Understanding the true size of "Fireball"


Keeping tabs on the movement of cybersecurity threats, understanding the size and scope of attacks, and disrupting cybercriminal campaigns through next-gen technologies are fundamental parts of our day-to-day work at Microsoft Windows Defender Research.

So when recent reports of the "Fireball" cybersecurity threat operation were presented as a new discovery, our teams knew differently because we have been tracking this threat since 2015. While the threat is real, the reported magnitude of its reach might have been overblown.

As the group of malware and unwanted software families in the Fireball suite have evolved over time, so has our protection and defense against it. Windows users are protected from this group of threats through Windows Defender Antivirus and Microsoft Malicious Software Removal Tool (MSRT). As another layer of protection, Windows 10 S only allows apps that come from the Windows Store to run. None of these malware and unwanted software is present in the store, therefore Windows 10 S users are further protected from this threat group.

The Fireball suite

Initial Fireball infections come exclusively through software bundling. The malware is installed with programs that users download through their browser, often when looking for apps or media of dubious origin (pirated apps, games, music or video, cracks or keygens, etc.).

The Fireball suite often carries clean programs with it. The suite uses these clean programs as host processes to load their malicious code in an attempt to evade behavior-based detection.

In almost three years of tracking this group of threats and the additional malware they install, we have observed that its components are designed to either persist on an infected machine, monetize via advertising, or hijack browser search and home page settings.

The most prevalent families in the Fireball suite are BrowserModifier:Win32/SupTab and BrowserModifier:Win32/Sasquor.

The relational diagram shows that a software bundler such as ICLoader can install Sasquor, which installs Xadupi, which in turn installs SupTab. Xadupi can also be installed directly by software bundlers, such as ICLoader.

Figure 1: The relational diagram shows that a software bundler such as ICLoader can install Sasquor, which installs Xadupi, which in turn installs SupTab. Xadupi can also be installed directly by software bundlers, such as ICLoader.

Fireball’s main payload is to hijack your browser’s home page and default search settings. It does so either by modifying the browser’s settings directly or by circumventing the settings (for example, changing the shortcuts used to launch the browser).

As a result, the malware’s search page loads without your consent and the malware creators earn revenue from searches done through the page.

An example of one of the many pages that the malware redirects victims into without their consent

Figure 2: An example of one of the many pages that the malware redirects victims into without their consent

The difference between estimated visits and infections

In their report, Check Point estimated the size of the Fireball malware based on the number of visits to the search pages, and not through collection of endpoint device data. However, using this technique of site visits to estimate the volume of infected machines can be tricky:

  • Not every machine that visits one of these sites is infected with malware. The search pages earn revenue regardless of how a user arrives at the page. Some may be loaded by users who are not infected during normal web browsing, for example, via advertisements or domain parking.
  • The estimates were made from analyzing Alexa ranking data, which are estimates of visitor numbers based on a small percentage of Internet users. Alexa’s estimates are based on normal web browsing. They are not the kind of traffic produced by malware infections, like the Fireball threats, which only target Google Chrome and Mozilla Firefox. The Alexa traffic estimates for the Fireball domains, for example, differ from Alexa competitor SimilarWeb.

We’ve reached out to Check Point and requested to take a closer look at their data.

On the other hand, through intelligence gathered from 300 million Windows Defender AV clients since 2015, plus monthly scans by the MSRT on over 500 million machines since October 2016, we can see the scale of the Fireball threat over time.

: Number of machines with BrowserModifier:Win32/SupTab that Microsoft antimalware products have detected and cleaned

Figure 3: Number of machines with BrowserModifier:Win32/SupTab that Microsoft antimalware products have detected and cleaned

The spike in October 2016 reflects when we added the SupTab family to MSRT.

Number of machines with BrowserModifier:Win32/Sasquor that Microsoft antimalware products have detected and cleaned

Figure 4: Number of machines with BrowserModifier:Win32/Sasquor that Microsoft antimalware products have detected and cleaned

The spike in October 2016 occured when the Sasquor family was added to MSRT. We saw a less pronounced spike for Sasquor than we did for SupTab. Sasquor was not distributed as long as SupTab before we added the Sasquor detection in MSRT.

The complete set of malware families behind the Fireball operation was added to MSRT over the course of three releases: September 2016, October 2016, and February 2017.

Our blogs for the October 2016 and February 2017 MSRT releases describe the details of the malware and unwanted software families and their relationships:

The following charts show the number of machines that MSRT cleaned for the four most prevalent Fireball families and the global prevalence of the Fireball suite:

The chart illustrates the impact MSRT had on the infected population

Figure 5: The chart illustrates the impact MSRT had on the infected population

Regions where Fireball is prevalent

Figure 6: Regions where Fireball is prevalent

Notes on how the Fireball infection fizzles

Knowing the infection chain and understanding the Fireball suite behavior help us address the issue and protect your computing experience. We have not seen any changes on Fireball’s strategy. The following Windows 10 protection components contributed to addressing this threat:

  • Microsoft Edge is not affected by the browser hijacking techniques used by Fireball.
  • Through Windows Defender AV and Microsoft Malicious Software Removal Tool (MSRT), we have cleaned existing infections and reduced the threat distribution by:
    • Identifying bundlers that were installing the malware
    • Ensuring the bundlers stop including the threats in their bundles
    • Blocking the bundlers themselves
  • Windows 10 S works exclusively with apps from the Windows Store. Hence, the specific threats described in this blog do not work on Windows 10 S, nor do other similar threats that rely on less trustworthy software distribution mechanisms to deliver unwanted or unexpected functionality.

However, these threats are still actively developed and distributed today, and we will continue to monitor and provide protection against them.

Prevention, detection, and recovery

Fireball’s infection chain includes malware and software bundlers silently installing other applications. You need security solutions that detect and remove all components of this type of infection.

Ensure you get the latest protection from Microsoft. Keep your Windows operating system and antivirus, such as Windows Defender AV and Microsoft Malicious Software Removal Tool (MSRT), up-to-date. If you haven’t already, upgrade to Windows 10.

In Windows Defender Antivirus, you can check your exclusion settings to see whether the malware added some entries in an attempt to exclude folders from being scanned. To check and remove excluded items: Navigate to Settings > Update & security > Windows Defender > Windows Defender Security Center > Virus & threat protection > Virus & threat protection settings. Under Exclusions, click Add or remove exclusions. Click + to go through the lists of options where you can select the excluded item that you want to remove.

Get real-time protection against the latest malware threats by leveraging the power of the cloud. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10. Go to Settings > Update & security > Windows Defender > Windows Defender Security Center > Virus & threat protection > Virus & threat protection settings and make sure that Real-time protection, Cloud-based protection, and Automatic sample submission settings are turned On.

Use the Settings app to reset to Microsoft recommended defaults that may have been changed by the malware in the Fireball suite. To configure, go to Settings > Apps > Default apps then click Reset.

For enterprises, use Device Guard, which can lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run.

Use Windows Defender Advanced Threat Protection to get alerts about suspicious activities, including the download of malware, so you can detect, investigate, and respond to attacks in enterprise networks. Evaluate Windows Defender Advanced Threat Protection for free.

 

Hamish O’Dea
Windows Defender Research

Comments (0)

Skip to main content