This adware created a backdoor into 250 million PCs, say researchers

250 million machines are infected with revenue-generating Fireball adware which is also able to run any code on a victim computer.
Written by Danny Palmer, Senior Writer

One single type of adware is running on as many as 250 million PCs around the world - and one in five businesses, according to security researchers.

Dubbed Fireball , the campaign is based around hijacking and manipulating users' web-traffic, probably to generate ad-revenue, but the security researchers said Fireball also has the capability to perform any action on the victims' machine, creating a backdoor that potentially puts PCs at risk.

Uncovered by cybersecurity researchers at Check Point, the Fireball adware can be distributed with freeware products which means users may be unaware of what they are downloading.

Once installed on an infected machine, Fireball employs browser manipulation to redirect traffic from users' search engines and home pages to a different search engine - a fake overlay of Google or Yahoo - perhaps with the intention of allowing the developers to collect ad revenue from searches made.

The adware also uses tracking pixels - a pixel-sized image in the browser used for tracking website visits and other web activity to collect private information about the victim.


A fake search engine installed by Fireball

Image: Check Point

Check Point researchers say Fireball has infected 25 million users in India, 24 million in Brazil, 16 million in Mexico, and 13 million in Indonesia. Check Point analysis claims Fireball has infected 5.5 million in the US, with 10 percent of US corporations affected.

It's also thought that 10 percent of corporations in the UK, France and Germany have at least one machine with the Fireball adware on it.

Fireball's potential ability to become a malware distributor is highly advanced, offering technical sophisticated, evasion techniques and anti-detection capabilities that offers the distributors a critical backdoor Check Point said.

The Check Point researchers say the Fireball is run by a Chinese marketing company called Rafotech: ZDNet has contacted Rafotech about the claims, but is yet to receive a reply at the time of publication.

But there's a simple way to remove the adware -- the adware can be uninstalled using Programs and Features list in the Windows Control Panel, or the using Mac Finder function in the Applications folder on Macs. Users should also removing malicious add-ons, extensions or plug-ins from their browsers.


Editorial standards