Fireball is malware that has reportedly spread to over 250 million computers around the world. Although it masquerades as simple adware, Fireball may actually be considerably more malicious. It has been examined by many security organizations, and several distinct indicators of compromise (IoCs) have been linked to it.
The payloads vary greatly, but the impact is the same: Fireball installs silently, carries persistent browser-hijacking capabilities and is extremely difficult to remove.
While traditional adware is relatively harmless and usually easy to remove, more malicious strains like Fireball are becoming more prevalent. Fireball is almost always found bundled with other software, and bundled in such a way that a typical user would never notice it; that is the “hidden” aspect.
We have come across a few major packages, each containing various other adware programs such as QQBrowser, the aMule P2P client, BiksQRSS, an RSS client, and more.
That bundled adware, however, is not what the user should be worried about as a malware threat: most of it is common, easy to remove, and not classifiable as malware.
The real issue is the set of browser hijackers installed by the bundle. Each takes the form of a DLL registered as a Windows service, and these payloads all install the usual persistence mechanisms and even clean up after themselves.
These services carry Fireball’s browser-hijacking functionality. They do what a hijacker typically does: change your home page or redirect your browser traffic to locations of the author’s choosing, generating advertising revenue for the malware author. That is not behaviour you would expect from traditional adware.
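To hunt for this shape of persistence on a host, the following PowerShell is an added triage script, not Cylance’s code and not an indicator taken from this article. It lists every Windows service that is really a DLL loaded through a ServiceDll parameter, flags those whose DLL is unsigned or lives outside %SystemRoot%\System32 (heuristics assumed for illustration), and then prints the browser start-page settings a hijacker would have changed. The Internet Explorer registry location and the Chrome default-profile Preferences path are the standard ones; other profiles and browsers are left to the reader.

```powershell
# Added triage script (not from the article). Enumerate services implemented as a DLL
# (ServiceDll under HKLM\...\Services\<name>\Parameters) and flag the ones a browser
# hijacker tends to look like: DLL outside System32, or not carrying a valid signature.
# Both heuristics are assumptions for illustration, not published Fireball IoCs.

$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-DllHostedService {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc    = $_
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll    = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { return }                      # plain EXE service, not our shape
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service      = $svc.Name
            StartMode    = $svc.StartMode
            State        = $svc.State
            ServiceDll   = $dll
            OutsideSys32 = -not $dll.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)
            Signature    = if ($sig) { $sig.Status } else { 'Missing' }
        }
    }
}

# Anything outside System32 or without a valid Authenticode signature deserves a look.
$suspects = Get-DllHostedService | Where-Object { $_.OutsideSys32 -or $_.Signature -ne 'Valid' }
$suspects | Format-Table -AutoSize

# The hijacker's payload is the browser configuration itself, so print the settings it
# would have changed. IE keeps its start page in the registry; Chrome keeps homepage and
# startup URLs in a JSON Preferences file (default profile path assumed here).
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
"IE start page: $($ie.'Start Page')"

$chromePrefs = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Preferences'
if (Test-Path $chromePrefs) {
    try {
        $p = Get-Content $chromePrefs -Raw | ConvertFrom-Json
        "Chrome homepage: $($p.homepage)"
        "Chrome startup URLs: $($p.session.startup_urls -join ', ')"
    } catch {
        "Could not parse Chrome Preferences: $($_.Exception.Message)"
    }
}
```

Run it from an elevated PowerShell prompt so the Parameters keys of every service are readable. A legitimate Microsoft service will occasionally show up with a signature status other than Valid (for example on a machine with a stale catalog), so treat the output as a shortlist to verify against the service’s binary on disk rather than a verdict.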
Many of these services also contain detailed logging capability, and many of the other bundles include files used to gather information about the host. Again, gathering information is not something adware usually does.
Fireball has been shown to send this information over similar command-and-control (C2) channels, primarily hosted on Amazon’s CloudFront CDN.
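Matching the CloudFront domain alone is a poor detection, because a large share of legitimate web traffic sits behind the same CDN. The added example below (not from the article, and the log lines are constructed sample data in a Sysmon Event ID 3-like shape, not real Fireball telemetry) scores connections instead on the combination that matters here: a process that is not a browser contacting the same CloudFront distribution at a steady cadence. The browser allow-list and the jitter threshold are assumptions; a hijacker that runs inside the browser process would need a different filter.

```powershell
# Added detection example (not from the article). Flag beaconing to *.cloudfront.net
# from non-browser processes in a network-connection log. The CSV below is constructed
# sample data, not real telemetry: one svchost.exe hitting a distribution every ~5 min,
# Chrome hitting another one irregularly, and a normal Windows Update connection.

$sample = @'
Time,Image,DestinationHostname
2017-06-01T10:00:00,C:\Windows\System32\svchost.exe,d1abc.cloudfront.net
2017-06-01T10:05:00,C:\Windows\System32\svchost.exe,d1abc.cloudfront.net
2017-06-01T10:10:01,C:\Windows\System32\svchost.exe,d1abc.cloudfront.net
2017-06-01T10:15:00,C:\Windows\System32\svchost.exe,d1abc.cloudfront.net
2017-06-01T10:00:13,C:\Program Files\Google\Chrome\Application\chrome.exe,d2xyz.cloudfront.net
2017-06-01T10:00:14,C:\Program Files\Google\Chrome\Application\chrome.exe,d2xyz.cloudfront.net
2017-06-01T10:03:40,C:\Program Files\Google\Chrome\Application\chrome.exe,d2xyz.cloudfront.net
2017-06-01T10:07:00,C:\Windows\System32\svchost.exe,ctldl.windowsupdate.com
'@

# Processes for which CloudFront traffic is expected (assumed allow-list).
$browsers = 'chrome.exe', 'firefox.exe', 'iexplore.exe', 'msedge.exe'

function Find-CdnBeacon {
    param(
        [string]$Csv,
        [int]$MinHits = 3,          # need at least this many connections to judge cadence
        [double]$MaxJitter = 0.1    # largest deviation from the mean gap, as a fraction of it
    )
    $events = $Csv | ConvertFrom-Csv
    $events |
        Where-Object {
            $_.DestinationHostname -like '*.cloudfront.net' -and
            $browsers -notcontains [IO.Path]::GetFileName($_.Image)
        } |
        Group-Object Image, DestinationHostname |
        ForEach-Object {
            $times = $_.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object
            if ($times.Count -lt $MinHits) { return }
            # Gaps between consecutive connections; a beacon keeps them nearly constant.
            $gaps   = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
            $mean   = ($gaps | Measure-Object -Average).Average
            $maxDev = ($gaps | ForEach-Object { [math]::Abs($_ - $mean) } | Measure-Object -Maximum).Maximum
            if ($mean -gt 0 -and ($maxDev / $mean) -le $MaxJitter) {
                [pscustomobject]@{
                    Image       = $_.Values[0]
                    Host        = $_.Values[1]
                    Hits        = $times.Count
                    IntervalSec = [math]::Round($mean)
                }
            }
        }
}

Find-CdnBeacon -Csv $sample | Format-Table -AutoSize
```

On the sample data only the svchost.exe to d1abc.cloudfront.net pair is reported (four hits, roughly 300 seconds apart); the Chrome connections are excluded by the allow-list and would fail the cadence test anyway. To run it against real data, replace the here-string with the output of your Sysmon or proxy export in the same three columns, and tune `MaxJitter` upward if the implant adds randomized sleep.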
As stated above, Fireball is normally delivered embedded in the installer of another, potentially harmless application. Even when delivered that way, CylancePROTECT®’s predictive, pre-execution engine would have prevented the malware from executing.
Whether it is launched by another program, a service or the user, CylancePROTECT prevents the infection. CylancePROTECT with Optics gives unprecedented visibility into attacks and provides focused root cause analysis.