Check Point Threat Intelligence and Research teams recently discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, Fireball, takes over target browsers and turns them into zombies.

Fireball has two main functionalities:A? the ability of running any code on victim computersdownloading any file or malware, andA? hijacking and manipulating infected users web-traffic to generate ad-revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware.

This operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate the victims browsers and turn their default search engines and home-pages into fake search engines. This redirects the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users private information. Fireball has the ability toA? spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines. This creates a massive security flaw in targeted machines and networks.

Fireball is spread mostly via bundling i.e. installed on victim machines alongside a wanted program, often without the users consent. Top infected countries are India (10.1%) and Brazil (9.6%)

The scope of the malware distribution is alarming. According to an analysis, over 250 million computers worldwide have beenA? infected: specifically,A? 25.3 million infections in India (10.1%), 24.1 million in Brazil (9.6%), 16.1 million in Mexico (6.4%), and 13.1 million in Indonesia (5.2%). The United States hasA? witnessed 5.5 million infections (2.2%).

Based on Check Points global sensors,A? 20% of all corporate networks are affected. Hit rates in the US (10.7%) and China (4.7%) are alarming;but Indonesia (60%), India (43%) and Brazil (38%) have much more dangerous hit rates. Another indicator of the incredibly high infection rate is the popularity of Rafotechs fake search engines. According to Alexas web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.