers said. "Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors."
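The summary above names the behaviour to look for on a machine: the homepage, startup page and default search provider redirected to a search-hijack site such as trotux.com, delivered by a browser plugin that the bundled installer drops. The script below is an added example (not code from Check Point, Rafotech, The Hacker News or any commenter in this thread) that audits a Chrome/Chromium profile's `Preferences` file for exactly those indicators. It assumes the Chromium Preferences key layout named in the docstring, takes the search domains from the hosts list posted further down in the thread as its indicator set, and treats Chromium's extension `location` codes 2, 3 and 6 as external (registry/pref) installs and 5 and 10 as browser components; all three are assumptions to verify against the Chrome build you are auditing.

```python
"""Audit a Chrome/Chromium 'Preferences' file for Fireball-style browser
hijacking: homepage, startup URLs and default search provider pointed at a
known search-hijack domain, plus extensions not installed from the Web Store.

Added example, not code from Check Point, Rafotech or the thread. Assumptions:
  * Preferences key layout (homepage, session.startup_urls,
    default_search_provider_data.template_url_data.url,
    extensions.settings.<id>.{from_webstore,location,manifest}) as in current
    Chromium builds; verify against your version if a key is absent.
  * HIJACK_DOMAINS are the search domains from the hosts list posted in the
    thread; a starting point, not a complete indicator set.
  * location 5/10 = component extensions bundled with the browser (skipped);
    2/3/6 = external pref/registry installs, the usual sideload channel for
    bundled adware on Windows.
"""
import json
import sys
from urllib.parse import urlparse

HIJACK_DOMAINS = frozenset({
    "trotux.com", "startpageing123.com", "funcionapage.com",
    "universalsearches.com", "thewebanswers.com", "nicesearches.com",
    "youndoo.com", "luckysearch123.com", "hohosearch.com", "yessearches.com",
})
COMPONENT_LOCATIONS = {5, 10}
EXTERNAL_LOCATIONS = {2, 3, 6}


def is_hijack_domain(host, domains=HIJACK_DOMAINS):
    """True if host is one of the hijack domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _host_of(url):
    return urlparse(url).hostname or ""


def audit_preferences(prefs, domains=HIJACK_DOMAINS):
    """Return a list of (indicator, detail) tuples for a parsed Preferences dict."""
    findings = []
    home = prefs.get("homepage", "")
    if home and is_hijack_domain(_host_of(home), domains):
        findings.append(("homepage", home))
    for url in prefs.get("session", {}).get("startup_urls", []):
        if is_hijack_domain(_host_of(url), domains):
            findings.append(("startup_url", url))
    tud = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if tud.get("url") and is_hijack_domain(_host_of(tud["url"]), domains):
        findings.append(("default_search", tud["url"]))
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        loc = ext.get("location")
        if loc in COMPONENT_LOCATIONS:
            continue  # shipped with the browser, not user-installed
        name = ext.get("manifest", {}).get("name", "?")
        if loc in EXTERNAL_LOCATIONS:
            findings.append(("externally_installed_extension", f"{ext_id} ({name})"))
        elif ext.get("from_webstore") is False:
            findings.append(("non_webstore_extension", f"{ext_id} ({name})"))
    return findings


def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        return audit_preferences(json.load(fh))


# Constructed sample profile (not a real capture): homepage, startup page and
# search provider all pointed at trotux.com, one registry-installed extension,
# one Web Store extension and one browser component.
SAMPLE_PREFS = {
    "homepage": "http://www.trotux.com/?z=abc",
    "session": {"restore_on_startup": 4, "startup_urls": ["http://www.trotux.com/"]},
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Trotux", "keyword": "trotux.com",
        "url": "http://www.trotux.com/search?q={searchTerms}"}},
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"location": 3, "from_webstore": False,
                                             "manifest": {"name": "Search Helper"}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"location": 1, "from_webstore": True,
                                             "manifest": {"name": "uBlock Origin"}},
        "cccccccccccccccccccccccccccccccc": {"location": 5,
                                             "manifest": {"name": "Chrome PDF Viewer"}},
    }},
}

if __name__ == "__main__":
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_preferences(SAMPLE_PREFS)
    for kind, detail in results:
        print(f"{kind}: {detail}")
    sys.exit(1 if results else 0)
```

Run it against the profile file, which on Windows is `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences` and on macOS `~/Library/Application Support/Google/Chrome/Default/Preferences`; on recent Chrome builds the extension and search-provider keys may instead live in the sibling `Secure Preferences` file with the same layout, so audit both. The script only reports; it does not revert the settings or remove the extension, which Check Point's write-up covers in its removal instructions.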

66 comments

  1. So, uhhh by Snotnose · · Score: 1

    How do I find out if I'm infuckted? File to look for? Program I can download and run to say yea/nay?

    1. Re:So, uhhh by hcs_$reboot · · Score: 5, Funny

      You should see an icon (bottom left) click on it, and click "About". If you see "wIndows" anywhere, you're infected.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:So, uhhh by AHuxley · · Score: 1

      Malwarebytes. If on Mac or Windows it's always good to have some AV.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:So, uhhh by __aadota8673 · · Score: 1

      I am responsible for security at an unnamed 3 letter government agency. I make sure patches are applied to 80k laptop and desktop Windows workstations, and I can tell you Malwarebytes is not a realistic way to defend against something like this. Back in my days as a video game white-hat tester I wrote a python script. After much refactoring, it now logs in to every box through a client listener socket I have open on each workstation, and checks to make sure everything is patched. This is the only realistic way to manage security - not an afterthought like AV. If you're patched up to the latest, you're not getting infected - Windows, Mac or Linux is irrelevant to the conversation.

    4. Re: So, uhhh by hunter44102 · · Score: 3, Informative

      Did you read the article? This will indeed install on your patched systems because it comes as a payload with freeware software that the users install. So Malwarebytes is exactly what is needed to find and remove it.

    5. Re:So, uhhh by CaptainDork · · Score: 1

      Kwit it.

      Yer Killin' me lol

      --
      It little behooves the best of us to comment on the rest of us.
    6. Re: So, uhhh by __aadota8673 · · Score: 0

      Format c: will also install on my patched system. The python script fixes broken computers, not broken users. My rich uncle (think $1mil+) is 70 years old and has been working 16 hour days all his life to save up for a 250k tractor (farmer). If he steers into a wall it's not the fault of John Deere software.

    7. Re:So, uhhh by Anonymous Coward · · Score: 0

      I'm sorry you're suffering from AIDS-related dementia, but this malware affects mac and windows.

    8. Re:So, uhhh by Anonymous Coward · · Score: 0

      ...If you're patched up to the latest, you're not getting infected - Windows, Mac or Linux is irrelevant to the conversation.

      It's 2017 and you can't fathom the concept of a zero-day attack.

      I truly have no words for your amount of ignorance.

    9. Re: So, uhhh by Anonymous Coward · · Score: 0

      I fuckin love u

    10. Re:So, uhhh by mreed911 · · Score: 3, Funny

      "Back in my days as a video game white-hat tester I wrote a python script. After much refactoring, it now logs in to every box through a client listener socket I have open on each workstation, and checks to make sure everything is patched." So you have homegrown python code listening on a custom socket and that has the ability to do administrative things on the computer? I see... tell me more about this setup, please... in the interest of "science."

    11. Re:So, uhhh by dbIII · · Score: 1

      listening on a custom socket and that has the ability to do administrative things on the computer

      MS Windows is like that :(
      MS Windows security is like a starlet's underwear. If it's there at all it doesn't cover much and is just there for decoration.
      You need third party tools (which do administrative things on the computer that in an ideal world only MS supplied tools could do) to fill up the gaps. So the above poster probably wrote something that acted like third party antivirus for specific situations - impressive but not impossible for a lone coder.

    12. Re:So, uhhh by Zontar+The+Mindless · · Score: 1

      I am responsible for security at an unnamed 3 letter government agency.

      D. M. V.

      What do I win?

      If you're patched up to the latest, you're not getting infected - Windows, Mac or Linux is irrelevant to the conversation.

      You're simply priceless. Please keep posting, and I'll keep wiping coffee from my keyboard.

      --
      Il n'y a pas de Planet B.
    13. Re:So, uhhh by phantomfive · · Score: 2

      If you're patched up to the latest, you're not getting infected

      This is absolutely not true. A zero-day is by definition a vulnerability that is not yet known to the software vendor, so no patch can exist, and yet hackers can know about it.

      We've actually seen examples where Microsoft hasn't patched security flaws, and the flaw was being exploited by hackers. Here is one example, there are plenty.

      --
      "First they came for the slanderers and i said nothing."
    14. Re: So, uhhh by Anonymous Coward · · Score: 0

      It doesn't use a zero-day exploit.

      It isn't even different from Adobe.

    15. Re: So, uhhh by __aadota8673 · · Score: 0

      Thanks bebbe. I love u2. Let's fuck.

    16. Re:So, uhhh by 110010001000 · · Score: 1

      You are responsible for security at a 3 letter government agency and you earn $50,000 in Silicon Valley?

    17. Re:So, uhhh by MoarSauce123 · · Score: 1

      Won't help you with zero days...but I guess your three letter agency has a broad catalog of zero days that are intentionally not shared with vendors.

    18. Re: So, uhhh by Brockmire · · Score: 1

      Why is this funny? There's no "About" in the start menu. Exactly 0 would be infected. You guys have extremely low bars for funny.

    19. Re:So, uhhh by __aadota8673 · · Score: 0

      Correct. What's your point besides proving asshats can summarize 3 lines of text into 1 line of text?

    20. Re:So, uhhh by __aadota8673 · · Score: 0

      That's right asshat. All things that talk over a network listen on a socket. I learned that in my networking class while getting my associate's degree. My grades were all As, and I made the dean's list. What's your point - I should have written a remote management script without using sockets? Maybe an illegal Mexican guy working for $2/hr who walks around with a USB stick? Let's call him Jesus. We could then close up that glaring security hole called IP protocol as well - I hear many viruses spread over IP protocol and HTML. I already don't use HTML though.

    21. Re:So, uhhh by LostMyBeaver · · Score: 1

      A socket is a means of communicating between processes (and the kernel) in UNIX. Berkeley implemented a sockets API for network communications as part of BSD and called it Berkeley sockets and later, a similar API called WinSock was implemented to provide a similar platform of communications on Windows, though it wasn't technically a socket.

      There are hundreds (probably thousands) of operating systems which don't use sockets for communications as the API is often overkill for small applications. Instead, they'll use the native APIs of systems like LWIP or uIP or similar. There may even be more systems on the planet today communicating via IP and the Internet without using sockets. But of course, a small and limited example of a system like this is the EU's network for mobile phone signal monitoring which at last count had 4 million + sensors.. all running without sockets. Or another I know of which is the Norwegian weather sensor network which I believe currently has close to 5 million + sensors, mostly without sockets.

      But I guess you're the expert :)

    22. Re:So, uhhh by LostMyBeaver · · Score: 1

      Oh, I'm about to roll over and die here. This is just brilliant, I wanted to see what you were responding to and I clicked back one... it was beautiful. I've actually made a bookmark to this one as it's going down in history as one of my favorite examples of how pathetic people "responsible for security" on government networks are.

      Did you even read what mreed911 wrote? If so, did you understand it?

      I love this!!! Criemer, you're absolutely brilliant. I think you might be my favorite new comedian... and you don't even get the joke!!!

      I'll stop typing now. Kicking the slow guy even if he's mean is still kicking the slow guy which is wrong.

    23. Re:So, uhhh by Anonymous Coward · · Score: 0

      This is a conversation about patching for malware that infects a Windows system. If you don't realize system in the scope of this article does not mean a mobile signal monitor sensor, you do not belong in a conversation between people.

      Let's talk about the weather:
      ME: I hate flying out of Chicago due to the lake - wind and rain makes flights late

      YOU: You're an idiot. An ICBM can be launched in heavy wind from Arizona.

      I'm going to guess you're pretty damn ugly and a reject, so you don't have experience conversing with people. I on the other hand am an orangutan who has actual IT experience to know what a system means in this context. I'm also going to guess you're really, really slow and confused, and a newcomer to slashdot. For other reasons.

    24. Re:So, uhhh by LostMyBeaver · · Score: 2

      We all know you started as a video game tester. 95% of your posts mention your entire history, high school grades included.

      You still didn't get the joke either. Mreed911 said something pretty much any competent IT guy would find hilarious and you either didn't read it or didn't get it.

      People might stop attacking you and stop teasing you if you stopped calling everyone names (about 70% of your posts, 50% when you specifically initiate aggression). They might respect you more if you don't self-aggrandize with your resume which on slashdot, isn't particularly impressive. Or if, knowing we all have a general assessment of your skills and experience, stopped making comments about how you would take it upon yourself to engineer things like dynamos for running shoes if you had the time when it would require things like expertise in mechanical engineering, miniaturization, polymers, ohh... and running shoe engineering which I assume are all outside of your skill-set with the possible exception of mechanical engineering on a hobbyist scale.

      Over the past five years, I've slowly learned that pointing out problems without attempting to offer a meaningful solution is a waste of time. If you don't have an answer or something meaningful to contribute, making the comment in the first place simply makes people hate you. So, in an effort to get people to hate me less, I've been trying to change myself.

      You mention a triple whammy. 47 + 350lb and 50k income. Based on this description, one would generally assess that you're screwed. Age, you're still young. 50 is the new 40. You have time to work with. I never hit 350lbs, so I can't possibly understand or even relate to your situation, but a few years back, I made it up to 200lbs (my comfort weight is 165). When I went to the store and smiled at the girl and she responded by telling me I would have to start shopping at places which specialize in "big boys". I realized I was old enough that she thought of me as her father and I was fat. 4 months later, I went back weighing in at 163 with a 31" waist line. During the time since then I've learned a great deal about humans in a meaningful way.

      Men ... especially IT guys have really short attention spans. If we can't solve the problem quickly... while we're on a roll, we lose interest.
      We tend to set goals for ourselves which are somewhat unrealistic and hope that we make it through before losing interest and hope no one notices when we give up and we spend a lot of energy coming up with great excuses for why it's ok we gave up.
      It's generally all about momentum, we think all problems have to be solved the way we send rockets to the moon. Stick enough fuel into the first stage of the rocket and break free of earth's atmosphere and all we'll need is some course correction to get there. The bitch of it is, most problems don't have a point where we can break free of gravity and friction.

      Another thing I learned about when I was younger was poverty.

      You've heard people make the comment "If he's so poor, how come he always seems to have enough money for food... fat ass"?

      Obesity is inversely correlated to income bracket for a reason. The poorer you are the fatter you tend to become. An IT guy with IT guy interests generally tends to prioritize toys over food and as a result a $50k income can equal a $20k + welfare/food stamps income. The only difference being that with some financial planning/responsibility, $50k can actually make ends meet... barely.

      How does this matter? That's easy, you and I were among the last people in America to take Home Economics in high school and what's worse is that we both were of a generation where mommy going back to work was something cute and short-term. We didn't take the class seriously. We never learned the important things about managing a household. In addition, I know I've never vacuumed under the couch in my life. I suck at it.

      Important things about managing a house.
      1) Plan your meals
      2) Meal pl

    25. Re:So, uhhh by Anonymous Coward · · Score: 0

      Wow, thanks for caring enough to say something.

    26. Re:So, uhhh by Anonymous Coward · · Score: 0

      Before you wrote a book you should have confirmed that it was just a joke account.

  2. Yet another reason to surf in VMs by JoeyRox · · Score: 3, Informative

    Congratulations on compromising my Virtual Machine. I will one-click delete you now.

    1. Re:Yet another reason to surf in VMs by Anonymous Coward · · Score: 0

      what if all your stuff is in your VM?

    2. Re:Yet another reason to surf in VMs by Anonymous Coward · · Score: 0

      what if all your stuff is in your VM?

      Normal people would just restore it, if they are not as stupid as you are. Duh ... what happens if the sun just exploded and we just don't know it yet? What then? Duhhhhh.....

    3. Re: Yet another reason to surf in VMs by Anonymous Coward · · Score: 0

      Lol then your new VM gets compromised just as easily

      IDIOT

      maybe consider not being a goddamn moron and start thinking about not leaving the same attack surface every goddamn time

    4. Re: Yet another reason to surf in VMs by Anonymous Coward · · Score: 0

      Wtf? Isn't it just easier to get rid of JavaScript once and for all? The reason why interest is still as low as in the 90s and why web browsers do so many opaque things in the background.

    5. Re: Yet another reason to surf in VMs by Anonymous Coward · · Score: 0

      You don't know how VMs work, do you.

    6. Re: Yet another reason to surf in VMs by Anonymous Coward · · Score: 0

      Why would restoring a VM do ANYTHING to secure it?

      If, for example, this malware simply flooded the user with pop-ups or similar, a restore will do nothing to stop that.

      Worse, it could be using a zero-day that escapes VMs.
      There was one discovered recently that could, using 3 chained exploits.
      VM escapes are vastly harder to do, but they are NOT impossible.

    7. Re:Yet another reason to surf in VMs by Anonymous Coward · · Score: 0

      It was stated in a Slashdot-linked story recently that at Pwn2Own 2017 they rooted and installed malware on the host through JavaScript called through a browser in the VM. So then what?

  3. MacOS target by manu0601 · · Score: 2, Informative

    Hacker News's story notes MacOS is a target, but that information cannot be found in Checkpoint blog.

    The infection involves installation of plugins from Chrome. Is that native code? If that is the case, it is unlikely that multiple targets are maintained, as it costs money.

    1. Re:MacOS target by gravewax · · Score: 2

      Considering checkpoint has instructions at the bottom of the article for uninstall from MacOS and they state clearly it has multiple packaging methods I would say you simply didn't actually read the checkpoint report.

    2. Re:MacOS target by manu0601 · · Score: 1

      Well I used the search feature of my browser for the "mac" word and did not find it in the article. Weird.

    3. Re:MacOS target by DontBeAMoran · · Score: 1

      My question is, can a website install a plugin in Chrome without our authorization?

      --
      #DeleteFacebook
    4. Re:MacOS target by Anonymous Coward · · Score: 0

      Well I used the search feature of my browser for the "mac" word and did not find it in the article. Weird.

      If you're using Safari, then this is normal.. Safari has shitty in-page search.. and I mean really shitty!

  4. Digital marketing and game apps... by Narcocide · · Score: 1

    ... to 300 million unaware, unwilling customers? Brilliant! Maybe this explains why my resume seems so lackluster.

  5. Fireball comes bundled with other free software by Anonymous Coward · · Score: 0

    So, it spreads by naive users installing sketchy software. Will people never learn?

    1. Re:Fireball comes bundled with other free software by Anonymous Coward · · Score: 0

      At this point, I think it's safe to assume they won't. They've had 3+ decades to learn, and they have not. Somehow I don't think they will suddenly start now.

      That is also why curated devices are taking over. That alleviates people of the responsibility to consider what they are doing. Someone else will consider it for them. Not always to their benefit, but that's a separate problem.

  6. Re: Time for the EU to put sanctions on China by Narcocide · · Score: 4, Insightful

    No, dude. The criminals have their own astro-turfing moderators. If you registered you'd know everyone gets to moderate. The moderation used to overall still reflect the will of the community because even the assholes were still acting in good faith.

  7. Re: Time for the EU to put sanctions on China by hcs_$reboot · · Score: 1

    And regarding criminal activities against the planet?

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  8. Old news? by Altrag · · Score: 5, Informative

    Sounds like its just Banzai Buddy 2.0..

    Unless there's something TFA is glossing over, it sounds like fairly standard adware.. they even state that it safely goes away when you uninstall the offending container software, making it actually less obnoxious than Banzai Buddy and his friends from a decade ago.

    1. Re:Old news? by dbIII · · Score: 1

      Minor nitpick (especially minor since a google search would now sort out the spelling mistake), but it was Bonzi Buddy.
      It was incredibly annoying. I'd had to go back to doing support every now and again, had a user complain about a very slow PC, found that piece of shit malware on it, deleted it, and then had to explain to that user's manager why I had made the user angry by removing the user's "friend".

    2. Re:Old news? by Altrag · · Score: 1

      Hah! Thanks, I knew that didn't look right but close enough that I didn't bother double-checking ;).

    3. Re:Old news? by Anonymous Coward · · Score: 0

      that grape gorilla was awesome. spyware and malware are so focused on fucking your shit up these days, it was so much better back then.

    4. Re:Old news? by AmiMoJo · · Score: 1

      Also, why is it "Chinese" malware? Malware made by Americans isn't usually referred to as "American malware". That designation is reserved for US government malware.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  9. Calm down by TheOuterLinux · · Score: 5, Interesting

    Fireball is literally no different than the ad-based crap Window$ pushes. It's not harmful on its own but can be used maliciously. Though, I doubt anyone really read the source. Fireball is a Chinese thing. Do you get your freemium software from Chinese websites? If you are a Slashdotter, then hopefully not, or you're a sadomasochist/complete moron. This is nothing more than a clever scare brought on by Micro$oft to get people on the M$ store bandwagon. Just learn to use FOSS applications. I know it's unjustifiably painful for whatever reason for Window$ users to not pay for things that are developed by hundreds of collaborators with source code to look at, but it won't actually hurt you.

    1. Re:Calm down by ArylAkamov · · Score: 1

      Do you get your freemium software from Chinese websites? If you are a Slashdotter, then hopefully not, or you're a sadomasochist/complete moron.

      But some of us get enjoyment out of breaking Windows as much as possible before a reformat or HDD change.

    2. Re:Calm down by Anonymous Coward · · Score: 0

      And MacOS. Read the article.

    3. Re:Calm down by TheOuterLinux · · Score: 1

      I did that part, but I own a Mac and adware doesn't work all that well. Some free VPNs use adware when launching a web browser, but that's what NoScript's for and your default browser shouldn't be Safari anyway. On top of which, by default, the current MacOS system prevents the launch of software from unknown developers, as well as checks the integrity of DMGs and applications at opening. I'll say it again, use FOSS if you're not going to use your system's store. If you get adware as a Mac user, you're just an idiot.

    4. Re:Calm down by TheOuterLinux · · Score: 1

      Sounds like instant gratification to me.

    5. Re:Calm down by Anonymous Coward · · Score: 0

      considering it isn't a MS only attack I would say you are a fucking moron.

  10. Re:Time for the EU to put sanctions on China by AHuxley · · Score: 2

    The Communist party has a few fears. That MI6, the CIA, NSA, GCHQ have set up secure communications networks with dissident groups in China.
    The only way China can be sure is to test every connection into and out of China from both directions. The network activity often seen is just the seeking of a network origin. Is it a VPN, encrypted, how does the server respond. It's the only way China can really understand what someone connected to from China. A constant real time mapping of the internet to find encryption efforts to/from China.

    --
    Domestic spying is now "Benign Information Gathering"
  11. Control the victim's browser? by Anonymous Coward · · Score: 0

    > an adware package that takes complete control of victim's web browsers and turns them into zombies

    Oh, you mean like any modern browser is doing anyway?

  12. Exaggerated and dramatized by Anonymous Coward · · Score: 0

    to build negative sentiments against China. This is no different than the stuff you are asked to install along with Adobe Flash, or any other browser-gimmick you get these days. The fact that it _could_ contain some attack vector, doesn't imply malicious intent.

    With this reasoning, Adobe, Intel, AMD, etc. are also running "malware campaigns". Let's instead focus on the REAL malware and spyware campaigns run by America's NSA and CIA, that's where the blame and anger should be focused.

  13. Follow the money by Stan92057 · · Score: 1

    I've said it a thousand times: the only way this ends is to go after the money, the people who pay for the advertising. Affiliates have to get paid somehow and the product seller knows who they are, so records and affiliate codes are kept on those affiliates (scumbag spammers). Then you actually need to go after these guys. Maybe if the NSA, FBI, CIA scumbags stopped spying/data mining on regular people living their lives and went after these scumbags, that would work too.

    --
    Jack of all trades,master of none
  14. Next steps by Anonymous Coward · · Score: 0

    Your computer may be damaged by Fireball; roll a saving throw.

  15. EZ 2 STOP via hosts files C&C server blocks by Anonymous Coward · · Score: 0

    0.0.0.0 attirerpage.com
    0.0.0.0 s2s.rafotech.com
    0.0.0.0 rafotech.com
    0.0.0.0 trotux.com
    0.0.0.0 startpageing123.com
    0.0.0.0 funcionapage.com
    0.0.0.0 universalsearches.com
    0.0.0.0 thewebanswers.com
    0.0.0.0 nicesearches.com
    0.0.0.0 youndoo.com
    0.0.0.0 giqepofa.com
    0.0.0.0 mustang-browser.com
    0.0.0.0 forestbrowser.com
    0.0.0.0 luckysearch123.com
    0.0.0.0 ooxxsearch.com
    0.0.0.0 search2000s.com
    0.0.0.0 walasearch.com
    0.0.0.0 hohosearch.com
    0.0.0.0 yessearches.com
    0.0.0.0 d3l4qa0kmel7is.cloudfront.net
    0.0.0.0 d5ou3dytze6uf.cloudfront.net
    0.0.0.0 d1vh0xkmncek4z.cloudfront.net
    0.0.0.0 d26r15y2ken1t9.cloudfront.net
    0.0.0.0 d11eq81k50lwgi.cloudfront.net
    0.0.0.0 ddyv8sl7ewq1w.cloudfront.net
    0.0.0.0 d3i1asoswufp5k.cloudfront.net
    0.0.0.0 dc44qjwal3p07.cloudfront.net
    0.0.0.0 dv2m1uumnsgtu.cloudfront.net
    0.0.0.0 d1mxvenloqrqmu.cloudfront.net
    0.0.0.0 dfrs12kz9qye2.cloudfront.net
    0.0.0.0 dgkytklfjrqkb.cloudfront.net
    0.0.0.0 dgkytklfjrqkb.cloudfront.net
    0.0.0.0 cloudfront.net

    Best protection vs. it = http://www.bing.com/search?q=%22apk+hosts+file+engine%22&qs=n&form=QBLH&sp=-1&pq=%22&sc=0-1&sk=&cvid=4FBA3B8840D04736BD1E99BB65304206/

    APK
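Before deploying a hosts-file block list like the one in the comment above, it is worth checking it for two things a hosts file cannot do: it has no wildcards, so `0.0.0.0 cloudfront.net` blocks only that exact name and none of the `*.cloudfront.net` entries, and `0.0.0.0 trotux.com` does not block `www.trotux.com`; and an entry that is the parent of other listed names (a shared CDN apex in particular) is a blunt instrument that can break unrelated sites. The linter below is an added example, not the poster's "hosts file engine" or any project's code; the embedded sample is a copy of the list as posted in the comment, constructed here as test input.

```python
"""Lint a hosts-file block list: find duplicate entries, entries that do not
point at a sinkhole address, and entries that are parents of other listed
names (which a hosts file does not wildcard-cover and which may be overbroad).

Added example, not the poster's script. SAMPLE_HOSTS is a copy of the list
posted in the thread, embedded here as a constructed test input.
"""
from collections import Counter

SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text):
    """Return [(line_no, ip, hostname)] for every entry, ignoring comments/blanks."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((n, ip, name.lower().rstrip(".")))
    return entries


def lint_hosts(text):
    """Return a dict of findings for a hosts-file text."""
    entries = parse_hosts(text)
    counts = Counter(name for _, _, name in entries)
    names = set(counts)
    report = {
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        # A non-sinkhole IP turns a "block list" into a redirect to that host.
        "non_sinkhole": sorted({n for _, ip, n in entries if ip not in SINKHOLES}),
        # Parent entries: the list also contains subdomains of this name. The
        # parent entry does NOT cover them (no wildcards) and, for a shared
        # CDN apex, blocks far more than the campaign's own distributions.
        "covers_listed_subdomains": [],
    }
    for name in sorted(names):
        children = [o for o in names if o != name and o.endswith("." + name)]
        if children:
            report["covers_listed_subdomains"].append((name, len(children)))
    return report


def effective_blocks(text, hostname):
    """True only if hostname itself is listed: hosts entries are exact matches."""
    return hostname.lower().rstrip(".") in {n for _, _, n in parse_hosts(text)}


SAMPLE_HOSTS = """\
0.0.0.0 attirerpage.com
0.0.0.0 s2s.rafotech.com
0.0.0.0 rafotech.com
0.0.0.0 trotux.com
0.0.0.0 startpageing123.com
0.0.0.0 funcionapage.com
0.0.0.0 universalsearches.com
0.0.0.0 thewebanswers.com
0.0.0.0 nicesearches.com
0.0.0.0 youndoo.com
0.0.0.0 giqepofa.com
0.0.0.0 mustang-browser.com
0.0.0.0 forestbrowser.com
0.0.0.0 luckysearch123.com
0.0.0.0 ooxxsearch.com
0.0.0.0 search2000s.com
0.0.0.0 walasearch.com
0.0.0.0 hohosearch.com
0.0.0.0 yessearches.com
0.0.0.0 d3l4qa0kmel7is.cloudfront.net
0.0.0.0 d5ou3dytze6uf.cloudfront.net
0.0.0.0 d1vh0xkmncek4z.cloudfront.net
0.0.0.0 d26r15y2ken1t9.cloudfront.net
0.0.0.0 d11eq81k50lwgi.cloudfront.net
0.0.0.0 ddyv8sl7ewq1w.cloudfront.net
0.0.0.0 d3i1asoswufp5k.cloudfront.net
0.0.0.0 dc44qjwal3p07.cloudfront.net
0.0.0.0 dv2m1uumnsgtu.cloudfront.net
0.0.0.0 d1mxvenloqrqmu.cloudfront.net
0.0.0.0 dfrs12kz9qye2.cloudfront.net
0.0.0.0 dgkytklfjrqkb.cloudfront.net
0.0.0.0 dgkytklfjrqkb.cloudfront.net
0.0.0.0 cloudfront.net
"""

if __name__ == "__main__":
    for key, value in lint_hosts(SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
    for probe in ("www.trotux.com", "d3l4qa0kmel7is.cloudfront.net", "cloudfront.net"):
        print(f"{probe}: {'blocked' if effective_blocks(SAMPLE_HOSTS, probe) else 'NOT blocked'}")
```

On the posted list the linter reports one duplicated cloudfront entry and two parent entries, `cloudfront.net` (12 listed subdomains) and `rafotech.com` (1); it also shows that `www.trotux.com` is not blocked even though `trotux.com` is. A hosts file is still only a partial control: it is consulted by the OS resolver, so applications with their own DNS (DNS-over-HTTPS in browsers, hard-coded resolvers) bypass it, and the list itself goes stale as the campaign rotates domains.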