Telecom Tidbits
Jared's Network and Security Blog

BOLO: FireBall Browser Malware

June 1, 2017, by Jared Hall. Categories: BOLOs, Internet Security

Check Point Software Technologies reported an outbreak of browser-based malware called “FireBall”. This malware delivers unwanted ads and popups and completely takes over your web browsers. It was created by the Chinese advertising company “Rafotech”.


FireBall is installed as a bundle alongside otherwise legitimate programs downloaded from the Internet. Despite that mundane delivery method, it is quite sophisticated: it has a Command and Control (C&C) architecture, malware downloaders, droppers, and sniffers; it can perform remote code execution; and it evades detection. It is believed to have infected computers within 20% of all corporate networks.

  • 25.3 million infections in India (10.1%)
  • 24.1 million in Brazil (9.6%)
  • 16.1 million in Mexico (6.4%)
  • 13.1 million in Indonesia (5.2%)
  • 5.5 million in the US (2.2%)


Signs of infection include a changed browser home page and default search engine. Usually the home page is redirected to “Trotux” (trotux[.]com), but it can be any of a number of other search and redirect domains, including several cloudfront[.]net hosts that also serve the malware's executable.

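As an added example (not code from the post or from Check Point's report), the script below refangs indicators written in the post's host[.]tld style and matches them against DNS query log lines, catching subdomains and handling indicators given as full download URLs. The indicator list and the log format are constructed placeholders; only the Trotux domain is taken from the text.

```python
import re

# Constructed sample, NOT the post's full indicator list: the post names
# "Trotux" as the usual redirect target; the second entry is a made-up
# placeholder showing the "host/path/file.exe" form such lists contain.
DEFANGED_INDICATORS = [
    "trotux[.]com",
    "cdn-placeholder[.]invalid/main/dropper[.]exe",
]

def refang(indicator: str) -> str:
    """Turn 'host[.]tld' back into 'host.tld' (also un-mangles 'hxxp')."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def indicator_host(indicator: str) -> str:
    """Host part of a refanged indicator, with any scheme and path removed."""
    ind = refang(indicator).lower()
    ind = re.sub(r"^[a-z]+://", "", ind)
    return ind.split("/", 1)[0]

def host_matches(host: str, bad_host: str) -> bool:
    """Exact match or any subdomain (www.trotux.com hits trotux.com),
    but not a lookalike such as nottrotux.com."""
    host = host.lower().rstrip(".")
    return host == bad_host or host.endswith("." + bad_host)

def find_hits(log_lines, indicators=DEFANGED_INDICATORS):
    """Return (queried_host, matched_indicator) for each log line that hits."""
    bad = {indicator_host(i): i for i in indicators}
    hits = []
    for line in log_lines:
        # Assumed (constructed) log format: "<timestamp> <client> query <qname>"
        m = re.search(r"\squery\s+(\S+)", line)
        if not m:
            continue
        qname = m.group(1).rstrip(".")
        for bad_host, original in bad.items():
            if host_matches(qname, bad_host):
                hits.append((qname, original))
                break
    return hits

# Constructed DNS log lines for a local test run.
SAMPLE_LOG = [
    "2017-06-01T10:00:01Z 10.0.0.5 query www.trotux.com.",
    "2017-06-01T10:00:02Z 10.0.0.5 query example.org.",
    "2017-06-01T10:00:03Z 10.0.0.9 query cdn-placeholder.invalid.",
    "2017-06-01T10:00:04Z 10.0.0.9 query nottrotux.com.",
]

if __name__ == "__main__":
    for qname, ioc in find_hits(SAMPLE_LOG):
        print(f"HIT {qname} <- {ioc}")
```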

To fix the problem, first uninstall the bundled software from the computer; in Windows this is done from Control Panel -> Programs. Then remove any browser plugins the malware added and reset the web browsers to their default settings.

Malware removal programs such as SUPERAntiSpyware, Malwarebytes, or AdwCleaner can be used to clean up the infection, provided their malware databases have been updated.

The original article from Check Point Software Technologies is here.

 
