HKCERT is aware that a security vendor has published a research on a Fireball marketing adware, claimed to has infected over 250 million computers worldwide. According to news report, 8.7% of HK corporate networks has at least 1 infected machine in their network.

Means of distribution and impacts

From the research by Check Point, it was found that the malware was distributed by a mainland China marketing company by bundling it in some free software. Users may have installed Fireball when installing those free software without being notified. Once installed, Fireball will hijack browser to change the homepage and redirect to fake search engine.

The research speculated that Fireball has the ability to become malware downloader which could result in the risk of stealing credentials, execute malicious code and performing other malicious behaviours, though there is no evidence claimed by the research on the current version of Fireball performing such activities.

Advice on cleanup and prevention

For cleanup, please use Microsoft Safety Scanner to scan and remove any malicious applications:

https://www.microsoft.com/security/scanner/default.aspx

Advices to prevent infections:

1. Please do not download and install software from unverified sources. Be cautious when installing some software which claimed to be free or offer some benefits but need to enable additional features.
2. Ensure baseline protection of your computers with anti-virus program or Internet security application, and install security update of OS and software.

Reference

• http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/
• https://www.hkitblog.com/?p=39470 (Chinese)