Israel’s Check Point Discovers ‘Fireball’ Malware; 250 Million Computers Worldwide Infected

By Einat Paz-Frankel, NoCamels June 06, 2017

Israeli cyber-security firm Check Point has discovered new malware that recently infected 250 million computers around the globe. Called Fireball, the malware takes over browsers and essentially turns them into zombies. This browser-hijacker can reroute innocent victims to malicious sites and spy on them.

Fireball has the ability of running any code, downloading any file or malware, and hijacking and manipulating infected users’ web-traffic to generate ad-revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware.

Top infected countries include India and Brazil, with about 25 million computers infected each. 16.1 million computers in Mexico have been infected so far, 13.1 million in Indonesia, and 5.5 million in the US. “The scope of the malware distribution is alarming,” Check Point says.

Fireball’s global infection rates, with the darker pink indicating more infections.

A massive security flaw”

According to the research team at Check Point, this operation is run by Rafotech, a large digital marketing agency based in Beijing, China. “Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines,” the analysts say. “This redirects the queries to either or The fake search engines include tracking pixels used to collect the users’ private information.”

The team warns that Fireball “has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines; this creates a massive security flaw in targeted machines and networks.”

Rafotech’s website was down today and the company was not available to comment.

SEE ALSO: Israel’s Check Point Reveals: More Than 1 Million Google Accounts Infected By ‘Gooligan’ Malware

According to Check Point analysts, among the 250 million computers infected worldwide, 20 percent belong to corporate networks. “The malware acts as a browser-hijacker but can be turned into a full-functioning malware downloader,” they say. “Fireball is capable of executing any code, resulting in a wide range of actions – from stealing credentials to dropping additional malware.”

Another indicator of the high infection rate is the popularity of Rafotech’s fake search engines. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.

“A pesticide armed with a nuclear bomb”

Check Point stresses that Fireball and similar browser-hijackers are “hybrid creatures, half seemingly legitimate software, and half malware.” Although Rafotech uses Fireball only for advertising and initiating traffic to its fake search engines, it can perform any action. “These actions can have serious consequences.”

How severe is it? Say the analysts: “Try to imagine a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do much more.”

For tips on how to check if your computer is infected, to remove the malware, or to avoid future infections, you may visit Check Point’s blog.

Founded in 1993 by Gil Schwed, Marius Nacht and Shlomo Kramer, Check Point went public in 1996. Its current market cap is $18.5 billion, and its shares trade on Nasdaq for $113.

SEE ALSO: How Israeli Cyber-Security Startups Are Battling The World’s Riskiest Online Hacks

Considered one of the world’s leading cyber-security companies, Check Point provides solutions that protect customers from cyber-attacks, including malware and other types of threats. Check Point protects over 100,000 organizations around the globe.

Cybersecurity israel

Photos and infographics: Check Point, Geralt