Fireball: Browser Hijacker/Adware

It has been reported that a malware named as "Fireball" targeting browsers is spreading worldwide. The malware "Fireball" has the ability to collect user information, manipulating web-traffic to generate ad-revenue, malware dropping and executing malicious code on the infected machines. According to the reports, Fireball currently installs plug-ins and additional configurations to boost its advertisements, but it could be used as distributor for any additional malware in future.
This malware is detected by majority of the antivirus solutions, users are advised to install and maintained updated antivirus solution to protect their computers from this malware infection.
Aliases:
Ad-Aware:-(Gen:Variant.Johnnie, Gen:Variant.Symmi, Gen:Variant.Zusy, Gen:Variant.Mikey) 
AegisLab:-(Troj.Generickd!c, Gen.Variant.Zusy!c, Adware.W32.Elex!c 
AhnLab-V3:-(PUP/Win32.ELEX) 
ALYac:-(Gen:Variant.Johnnie) 
Arcabit:-(Trojan.Johnnie, Trojan.Symmi, Trojan.Zusy, Trojan.Mikey, Trojan.Adware.Graftor, Adware.Generic) 
Avast:-(Win32:Adware-gen [Adw]) 
AVG:-(Generic7.BSRM, Elex.APU) 
Avira (no cloud):-(ADWARE/Adware.Gen7) 
CAT-QuickHeal:-(Pua.Elex) 
Comodo:-(Application.Win32.BrowseFox.qqtbw) 
ESET-NOD32:-(a variant of Win32/Adware.ELEX.AD) 
Fortinet:-(Riskware/Elex) 
F-Secure:-(Gen:Variant.Adware.Graftor, Gen:Variant.Adware.Zusy, Adware:W32/Elex) 
K7AntiVirus:-(Adware) 
K7AntiVirus:-(Riskware) 
Kaspersky:-(not-a-virus:AdWare.Win32.ELEX.ads) 
Kaspersky:-(HEUR:Trojan.Win32.Generic 
McAfee:-(RDN/Generic PUP.x, Artemis!84DCB96BDD84, Win32.Generic.cm, Win32.Dropper, Win32.Downloader) 
Panda:-(Trj/GdSda.A) 
Sophos:-(Generic PUA AD) 
TrendMicro:-(TROJ_GEN.R002C0EAT17) 
Webroot:-(W32.Adware.Gen) 
Yandex:-(PUA.Agent!) 
Yandex:-(PUA.ELEX!)
It is reported that the malware “Fireball” is used by one of the largest marketing agency to manipulate the victims’ browsers and changes their default search engines and home-pages into fake search engines. It also redirects the queries to either yahoo.com or Google.com.
 The fake search engines also collects the users’ private information.
Fireball is capable of performing following tasks:
  • Acts as a browser-hijacker manipulating web-traffic to generate ad-revenue
  • Capable of downloading further malware
  • Capable of executing any malicious code on the victim machine
  • Collects user information & steal credentials from victim machine



 
Installations:
Fireball is spreading via bundling, it gets installed on victim machines alongside other freeware programs, mostly without user’s consents. Popular vectors of spreading Fireball are bundling the malware to other products such as “Deal Wifi” and “Mustang Browser” or bundling via other freeware distributors/products such as “Soso Desktop”, “FVP Imageviewer” etc.

Upon installation, malware manipulates the victims’ browsers, it changes the default search engines and home-pages into fake search engines. It acts as a browser-hijacker, manipulates infected users’ web-traffic to generate ad-revenue. The fake search engine opened on victim’s infected web browser is shown below.

How to determine the infection
Open the web browser on your computer and try to:
  • The home page is set by you or not?
  • Are you able to modify the homepage?
  • What is the default search engine? Are you able to change the default search engine?
  • Check for the browser plug-in installed, some extra plugins installed by you?
If the answers to above questions is "NO", you might be a victim of Adware, it is requested to kindly scan your machine with updated antivirus.
Indicators of compromise (IoC)
Command & Control addresses:
attirerpage[.]com 
s2s[.]rafotech[.]com 
trotux[.]com 
startpageing123[.]com 
funcionapage[.]com 
universalsearches[.]com 
thewebanswers[.]com 
nicesearches[.]com 
youndoo[.]com 
giqepofa[.]com 
mustang-browser[.]com 
forestbrowser[.]com 
luckysearch123[.]com 
ooxxsearch[.]com 
search2000s[.]com 
walasearch[.]com 
hohosearch[.]com 
yessearches[.]com 
d3l4qa0kmel7is[.]cloudfront[.]net 
d5ou3dytze6uf[.]cloudfront[.]net 
d1vh0xkmncek4z[.]cloudfront[.]net 
d26r15y2ken1t9[.]cloudfront[.]net 
d11eq81k50lwgi[.]cloudfront[.]net 
ddyv8sl7ewq1w[.]cloudfront[.]net 
d3i1asoswufp5k[.]cloudfront[.]net 
dc44qjwal3p07[.]cloudfront[.]net 
dv2m1uumnsgtu[.]cloudfront[.]net 
d1mxvenloqrqmu[.]cloudfront[.]net 
dfrs12kz9qye2[.]cloudfront[.]net 
dgkytklfjrqkb[.]cloudfront[.]net 
dgkytklfjrqkb[.]cloudfront[.]net/main/trmz[.]exe
File Hashes:
FAB40A7BDE5250A6BC8644F4D6B9C28F 
69FFDF99149D19BE7DC1C52F33AAA651 
B56D1D35D46630335E03AF9ADD84B488 
2579DF066D38A15BE8142954A2633E7F 
8C61A6937963507DC87D8BF00385C0BC 
7ADB7F56E81456F3B421C01AB19B1900 
84DCB96BDD84389D4449F13EAC750986 
5BCE955CF12AF3417F055DADC0212920 
2B307E28CE531157611825EB0854C15F 
7B2868FAA915A7FC6E2D7CC5A965B1E7 
66E4D7C44D23ABF72069E745E6B617ED
Countermeasures:
  • Do not click on banners or pop-up or ads notifications.
  • Check for the default setting of your web browsers, such as the default home page, default search engine, browser extensions and plug-ins installed etc. If found unknown setting then delete the same.
  • Monitor the traffic generated from client machines to the domains and IP address mentioned above in Indicator of Compromise (IoC) section.
  • In browser, set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
  • Exercise caution while installing third party applications or freeware software solutions.
  • Do not visit untrusted websites.
  • Do not download or open attachment in emails received from untrusted sources or unexpectedly received from trusted users.
  • Application white listing/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA%, %PROGRAMDATA% and %TEMP% paths. Malware sample drops and executes generally from these locations.
  • Enforce application whitelisting on all endpoint workstations.
  • Use limited privilege user on the computer or allow administrative access to systems with special administrative accounts for administrators.
  • Enable a personal firewall on workstation.
  • Install and scan anti malware engines and keep them up-to-date.
  • Keep the operating system third party applications (MS office, browsers, browser Plugins) up-to-date with the latest patches.
  • Disable unnecessary services on user workstations and servers, if not in use.
  • Maintain situational awareness of the latest threats; implement appropriate ACLs.



Share on Google Plus

About Cyber Security Awareness

This is a short description in the author block about the author. You edit it by entering text in the "Biographical Info" field in the user admin panel.