Microsoft: Check Point research overestimates global Fireball epidemic

News by Max Metzger

Microsoft has cast doubt on a Check Point report from earlier this month, which said that a piece of adware had infected nine percent of networks globally.

A new report from the Microsoft Windows security team, dubbed "Understanding the true size of Fireball", claims to give a better understanding of the scope and scale of the problem.

Hamish O'Dea, a member of the Microsoft Windows Defender Research team, writes, “While the threat is real, the reported magnitude of its reach might have been overblown.” Nor is the threat new, according to O'Dea: the team has known about it since at least 2015.

The much publicised piece of adware, produced by Chinese marketing company RafoTech, hit headlines earlier in the month when it was said that Fireball could be found on up to nine percent of global networks. A report from Check Point said that it had infected over 250 million computers around the world by infecting browsers, hijacking their internet traffic and redirecting it towards advertisements and search pages that would garner revenue for Fireball's controllers.

Its presence on nearly a tenth of all the corporate networks in the world was still tiny, compared to its presence on the networks of some individual countries. In India, Fireball could be found on up to 43 percent of corporate networks.

To boot, Fireball would install plug-ins to boost those ads as well. Researchers warned that the same functionality could be used to distribute malware, although that had not yet been seen in the wild.

It could, however, all be a lot worse, according to researchers. They told SC that they have “not yet seen Fireball being used for malicious activity such as downloading malware, but it has created a huge global network of 250 million machines with backdoors that can easily be exploited.”

O'Dea encourages those researchers to have another look at the data. O'Dea claims that Check Point evaluated the scale of infections based on the Alexa rankings it could find for the pages that Fireball redirects to and not, importantly, through data from endpoints.

Not every machine that visits one of these sites will be infected with malware, he writes, because those pages will earn revenue from visits regardless. Furthermore, Alexa ranking data is based on normal web browsing, so it only represents a fraction.

Microsoft's analysis of data from hundreds of millions of clients of Windows Defender AV and the Malicious Software Removal Tool (MSRT) shows that infections from all families of Fireball amount, even at their height, to only a small fraction of the machines analysed.
