Saturday, June 3, 2017

250 Million Computers Infected With FIREBALL - Chinese Malware:

Security researchers at Check Point recently reported a high-volume Chinese threat operation that has infected over 250 million computers worldwide. Fireball hijacks the victim's web browser, turning it into a zombie: it changes the default home page and search engine to a fake search page, installs browser plugins that inject advertisements, and serves as a distribution channel for potentially unwanted applications, adware and further malware. Check Point attributes the operation to Rafotech, a large Beijing-based digital marketing company, which uses Fireball to manipulate victims' browsers and redirect them to its own home pages and fake search engines.

Key findings from Check Point researchers (figure)

Infection flow, as diagrammed by Check Point researchers (figure)

Malware distribution around the world
According to the researchers, over 250 million computers are infected worldwide, and 20 percent of corporate networks are affected:
·        25.3 million infections in India (10.1%)
·        24.1 million in Brazil (9.6%)
·        16.1 million in Mexico (6.4%)
·        13.1 million in Indonesia (5.2%)
·        5.5 million in the US (2.2%)

INDICATORS OF COMPROMISE

C&C addresses

·        attirerpage[.]com
·        s2s[.]rafotech[.]com
·        trotux[.]com
·        startpageing123[.]com
·        funcionapage[.]com
·        universalsearches[.]com
·        thewebanswers[.]com
·        nicesearches[.]com
·        youndoo[.]com
·        giqepofa[.]com
·        mustang-browser[.]com
·        forestbrowser[.]com
·        luckysearch123[.]com
·        ooxxsearch[.]com
·        search2000s[.]com
·        walasearch[.]com
·        hohosearch[.]com
·        yessearches[.]com
·        d3l4qa0kmel7is[.]cloudfront[.]net
·        d5ou3dytze6uf[.]cloudfront[.]net
·        d1vh0xkmncek4z[.]cloudfront[.]net
·        d26r15y2ken1t9[.]cloudfront[.]net
·        d11eq81k50lwgi[.]cloudfront[.]net
·        ddyv8sl7ewq1w[.]cloudfront[.]net
·        d3i1asoswufp5k[.]cloudfront[.]net
·        dc44qjwal3p07[.]cloudfront[.]net
·        dv2m1uumnsgtu[.]cloudfront[.]net
·        d1mxvenloqrqmu[.]cloudfront[.]net
·        dfrs12kz9qye2[.]cloudfront[.]net
·        dgkytklfjrqkb[.]cloudfront[.]net
·        dgkytklfjrqkb[.]cloudfront[.]net/main/trmz[.]exe

File Hashes

·        FAB40A7BDE5250A6BC8644F4D6B9C28F
·        69FFDF99149D19BE7DC1C52F33AAA651
·        B56D1D35D46630335E03AF9ADD84B488
·        8C61A6937963507DC87D8BF00385C0BC
·        7ADB7F56E81456F3B421C01AB19B1900
·        84DCB96BDD84389D4449F13EAC75098
·        2B307E28CE531157611825EB0854C15F
·        7B2868FAA915A7FC6E2D7CC5A965B1E

Conclusion

Remove any unknown adware plugins and check the default home page and search engine in the web browser. If there are extensions you did not install, or the home page has changed to a search page you do not recognise, there is a high chance the system is infected with a browser hijacker of this kind. Update the anti-malware software to the latest signatures, and run an additional adware cleaner from a reputable AV vendor. Resetting the web browser to its default settings undoes the hijacked home page and search engine. Also block the listed C&C addresses at the firewall or web proxy to cut off the malware's communication; note that the cloudfront[.]net entries are individual distribution hostnames, so block those exact names rather than the whole cloudfront.net domain.
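As an added example (not part of the original post or of Check Point's research), the script below turns the indicator list above into something a responder can actually run: it refangs the published `[.]` domains, matches them against web proxy log lines (exact host or subdomain only, so that a look-alike such as `notyessearches.com` or an unrelated CloudFront distribution does not match), checks a file inventory against the MD5 list, and emits a hosts-file style blocklist for the firewall/proxy step in the conclusion. The proxy log lines and the file inventory are constructed sample data, and the log format (`time client method url status`) is an assumption. It also flags a detail a practitioner should notice: two of the hashes as printed above are 31 hex digits rather than 32, so they can never match a real MD5 digest and are reported rather than silently loaded.

```python
import re
from urllib.parse import urlparse

# IOCs transcribed from the Check Point list above, kept defanged ([.]) as published.
CNC_IOCS = [
    "attirerpage[.]com", "s2s[.]rafotech[.]com", "trotux[.]com",
    "startpageing123[.]com", "funcionapage[.]com", "universalsearches[.]com",
    "thewebanswers[.]com", "nicesearches[.]com", "youndoo[.]com",
    "giqepofa[.]com", "mustang-browser[.]com", "forestbrowser[.]com",
    "luckysearch123[.]com", "ooxxsearch[.]com", "search2000s[.]com",
    "walasearch[.]com", "hohosearch[.]com", "yessearches[.]com",
    "d3l4qa0kmel7is[.]cloudfront[.]net", "d5ou3dytze6uf[.]cloudfront[.]net",
    "d1vh0xkmncek4z[.]cloudfront[.]net", "d26r15y2ken1t9[.]cloudfront[.]net",
    "d11eq81k50lwgi[.]cloudfront[.]net", "ddyv8sl7ewq1w[.]cloudfront[.]net",
    "d3i1asoswufp5k[.]cloudfront[.]net", "dc44qjwal3p07[.]cloudfront[.]net",
    "dv2m1uumnsgtu[.]cloudfront[.]net", "d1mxvenloqrqmu[.]cloudfront[.]net",
    "dfrs12kz9qye2[.]cloudfront[.]net", "dgkytklfjrqkb[.]cloudfront[.]net",
    "dgkytklfjrqkb[.]cloudfront[.]net/main/trmz[.]exe",
]
FILE_HASHES = [
    "FAB40A7BDE5250A6BC8644F4D6B9C28F", "69FFDF99149D19BE7DC1C52F33AAA651",
    "B56D1D35D46630335E03AF9ADD84B488", "8C61A6937963507DC87D8BF00385C0BC",
    "7ADB7F56E81456F3B421C01AB19B1900", "84DCB96BDD84389D4449F13EAC75098",
    "2B307E28CE531157611825EB0854C15F", "7B2868FAA915A7FC6E2D7CC5A965B1E",
]


def refang(ioc):
    return ioc.replace("[.]", ".")  # published form x[.]y -> real hostname/URL


def ioc_domains(iocs=CNC_IOCS):
    """Distinct hostnames; a URL IOC such as .../main/trmz.exe contributes its host."""
    return {refang(i).split("/", 1)[0].lower() for i in iocs}


def host_matches(host, domains):
    """Exact match or subdomain of a listed domain. Deliberately not a substring test:
    'notyessearches.com' must not match 'yessearches.com', and only the listed
    CloudFront distribution names match, never cloudfront.net as a whole."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Assumed proxy log format: "<time> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(log_text, iocs=CNC_IOCS):
    """Return (client, host, url) for every request whose host is a listed C&C."""
    domains = ioc_domains(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of aborting the scan
        host = urlparse(m.group("url")).hostname or ""
        if host_matches(host, domains):
            hits.append((m.group("client"), host, m.group("url")))
    return hits


MD5_RE = re.compile(r"[0-9A-Fa-f]{32}")


def split_hashes(hashes=FILE_HASHES):
    """Separate well-formed MD5 digests from entries that cannot be MD5 (wrong length)."""
    good, bad = set(), []
    for h in hashes:
        good.add(h.upper()) if MD5_RE.fullmatch(h) else bad.append(h)
    return good, bad


def scan_inventory(inventory, hashes=FILE_HASHES):
    """Match a {path: md5} inventory against the valid IOC hashes; also return malformed IOCs."""
    good, bad = split_hashes(hashes)
    return [(p, h) for p, h in inventory.items() if h.upper() in good], bad


def hosts_blocklist(iocs=CNC_IOCS):
    """hosts-file style sinkhole lines, one per distinct IOC hostname (exact names only)."""
    return ["0.0.0.0 " + d for d in sorted(ioc_domains(iocs))]


# Constructed sample proxy log (not real traffic).
SAMPLE_PROXY_LOG = """\
2017-06-01T10:14:03Z 10.0.5.21 GET http://www.trotux.com/?q=test 200
2017-06-01T10:14:09Z 10.0.5.21 GET http://dgkytklfjrqkb.cloudfront.net/main/trmz.exe 200
2017-06-01T10:15:44Z 10.0.5.33 GET https://example.org/index.html 200
2017-06-01T10:16:02Z 10.0.5.40 GET http://notyessearches.com/ 200
2017-06-01T10:16:30Z 10.0.5.40 GET http://d1vh0xkmncek4z.cloudfront.net:8080/x 302
garbage line that does not parse
"""
# Constructed file inventory (path -> MD5); only the first digest is from the list above.
SAMPLE_INVENTORY = {
    r"C:\Users\victim\AppData\Local\Temp\trmz.exe": "fab40a7bde5250a6bc8644f4d6b9c28f",
    r"C:\Windows\System32\notepad.exe": "d41d8cd98f00b204e9800998ecf8427e",
}

if __name__ == "__main__":
    for client, host, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"C&C contact: {client} -> {host}  ({url})")
    matches, malformed = scan_inventory(SAMPLE_INVENTORY)
    for path, md5 in matches:
        print(f"Known Fireball hash {md5} at {path}")
    for h in malformed:
        print(f"Skipped IOC that is not a valid MD5 ({len(h)} hex chars): {h}")
    print("\n".join(hosts_blocklist()))
```

Feed real proxy or DNS logs through `scan_proxy_log` after adapting `LOG_RE` to the local log format; the host matching and hash handling do not depend on it. The blocklist intentionally contains only the exact CloudFront distribution names from the list, since sinkholing `cloudfront.net` itself would break a great deal of legitimate traffic.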

Post by
newWorld



Source: CheckPoint blog

