Microsoft has challenged a report claiming that 250 million Windows PCs were infected with browser hijacking malware called Fireball.
There’s no question that Fireball, which security firm Check Point called out recently, is not what you want on your Windows PC. However, Microsoft has cast doubt on a recent report by the Israel-based security firm that the malware infected as many as 250 million PCs.
Fireball is a malicious browser extension that often comes bundled with other wanted software. The malware switches the browser’s preferred search engine to a fake one that contains code to track the user's web activity.
Microsoft’s malware researchers say it’s actually an old threat that it’s been tracking since 2015 and fairly narrow in impact.
“While the threat is real, the reported magnitude of its reach might have been overblown,” said Hamish O’Dea, a principal antivirus research at Microsoft’s Windows Defender Research unit.
In the nearly three years Microsoft has tracked the malware it’s only observed it attempting to “persist on an infected machine, monetize via advertising, or hijack browser search and home page settings.”
Check Point said that the malware could be used for more harmful purposes, including using its backdoor to leak data from enterprise networks.
O’Dea highlights potential problems in how Check Point arrived at its estimate of 250 million infections, noting its methods can be "tricky". The security firm used the number of visit to fake search pages for its estimate, and Microsoft arrived at very different numbers based on telemetry data from 300 million Windows PCs with its Windows Defender antivirus installled.
O’Dea presents data that suggests at most, during any given month, around 4 million PCs were impacted the browser hijacking malware. The peak was in October 2016, and infections have declined dramatically since.
“Not every machine that visits one of these sites is infected with malware. The search pages earn revenue regardless of how a user arrives at the page. Some may be loaded by users who are not infected during normal web browsing, for example, via advertisements or domain parking,” he explained.
O’Dea reckons the significant drop-off in infections since October was the result of Microsoft actions using Windows Defender and the Microsoft Malicious Software Removal Tool (MSRT), which identified offending software bundles and blocking them from installing on Windows.
Check Point has defended its estimated, which it notes that its figures are is based on a combination of data from Alexa and from our own ThreatCloud network of sensors.
"Our threat intelligence team has been fully cooperating with Microsoft researchers on their analysis," the company said in a statement to CSO Online.
"We see no logical reason for a user to enter the fake search engine pages if not infected, and relate the gap in the calculated number of infected machines to our analysis being merely an estimation, and to Microsoft’s data relying solely on endpoints with a legally licensed copy of Windows.
It is noteworthy that in the last couple of days, a person related to one of the Chinese companies involved in Fireball approached us to mention that there are “only” 30-40 million installs. So in any case, this is the minimal number of global installs."