Fireball Malware: Know How It Works And Find Out If Your PC Is Infected

It looks like the gloomy cloud of malware attacks is in no mood to leave the digital world. First, it was the WannaCry ransomware attack on May 12, 2017 that brought more than 3,00,000 computers in over 150 countries to a standstill by infecting it.

While companies around the world are still trying to recuperate from ‘WannaCry ransomware’ attack, a newly installed Chinese malware is now targeting browsers and then turning them into zombies. The malware dubbed ‘Firewall’ has affected more than 250 million computers around the world.

Check Point, a data security firm, who was the first one to discover the new threat, said that the malevolent software is designed to hijack browsers to change the default search engine and home pages and track their web traffic on behalf of Beijing-based digital marketing firm called Rafotech and boost the ad network for them, reported WIRED on Friday.

“Although Rafotech doesn’t admit it produces browser-hijackers and fake search engines, it does (proudly) declare itself a successful marketing agency, reaching 300 million users worldwide – coincidentally similar to our number of estimated infections,” Check Point analysts said on their blog.

When installed, the software redirects a user’s browser to websites that fake the look of the Google or Yahoo search homepages. The fake pages then secretly collect private information of the user using so-called tracking pixels.

The firm said it has found that the malware also has the ability to remotely run code that launches unauthorized tasks on infected computers, including downloading more malicious malware and ultimately manipulating the infected users’ web traffic in order to generate ad-revenue. Such cyber spying can lead to theft of banking and credit card credentials, medical files, patents, and other confidential data.
“A quarter-billion computers could very easily become victims of real malware. It installs a backdoor into all these computers that can be very, very easily exploited in the hands of the Chinese people behind this campaign,” said Maya Horowitz, Head of Check Point Research Team.

Based on analysis of its own network of clients, Check Point estimated that one in five corporate networks globally have at least one infection, which is equal to 20% of corporate computers. This new malware has its major occurrences in India, followed by Brazil, Mexico and Indonesia, according to the analysis.
“But only a fraction of those victims, around 5.5 million PCs, are in the US. Far worse hit are countries like India and Brazil, with close to 25 million infected machines each,” the firm said.

The catch here is that Fireball has a legit digital certificate since it acts as an adware and not a vicious malware. The Fireball package is easily spread through the popular adware technique called ‘bundling’ where it is covertly inserted into free software downloads and installed without the user’s knowledge or sometimes with user’s authorization.

Rafotech uses bundling in high volume to spread Fireball. There are two major types of bundling used by Fireball – such as Rafotech products like ‘Deal Wifi’ or with freeware products like ‘FVP Imageviewer’. The most evident sign of an infection is finding your browser has been redirected to a new homepage.

“According to our analysis, Rafotech’s distribution methods appear to be illegitimate and don’t follow the criteria which would allow these actions to be considered naïve or legal,” Check Point writes. “The malware and the fake search engines don’t carry indicators connecting them to Rafotech, they cannot be uninstalled by an ordinary user, and they conceal their true nature.”

Adding further, Check Points writes that while “the full distribution of Fireball is not yet known, it is clear that it presents a great threat to the global cyber ecosystem. Severe damage can be caused to key organizations, from major service providers to critical infrastructure operators to medical institutions. The potential loss is indescribable, and repairing the damage caused by such massive data leakage (if even possible) could take years.”

How to find out if your system has been infected? 

To check if your system is infected or not, first, open your web browser and answer these simple questions: Was your home-page set by you? Are you able to modify it? Are you familiar with your default search engine and can modify that as well? Do you remember installing all of your browser extensions?

If the answer to any of these questions is ‘NO’, then this is a sign that your system is infected with adware.

How do I remove the malware, once infected?

Some of the top search engines used by Rafotech are:,,, and others. To remove almost any adware, follow these simple steps:

Windows users can uninstall the adware by removing the application from the ‘Programs and Features’ list in the Windows Control Panel.

For Mac OS users:

Use the Finder to locate the Applications

Drag the suspicious file to the Trash.

Empty the Trash.

Note – A usable program is not always installed on the machine and therefore may not be found on the program list.

Scan and clean your machine, using:

Anti-Malware software

Adware cleaner software

Remove malicious Add-ons, extensions or plug-ins from your browser:

On Google Chrome:a.       Click the Chrome menu icon and select Tools > Extensions.

b.      Locate and select any suspicious Add-ons.

c.       Click the trash can icon to delete.


On Internet Explorer:a.      Click the Setting icon and select Manage Add-ons.

b.      Locate and remove any malicious Add-ons.


On Mozilla Firefox:a.       Click the Firefox menu icon and go to the Tools tab.

b.       Select Add-ons > Extensions.

A new window opens.

c.       Remove any suspicious Add-ons.

d.      Go to the Add-ons manager > Plugins.

e.      Locate and disable any malicious plugins


On Safari:a.       Make sure the browser is active.

b.      Click the Safari tab and select preferences.

A new window opens.

c.       Select the Extensions tab.

d.      Locate and uninstall any suspicious extensions.


Restore your internet browser to its default settings:

On Google Chrome:a.       Click the Chrome menu icon, and select Settings.

b.      In the On startup section, click Set Pages.

c.      Delete the malicious pages from the Startup pages list.

d.      Find the Show Home button option and select Change.

e.      In the Open this page field, delete the malicious search engine page.

f.       In the Search section, select Manage search engines.

g.      Select the malicious search engine page and remove from the list.


On Internet Explorer:a.       Select the Tools tab and then select Internet Options.

A new window opens.

b.      In the Advanced tab, select Reset.

c.      Check the Delete personal settings box.

d.      Click the Reset button.


On Mozilla Firefox:a.       Enable the browser Menu Bar by clicking the blank space near the page tabs.

b.       Click the Help tab, and go to Troubleshooting information.

A new window opens.

c.       Select Reset Firefox.


On Safari:a.       Select the Safari tab and then select Preferences.

A new window opens.

b.      In the Privacy tab, the Manage Website Data… button.

A new window opens.

c.      Click the Remove All button.

Additionally, ensure that your anti-virus software is working fine with its database updated to the latest one and is detecting malware or not. Further, stay away from free software, as those could be used to earn in the form of advertisements and maybe even by unethical means.

You can read more about the malware by clicking on the source link below.

Check Point