Researchers from Check Point Software discovered that more than 250 million Windows computers worldwide were infected, SecurityWeekreported. According to the company’s blog, Fireball malware is like “a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do so much more.”
As noted by the International Business Times, Microsoft disputed the infection numbers. It claimed that the malware never passed the 5 million mark, according to the software giant’s internal metrics. So who’s right and who’s wrong? More importantly, does it matter for enterprise IT security?
Fanning the Flame of Fireball Malware
Both Check Point and Microsoft agreed that the malware originated from a Chinese digital marketing agency called Rafotech, which uses the code to infect machines, hijack browsers and steal personal information. The company’s fake search engines rank among the world’s top 10,000 websites and occasionally break the top 1,000. It claims to have around 300 million users worldwide, which is suspiciously close to the 250 million infections reported by Check Point.
Using legitimate-seeming digital certificates, Rafotech managed to bundle Fireball with both its own products and other freeware. However, it ensured that both its fake search engines and the malware itself didn’t carry any identifying marks.
For the moment, Fireball installs plugins and additional configurations to boost advertisements. It also uses tracking pixels to collect personal data and redirect search queries.
Check Point noted, however, that the program can also run arbitrary code, download applications and harvest more sensitive information, such as banking and medical details. Since Fireball “displays great sophistication and quality evasion techniques” such as antidetection functions, multilayer structure and a flexible command-and-control (C&C), it’s only a matter of time before this threat grows from an inconvenient issue into a big problem. Even if Rafotech never uses it this way, cybercriminals could deconstruct and leverage the source code as the basis for new infections.
A Heated Dispute
According to Ars Technica, Microsoft has been tracking the malware since 2015 and offered a different take on the number of infected users. Basing its results on Fireball infections cleaned by both Windows Defender and the Malicious Software Removal Tool, the total came in around 40 million.
Microsoft argued that while the threat of Fireball is real, the extent of its reach “might have been overblown.” The software giant pointed to Check Point’s data collection methods, claiming that since the researchers used the number of visits to malware-carrying search pages and not endpoint device data itself, there’s no way to know if every machine that stopped by was actually infected.
A Lake of Fire
Microsoft stated that neither the Edge browser nor Windows 10 S are vulnerable to this type of malware. And while the company’s data might be more accurate, the dust up doesn’t showcase any disagreement on the method of infection or the potential destructive force of Fireball.
Think of it like this: For Check Point, this new malware strain is like a bonfire, burning bright across continents and computers. For Microsoft, it’s a lit match — it stings if it burns, but quickly goes out. The problem is that both flames are lit above a lake of gasoline. Big or small, the result is devastating if they go over the edge.
The Fireball malware may have infected 250 million devices, or maybe it was more like 40 million. But cold, hard numbers aside, there’s real potential here for users to get burned.