Fireball: Browser Hijacker/Adware
Original Issue Date: June 02, 2017
It has been reported that a malware named "Fireball", which targets web browsers, is spreading worldwide. Fireball can collect user information, manipulate web traffic to generate ad revenue, drop further malware and execute malicious code on infected machines. According to the reports, Fireball currently installs plug-ins and additional configurations to boost its advertisements, but it could be used as a distributor for other malware in future.
This malware is detected by the majority of antivirus solutions; users are advised to install and maintain an updated antivirus solution to protect their computers from this infection. Detection names by vendor:
- Ad-Aware: Gen:Variant.Johnnie, Gen:Variant.Symmi, Gen:Variant.Zusy, Gen:Variant.Mikey
- AegisLab: Troj.Generickd!c, Gen.Variant.Zusy!c, Adware.W32.Elex!c
- Arcabit: Trojan.Johnnie, Trojan.Symmi, Trojan.Zusy, Trojan.Mikey, Trojan.Adware.Graftor, Adware.Generic
- Avira (no cloud): ADWARE/Adware.Gen7
- ESET-NOD32: a variant of Win32/Adware.ELEX.AD
- F-Secure: Gen:Variant.Adware.Graftor, Gen:Variant.Adware.Zusy, Adware:W32/Elex
- McAfee: RDN/Generic PUP.x, Artemis!84DCB96BDD84, Win32.Generic.cm, Win32.Dropper, Win32.Downloader
- Sophos: Generic PUA AD
It is reported that the malware "Fireball" is used by one of the largest marketing agencies to manipulate victims' browsers, changing their default search engines and home pages to fake search engines. The fake search engines redirect the queries to either yahoo.com or Google.com and also collect the users' private information.
Fireball is capable of performing the following tasks:
- Acts as a browser hijacker
- Manipulates web traffic to generate ad revenue
- Capable of downloading further malware
- Capable of executing any malicious code on the victim machine
- Collects user information and steals credentials from the victim machine
Fireball spreads via bundling: it gets installed on victim machines alongside other freeware programs, mostly without the user's consent. Popular vectors are bundling the malware with products such as "Deal Wifi" and "Mustang Browser", or bundling via other freeware distributors/products such as "Soso Desktop" and "FVP Imageviewer".
Upon installation, the malware manipulates the victim's browsers, changing the default search engine and home page to a fake search engine. It acts as a browser hijacker and manipulates the infected user's web traffic to generate ad revenue. The fake search engine as opened in a victim's infected web browser is shown below.
How to determine the infection
Open the web browser on your computer and check the following:
- Is the home page the one set by you?
- Are you able to modify the home page?
- What is the default search engine? Are you able to change the default search engine?
- Check the browser plug-ins installed: were the extra plug-ins installed by you?
If the answer to the above questions is "NO", you might be a victim of adware; scan your machine with an updated antivirus.
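To make the checks above repeatable on a Chrome profile, here is an added Python example (not part of this advisory) that audits a profile's Preferences-style JSON against a defender-maintained allowlist of home page and search hosts and flags side-loaded extensions. The key layout (`homepage`, `session.startup_urls`, `default_search_provider_data.template_url_data`, `extensions.settings`) is assumed from Chrome's Preferences/Secure Preferences format, and the sample profile is constructed, not a real Fireball artifact.

```python
import json, sys
from urllib.parse import urlparse

# Constructed allowlist of hosts considered legitimate for home page and search.
TRUSTED_HOSTS = {"www.google.com", "google.com", "search.yahoo.com", "www.bing.com"}

def host_of(url):
    """Hostname of a URL in lower case, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()

def audit_chrome_prefs(prefs):
    """Return findings for hijack-style changes in a Chrome profile's
    Preferences/Secure Preferences data (key layout assumed from that format)."""
    findings = []
    homepage = prefs.get("homepage", "")
    if homepage and host_of(homepage) not in TRUSTED_HOSTS:
        findings.append(f"home page points to unknown host: {host_of(homepage)}")
    for url in prefs.get("session", {}).get("startup_urls", []):
        if host_of(url) not in TRUSTED_HOSTS:
            findings.append(f"startup page points to unknown host: {host_of(url)}")
    dsp = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if dsp and host_of(dsp.get("url", "")) not in TRUSTED_HOSTS:
        findings.append(f"default search provider is unknown: {dsp.get('keyword')} -> {host_of(dsp.get('url', ''))}")
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        name = ext.get("manifest", {}).get("name", "?")
        if not ext.get("from_webstore", False):  # side-loaded, as bundlers typically do
            findings.append(f"extension not from Web Store: {name} ({ext_id}) at {ext.get('path')}")
    return findings

# Constructed sample resembling a hijacked profile; not a real Fireball artifact.
SAMPLE_PREFS = {
    "homepage": "http://search.hijack-example.test/?src=hp",
    "session": {"restore_on_startup": 4,
                "startup_urls": ["http://search.hijack-example.test/"]},
    "default_search_provider_data": {"template_url_data": {
        "keyword": "hijack-example.test", "short_name": "Search",
        "url": "http://search.hijack-example.test/s?q={searchTerms}"}},
    "extensions": {"settings": {
        "abcdefghijklmnopabcdefghijklmnop": {"from_webstore": False,
            "path": r"C:\Users\user\AppData\Local\Temp\srchhelper",
            "manifest": {"name": "SearchHelper"}},
        "ponmlkjihgfedcbaponmlkjihgfedcba": {"from_webstore": True, "manifest": {"name": "Store Extension"},
            "path": r"ponmlkjihgfedcbaponmlkjihgfedcba\1.0_0"}}},
}

if __name__ == "__main__":
    # Audit a real profile if a path is given (with Chrome closed), else the sample.
    prefs = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_PREFS
    for finding in audit_chrome_prefs(prefs):
        print(finding)
```

On Windows the default profile's file is `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences` (search-provider data may live in `Secure Preferences` beside it); the script only reads and reports, it changes nothing.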
Indicators of compromise (IoC)
Command & Control addresses:
Countermeasures
- Do not click on banners, pop-ups or ad notifications.
- Check the default settings of your web browsers, such as the default home page, default search engine and the browser extensions and plug-ins installed. If an unknown setting is found, remove it.
- Monitor the traffic generated from client machines to the domains and IP addresses mentioned above in the Indicators of Compromise (IoC) section.
- In the browser, set the Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
- Refer to Desktop security: http://www.cyberswachhtakendra.gov.in/documents/Desktop_security.pdf
- Exercise caution while installing third-party applications or freeware software.
- Do not visit untrusted websites.
- Do not download or open attachments in emails received from untrusted sources, or received unexpectedly from trusted users.
- Enforce application whitelisting or strict Software Restriction Policies (SRP) to block binaries running from the %APPDATA%, %PROGRAMDATA% and %TEMP% paths; malware samples generally drop to and execute from these locations.
- Enforce application whitelisting on all endpoint workstations.
- Use a limited-privilege user account on the computer, or allow administrative access to systems only through dedicated administrative accounts.
- Enable a personal firewall on workstations.
- Install anti-malware engines, scan regularly and keep them up to date.
- Keep the operating system and third-party applications (MS Office, browsers, browser plug-ins) up to date with the latest patches.
- Disable unnecessary services on user workstations and servers if they are not in use.
- Maintain situational awareness of the latest threats and implement appropriate ACLs.