Fireball

Fireball is an adware infection that has managed to infect more than 250 million computers around the world. This is an enormous number, a quarter of a billion computers! Fireball is designed to display pop-ups on the victim's computers. Today, PC security researchers estimate that one in five networks around the world has been infected with Fireball. It is especially distressing when one considers that Fireball has the potential to lead to serious threat infections. Malware analysts warn of the possibility of a severe threat epidemic as a result of a large number of computers already made vulnerable by Fireball.

Why The Con Artists Created Fireball?

Like most adware, Fireball is designed to hijack the victim's Web browser, changing its default search engine and tracking the victim's online activity. Fireball is linked to a digital marketing company based in Beijing that goes by the name Rafotech. One worrying aspect of Fireball is that it has the possibility of running corrupted code on the victim's computer or to allow the download of more threats onto the victim's computer. This means that Fireball has the potential to be quite a serious infection, despite the fact that it is currently being distributed as something much less serious. Fireball has the capacity to install a backdoor, which may be exploited to carry out devastating threat attacks.

The Potential Danger of Fireball

Some of the hundreds of millions of computers affected by Fireball were infected by a technique known as bundling. This involves including the installation of Fireball along with other software, especially free software downloaded from the Web. Some free programs that have been linked to the Fireball distribution include the Soso Desktop and the FVP Image Viewer. These two programs, however, are not popular in the United States or Europe particularly. Because of this, it is likely that Fireball also is being delivered using other techniques, which may include exploit kits or email attacks. The number of Fireball infections worldwide has been estimated by analyzing the domains that have been associated with Fireball redirects and connections, which may be low-quality search engines that load results from Google and Yahoo while monetizing the victim's Web traffic and delivering advertisements. Because of the use of Google and Yahoo search results being included in Fireball attacks, it is possible that these companies may be profiting from Fireball indirectly, but it is still uncertain if there is any connection with this adware scheme.

The Victims of Fireball may be Far More than We Know

By looking at traffic statistics for search engines associated with Fireball, PC security researchers have estimated that a quarter of a billion computers around the world have been compromised with Fireball. However, since not all domains associated with Fireball have been identified, it is possible that this number is still lower than the real figure. Rafotech, Fireball's developer, claims on its website that they have reached more than 300 millions of computer users. The countries that are most affected by Fireball are Brazil and India, with about 25 million of infected computers in each one of them. Infections in the United States only account for a small fraction of the Fireball attacks currently, at about 5.5 million affected computers.

Preventing Fireball Infections and Dealing with Fireball

It is unknown how unsafe Fireball is currently. While it carries out a typical adware tactic, displaying ads on affected computers and interfering with the victim's computer when browsing the Web, this is still a low-level infection. However, the extent of Fireball's reach and the fact that there is a backdoor component to Fireball makes the danger and epidemic potential of Fireball quite scary. Because of this, these attacks should be responded immediately. Use a trusted security program that is fully up-to-date and to scan your computer regularly.

Analysis Report

General information

Family Name:	Adware.Multiplug.A
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: 405d3a9ad89a0504cbf9f359b57db976 SHA1: c7914663ae3cfaaf48901778f935740d7b581f85 SHA256: BFB0181B191C5ED528740899F4D7DF466D2A2AB73BF7E5EAF48E0170A2042B17 File Size: 299.52 KB, 299520 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have security information
• File is 32-bit executable
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is Native application (NOT .NET application)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)

Show More

• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

File Traits

• HighEntropy
• No Version Info
• x86

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Total Blocks:	308
Potentially Malicious Blocks:	67
Whitelisted Blocks:	213
Unknown Blocks:	28

Visual Map

x ? ? x x x x 0 x x x x x 0 0 0 0 x x x ? 0 x 0 x x ? x 0 0 0 x ? ? ? x x 0 ? ? x 0 0 0 0 x ? x x x x x x x ? x ? x x ? 0 x 0 x ? ? ? x x x x ? ? x x x x 0 0 x 0 0 x x x x x ? x x x x x 0 x 0 0 0 0 0 x 0 0 0 0 0 0 0 x 0 x x ? ? ? x ? ? x x x x ? 0 x x x x 0 0 0 ? ? ? 0 2 0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 2 3 0 0 1 0 0 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 1 0 0 1 0 1 1 0 0 0 0 0 1 0 0 0 0 0 2 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

i

Similar Families

This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

• Multiplug.A

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
c:\programdata\{726cb2ac-2e2f-1810-726c-cb2ac2e2cab0}\c7914663ae3cfaaf48901778f935740d7b581f85_0000299520	Generic Write,Read Attributes
c:\programdata\{726cb2ac-2e2f-1810-726c-cb2ac2e2cab0}\c7914663ae3cfaaf48901778f935740d7b581f85_0000299520.dat	Generic Write,Read Attributes

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix	Cookie:	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix	Visited:	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey

Show More

HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect

RegNtPreCreateKey

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Network Info Queried	GetAdaptersInfo