Adware that infects your computer to display pop-ups is an annoyance. But when it infects as many as one in five networks in the world, and hides the capability to do far more serious damage to its victims, it’s an epidemic waiting to happen.
The security firm Check Point has warned of a massive new adware outbreak: it counts 250 million PCs infected with malicious code it calls Fireball, designed to hijack browsers, change the default search engine, and track web traffic on behalf of a Beijing-based digital marketing firm called Rafotech. More disturbingly, Check Point says the malware can also run arbitrary code on the victim’s machine on command, or download new malicious files. It’s potentially serious malware, disguised as something more trivial.
Check Point found that at least some of the estimated hundreds of millions of computers infected with Fireball contracted the malware via free software “bundled” with Rafotech’s code. The researchers point to freeware like Soso Desktop and FVP Imageviewer, both of which have been packaged with the adware in some cases. But since none of those free applications is particularly popular or even recognizable to Americans, Check Point’s Horowitz admits that the researchers don’t know whether other common techniques, like phishing or exploit kits, are also used to install the malware. Rafotech didn’t respond to WIRED’s request for comment.
Check Point traced the Fireball infections to Rafotech by analyzing the domains of the command-and-control servers the malware calls back to. The researchers were also able to check the registration of the domains hosting the highly obscure search engines that Fireball forces on its victims (search engines that actually load their results from Google and Yahoo).
Rafotech may monetize the traffic of its infected computers by taking a fee when infected machines visit the website of one of its clients, Check Point speculates. The search engines to which it directs hijacked browsers use tracking pixels that could identify infected machines again when they end up on a destination site. But Check Point says it can’t be exactly sure how Rafotech profits from hosting Google and Yahoo search results on obscure sites. Neither Google nor Yahoo responded immediately to a request for comment about any potential involvement in the adware scheme.
Check Point arrived at its 250 million infections estimate by looking at Alexa traffic statistics for those search sites. But the security firm says it’s possible it missed some domains, and therefore undercounted. (Rafotech suspiciously boasts on its website that it has a reach of over 300 million users.) Based on analysis of its own network of clients, Check Point estimates that one in five corporate networks globally has at least one infection. Only a fraction of those victims, around 5.5 million PCs, are in the US. Far worse hit are countries like India and Brazil, with close to 25 million infected machines each.
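Check Point measured Fireball from the outside, via traffic to the hijacked search domains. A network defender can look for the same pattern from the inside, in their own proxy logs: a “search” request to a host that is not a known search engine, immediately followed by the same client landing on Google or Yahoo with that unknown host as the Referer, plus later beacon-style requests back to the redirector’s infrastructure while the user is on some unrelated site (the tracking-pixel behaviour described above). The script below is an added example written for this page, not Check Point’s tooling and not derived from the Fireball samples; the Squid-style log format, the client addresses and every hostname (all under the reserved `.example` domain) are constructed. The allowlist of legitimate search engines and the `q`/`p`/`query` parameter names are assumptions a deployment would tune.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: the search engines this fleet is expected to use.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "duckduckgo.com"}
# Assumption: query-string names that mark a request as a web search.
SEARCH_PARAMS = ("q", "p", "query")

# Constructed proxy log (not real traffic). Fields:
# timestamp client_ip method url status referer   ("-" = no Referer header)
SAMPLE_LOG = """\
1496700001.120 10.0.4.17 GET http://www.google.com/search?q=quarterly+report 200 -
1496700002.334 10.0.4.23 GET http://hijack-search-a.example/?q=vpn+client&uid=5f3a 302 -
1496700002.401 10.0.4.23 GET http://search.yahoo.com/search?p=vpn+client 200 http://hijack-search-a.example/?q=vpn+client&uid=5f3a
1496700003.005 10.0.4.23 GET http://px.hijack-search-a.example/p.gif?uid=5f3a 200 http://www.vendor-site.example/
1496700004.900 10.0.4.31 GET http://hijack-search-b.example/search?q=expense+form 302 -
1496700005.010 10.0.4.31 GET http://www.google.com/search?q=expense+form 200 http://hijack-search-b.example/search?q=expense+form
1496700006.777 10.0.4.17 GET http://www.bing.com/search?q=lunch 200 -
1496700007.200 10.0.4.45 GET http://intranet.corp.example/wiki?q=holiday+calendar 200 -
"""


def parse_log(text):
    """Turn the six-field log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, referer = line.split()
        records.append({"ts": float(ts), "client": client, "method": method, "url": url,
                        "status": int(status), "referer": None if referer == "-" else referer})
    return records


def search_query(url):
    """Return the decoded search term if the URL carries a search parameter, else None."""
    qs = parse_qs(urlsplit(url).query)
    for name in SEARCH_PARAMS:
        if name in qs:
            return qs[name][0]
    return None


def find_search_hijacks(records, known_hosts=KNOWN_SEARCH_HOSTS):
    """Map each confirmed redirecting 'search engine' host to the clients it hijacked.

    A host is only a candidate when it receives search-looking requests and is not on
    the allowlist; it is confirmed when the same client then reaches a real search
    engine with the candidate as Referer, i.e. the candidate fronted the real results.
    An internal wiki that happens to use ?q= stays a candidate and is never reported.
    """
    candidates = defaultdict(set)
    for r in records:
        host = urlsplit(r["url"]).hostname
        if host not in known_hosts and search_query(r["url"]) is not None:
            candidates[host].add(r["client"])

    confirmed = defaultdict(set)
    for r in records:
        if r["referer"] is None:
            continue
        dst = urlsplit(r["url"]).hostname
        src = urlsplit(r["referer"]).hostname
        if dst in known_hosts and src in candidates and r["client"] in candidates[src]:
            confirmed[src].add(r["client"])
    return dict(confirmed)


def tracking_beacons(records, hijacks):
    """Requests to a confirmed redirector's infrastructure (same domain or a subdomain)
    made while the client is on some other site: the tracking-pixel pattern that
    re-identifies an infected machine on a destination page."""
    hits = []
    for r in records:
        if r["referer"] is None:
            continue
        dst = urlsplit(r["url"]).hostname or ""
        src = urlsplit(r["referer"]).hostname or ""
        for redirector in hijacks:
            on_redirector_infra = dst == redirector or dst.endswith("." + redirector)
            if on_redirector_infra and not src.endswith(redirector):
                hits.append((r["client"], r["url"]))
    return hits


def infection_rate(records, hijacks):
    """(infected clients, total distinct clients) seen in the log window."""
    clients = {r["client"] for r in records}
    infected = set().union(*hijacks.values()) if hijacks else set()
    return len(infected), len(clients)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hijacks = find_search_hijacks(recs)
    for host, clients in sorted(hijacks.items()):
        print(f"redirector {host}: {sorted(clients)}")
    for client, url in tracking_beacons(recs, hijacks):
        print(f"beacon from {client}: {url}")
    print("infected/total clients:", infection_rate(recs, hijacks))
```

The two-pass confirmation matters in practice: plenty of legitimate internal and SaaS hosts take a `q=` parameter, so an allowlist miss alone is a weak signal, while the Referer chain into a real search engine is exactly the behaviour the article describes. In a real deployment the allowlist and parameter names need tuning, HTTPS traffic will only expose hostnames (from SNI or DNS) rather than full URLs, and a confirmed redirector domain should feed the organisation’s DNS blocklist and the host inventory for cleanup.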
Adware is a troubling nuisance. But Check Point warns that Fireball should be judged not by what it’s doing, but by what it could do: allow its administrators to turn their unwilling ad-revenue audience into a botnet, or to harvest credentials and other private data en masse.
“Something behind this is fishy, and the intentions of the developers aren’t only to monetize on advertisements,” she says. “We don’t know their plan, and if there really is one. But it looks like they want to have the opportunity to take it to the next level. And they can.”