Advertising can sometimes be annoying — and sometimes it can be malicious. Businesses that make their money selling advertisements sometimes go too far trying to make sure you see their ads. Recently researchers found that one such business — a big digital-marketing agency — went as far as installing adware on 250 million computers running Windows and macOS all over the world.
What’s even worse, this adware is capable of turning into full-fledged malware that can divert users to malicious sites and drop malware on their computers. And no one seemed to notice it — until now.
The stealthy Fireball
Adware is a type of application that shows you ads or collects data about you for purposes of profiling you and selling that profile to advertising agencies, which, in turn, show you ads. The most common way adware sneaks onto computers is when it comes bundled with other software. Adware creators are willing to pay for the bundling, so some developers of free software are actually eager to bundle it with their products to monetize them.
However, bundling can look quite different depending on the developers. Whereas normally you are notified about additional software being installed alongside the app you want, Fireball, the adware in question, doesn’t prompt users or give them a chance to opt out of the installation — it just stealthily installs. It’s important to note that the bundled adware doesn’t necessarily install at the same time as the freeware program you were interested in. The adware might be dropped in later, when you’re less alert to potential installation issues.
My big fat adware cleaning (or why it's difficult to remove adware from your PC) – http://t.co/LGtUqlKFgL pic.twitter.com/wnSskYlXh2
— KasperskyUK (@kasperskyuk) February 2, 2015
Fireball is a browser hijacker, which means it modifies your browser to serve its creator’s purposes. The modification involves changing the homepage and the default search engine as well as blocking your attempts to change them back. The fake search engines Fireball sets as defaults contain tracking pixels that gather data about users to use for marketing purposes. Also, Fireball has the ability to execute any code on the infected computer and download browser extensions or other software.
What’s interesting is that despite its malicious nature, Fireball is signed with legitimate digital certificates, which makes it seem innocuous. It also implements other detection-evasion techniques to make it harder for security suites to find it and mark it as malicious. That’s why no one noticed the spreading epidemic for some time — Fireball seemed to be a totally legit app.
Why Fireball is so dangerous
Additional ads together with additional tracking might seem bothersome but not dangerous. However, Fireball’s ability to download and install browser extensions and execute code on an infected device makes it a perfect backdoor — one that can be used, well, in a lot of different ways: mostly for dropping bad stuff onto your computer to harvest critical information or infect your device with various kinds of malware.
According to the researchers who discovered Fireball, it has already infected more than 250 million devices worldwide, and it can be found on one in every five corporate networks. If (or once) its creators decide to use it for espionage, Fireball could become a global catastrophe.
Fireball malware infects 250 million computers worldwide – https://t.co/41FE02cqlO
— Threatpost (@threatpost) June 2, 2017
How can I tell that I’m not infected?
Despite Fireball’s stealth, it’s quite easy to spot. Open your browser and look at the homepage — is it the homepage you set? How about the default search engine? Can you modify the settings to change your homepage and default search engine? If you answered no to any or all of those, you might be infected with adware, be it Fireball or something else.
If nothing blocks your attempts to modify the settings and you are sure that your homepage and default search engine are intact, you are probably not infected with Fireball. But nonetheless, why not run a virus scan? Better safe than sorry.
Shields vs. Fireballs
As you probably know if you play RPGs, the best protection against fireballs is a magical shield. In this case, a good security solution is your magical shield.
For example, to protect your computer from adware, you can change the settings in Kaspersky Internet Security to deny installation of so-called potentially unwanted programs. The software will then detect and block any attempts to install adware, keeping Fireball and its ilk off your computer. You can learn how to adjust those settings here.