Fireball adware

A Chinese digital marketing company named Rafotech is behind a wave of inter-connected adware families that found their way onto the computers of millions of users, says Israeli cyber-security firm Check Point.

According to an extensive investigation, Check Point claims Rafotech has designed a very intrusive adware that hijacks people's browsers with the primary purpose of redirecting traffic to fake search engines.

These fake search engines do nothing more than divert search queries through Google and Yahoo's affiliate programs, earning the Chinese company a commission.

Fireball adware family is on a rampage

Rafotech spreads its adware by bundling it with legitimate software, sometimes without giving users the opportunity to opt-out of the installation.

This tactic has landed various of its adware strains on the computers of over 250 million computers, according to a rough estimation from Check Point's team.

The most affected countries are India (25.3 million infections - 10.1%), Brazil (24.1 million - 9.6%), Mexico (16.1 million - 6.4%), and Indonesia (13.1 million - 5.2%). The US is also on the list with 5.5 million infections, accounting for 2.2% of the total global infection numbers.

Fireball infographic

Furthermore, experts believe the adware made its way in over 20% of all corporate networks, which means that one in five companies has a computer infected with this adware, which Check Point nicknamed Fireball.

Fireball adware has backdoor trojan-level capabilities

The adware's reach inside corporate networks is a big issue because adware, in general, has evolved in the past year. As Bleeping Computer's malware expert Lawrence Abrams wrote numerous times in our adware removal guides, most of today's adware contains the same features found in banking or backdoor trojans.

Fireball is one of those adware families. Check Point experts said yesterday in a report that Fireball contains features that allow the Chinese company to push and execute any file (malware) to the victim's computer.

Because the adware is so intrusive at the browser level, experts fear that its maintainers would have no technical impediment from switching from a revenue model that's based on traffic redirection and ad injection to something that involves stealing user credentials.

Fireball's fake search engines rank in Alexa Top 10K

If you're wondering how come you've never heard of a malware family that infected over 250 million computers, the explanation resides in the fact that Check Point refers to all the adware created by Rafotech as Fireball.

Adware strains like the one Rafotech create are usually referred to by the name of the site it redirects traffic to. For example, Fireball contains adware strains such as the hugely prevalent Youndoo adware [removal guide], Trotux [removal guide], Startpageing123 [removal guide], Luckysearch123 [removal guide], Hohosearch [removal guide], Yessearches [removal guide], and many others.

Some of these fake search engines to which Fireball adware strains redirect traffic can be found in the Alexa Top 10,000 most popular sites on the Internet. Some of these fake search engines received so much traffic that a few managed to break into the Alexa Top 1,000 site list, well above many legitimate sites. This shows the massive scale of Rafotech's operation.