{"id":7863,"date":"2017-06-13T04:46:55","date_gmt":"2017-06-13T08:46:55","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=7863"},"modified":"2019-11-15T15:23:51","modified_gmt":"2019-11-15T11:23:51","slug":"fireball-adware","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/fireball-adware\/7863\/","title":{"rendered":"Fireball: Adware with potential nuclear consequences"},"content":{"rendered":"<p>Advertising can sometimes be annoying \u2014 and sometimes it can be malicious. Businesses that make their money selling advertisements sometimes go too far trying to make sure you see their ads. Recently <a href=\"http:\/\/blog.checkpoint.com\/2017\/06\/01\/fireball-chinese-malware-250-million-infection\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">researchers found<\/a> that one such business \u2014 a big digital-marketing agency \u2014 went as far as installing adware on 250 million computers running Windows and macOS all over the world.<\/p>\n<p>What\u2019s even worse, this adware is capable of turning into full-fledged malware that can divert users to malicious sites and drop malware on their computers. And no one seemed to notice it \u2014 until now.<\/p>\n<h2>The stealthy Fireball<\/h2>\n<p>Adware is a type of application that shows you ads or collects data about you for purposes of profiling you and selling that profile to advertising agencies, which, in turn, show you ads. The most common way adware sneaks onto computers is when it comes bundled with other software. Adware creators are willing to pay for the bundling, so some developers of free software are actually eager to bundle it with their products to monetize them.<\/p>\n<p>However, bundling can look quite different depending on the developers. 
Whereas normally you are notified about additional software being installed alongside the app you want, Fireball, the adware in question, doesn\u2019t prompt users or give them a chance to opt out of the installation \u2014 it just stealthily installs. It\u2019s important to note that the bundled adware doesn\u2019t necessarily install at the same time as the freeware program you were interested in. The adware might be dropped in later, when you\u2019re less alert to potential installation issues.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">My big fat adware cleaning (or why it's difficult to remove adware from your PC) \u2013 <a href=\"http:\/\/t.co\/LGtUqlKFgL\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/LGtUqlKFgL<\/a> <a href=\"http:\/\/t.co\/wnSskYlXh2\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/wnSskYlXh2<\/a><\/p>\n<p>\u2014 KasperskyUK (@kasperskyuk) <a href=\"https:\/\/twitter.com\/kasperskyuk\/status\/562298359361576960?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 2, 2015<\/a><\/p><\/blockquote>\n<p>Fireball is a browser hijacker, which means it modifies your browser to serve its creator\u2019s purposes. The modification involves changing the homepage and the default search engine as well as blocking your attempts to change them back. The fake search engines Fireball sets as defaults contain tracking pixels that gather data about users to use for marketing purposes. Also, Fireball has the ability to execute any code on the infected computer and download browser extensions or other software.<\/p>\n<p>What\u2019s interesting is that despite its malicious nature, Fireball is signed with legitimate digital certificates, which makes it seem innocuous. 
It also implements other detection-evasion techniques to make it harder for security suites to find it and mark it as malicious. That\u2019s why no one noticed the spreading epidemic for some time \u2014 Fireball seemed to be a totally legit app.<\/p>\n<h3>Why Fireball is so dangerous<\/h3>\n<p>Additional ads together with additional tracking might seem bothersome but not dangerous. However, Fireball\u2019s ability to download and install browser extensions and execute code on an infected device makes it a perfect backdoor \u2014 one that can be used, well, in a lot of different ways: mostly for dropping bad stuff onto your computer to harvest critical information or infect your device with various kinds of malware.<\/p>\n<p>According to the researchers who discovered Fireball, it has already infected more than 250 million devices worldwide, and it can be found on one in every five corporate networks. If (or <em>once<\/em>) its creators decide to use it for espionage, Fireball could become a global catastrophe.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Fireball malware infects 250 million computers worldwide \u2013 <a href=\"https:\/\/t.co\/41FE02cqlO\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/41FE02cqlO<\/a><\/p>\n<p>\u2014 Threatpost (@threatpost) <a href=\"https:\/\/twitter.com\/threatpost\/status\/870620418083889153?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">June 2, 2017<\/a><\/p><\/blockquote>\n<h3>How can I tell that I\u2019m not infected?<\/h3>\n<p>Despite Fireball\u2019s stealth, it\u2019s quite easy to spot. Open your browser and look at the homepage \u2014 is it the homepage you set? How about the default search engine? Can you modify the settings to change your homepage and default search engine? 
If you answered no to any or all of those, you might be infected with adware, be it Fireball or something else.<\/p>\n<p>If nothing blocks your attempts to modify the settings and you are sure that your homepage and default search engine are intact, you are probably not infected with Fireball. But nonetheless, why not run a virus scan? Better safe than sorry.<\/p>\n<h3>Shields vs. Fireballs<\/h3>\n<p>As you probably know if you play RPGs, the best protection against fireballs is a magical shield. In this case, a good security solution is your magical shield.<\/p>\n<p>For example, to protect your computer from adware, you can change the settings in <a href=\"https:\/\/me-en.kaspersky.com\/internet-security\" target=\"_blank\" rel=\"noopener noreferrer\">Kaspersky Internet Security<\/a> to deny installation of so-called <em>potentially unwanted programs<\/em>. The software will then detect and block any attempts to install adware, keeping Fireball and its ilk off your computer. You can learn how to adjust those settings <a href=\"https:\/\/www.kaspersky.com\/blog\/tip-of-the-week-stop-adware\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Advertising can sometimes be annoying \u2014 and sometimes it can be malicious. Businesses that make their money selling advertisements sometimes go too far trying to make sure you see their ads. 
Recently researchers found that one such business \u2014 a big digital-marketing agency \u2014 went as far as installing adware on 250 million computers running Windows and macOS all over the world.<\/p>\n","protected":false},"author":675,"featured_media":7864,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[781,1172,542,1326,1327,1328,36,113],"class_list":{"0":"post-7863","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-ads","9":"tag-advertising","10":"tag-adware","11":"tag-fireball","12":"tag-hijacking","13":"tag-macos","14":"tag-malware-2","15":"tag-windows"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/fireball-adware\/7863\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/fireball-adware\/4282\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/fireball-adware\/11510\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/fireball-adware\/10597\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/fireball-adware\/10513\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/fireball-adware\/13086\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/fireball-adware\/13160\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/fireball-adware\/17777\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/fireball-adware\/3269\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/fireball-adware\/17015\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/fireball-adware\/8858\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/fireball-adware\/9141\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/fireball-adware\/6855\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/fireball-adware\/13233\/"
},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/fireball-adware\/15987\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/fireball-adware\/17015\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/fireball-adware\/17015\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/malware-2\/","name":"malware"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/7863","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/675"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=7863"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/7863\/revisions"}],"predecessor-version":[{"id":14828,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/7863\/revisions\/14828"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/7864"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=7863"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=7863"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=7863"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}