FIREBALL MALWARE THREAT ADVISORY
The infection is bundled with malicious software and browser plugins. The malware resides in the browser plugins and can act as a dropper for other malware and generate adware traffic by manipulating the user’s traffic. It is also capable of tracking the user’s private information.
Currently, the top Fireball-bundled products are:
- Deal Wi-Fi
- Mustang Browser
- Soso Desktop
It should also be considered that the malware can be dropped via phishing attacks as well. Once the browser is infected, the malware can turn the computer into a zombie that performs other activities and launches other attacks. It is capable of redirecting user traffic as desired and hence of monitoring user activity, including credentials. One indication of infection is the search engine and home page being set to rofus.com, together with the installation of unknown plugins.
Who is infected?
Any operating system can be infected once one of the malicious products is installed.
How to know if you are infected
Has anybody in your organization reported any of the below mentioned symptoms?
- Was your home page altered unexpectedly?
- Are you able to modify it?
- Was your default search engine altered, e.g. to trotux.com?
- Do you remember installing all your browser extensions?
- Was there any new installed plugin in the browser without your knowledge?
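The home page and search engine checks above can be automated across many machines. The following Python sketch is an added example, not part of the original advisory: it walks a parsed browser preferences file (assumed to be JSON, as Chrome-style profiles use) and reports every setting whose host is rofus.com, trotux.com or a subdomain of either. The function names and the sample preferences, including its key names, are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Hijack domains named in this advisory; extend from your own IOC list.
HIJACK_DOMAINS = {"rofus.com", "trotux.com"}

def host_of(value):
    """Return the lowercase hostname of a URL-like string, or None."""
    if "://" not in value:
        value = "//" + value  # lets urlsplit parse bare "host/path" values
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None

def is_hijack(host):
    """Match a listed domain or its subdomains, not look-alike suffixes."""
    return any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS)

def find_hijacks(node, path=""):
    """Walk parsed preferences JSON; return sorted (json_path, value) hits."""
    hits = []
    if isinstance(node, dict):
        for key, child in node.items():
            hits += find_hijacks(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            hits += find_hijacks(child, f"{path}[{i}]")
    elif isinstance(node, str):
        host = host_of(node)
        if host and is_hijack(host):
            hits.append((path, node))
    return sorted(hits)

# Constructed sample preferences (key names are illustrative, not a real profile).
SAMPLE_PREFS = json.loads("""
{
  "homepage": "http://www.rofus.com/?type=hp",
  "session": {"startup_urls": ["https://www.example.org/", "http://trotux.com/"]},
  "default_search_provider": {"url": "http://search.trotux.com/?q={searchTerms}"},
  "bookmarks": ["https://nottrotux.com/", "https://news.example.org/rofus.com-removal"]
}
""")

if __name__ == "__main__":
    for where, value in find_hijacks(SAMPLE_PREFS):
        print(f"HIJACK SETTING {where}: {value}")
```

Matching is done on the parsed hostname, so a look-alike domain or a page that merely mentions the domain in its path is not reported.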
To remove the malware
To remove almost any adware, follow these simple steps:
Uninstall the adware by removing the application from the Programs and Features list in the Windows Control Panel.
For Mac OS users:
- Use the Finder to locate the Applications folder.
- Drag the suspicious file to the Trash.
- Empty the Trash.
Scan and clean your machine, using:
- Anti-Malware software
- Adware cleaner software
Remove malicious Add-ons, extensions or plug-ins from your browser:
On Google Chrome:
- Click the Chrome menu icon and select Tools > Extensions.
- Locate and select any suspicious Add-ons.
- Click the trash can icon to delete.
On Internet Explorer:
- Click the Setting icon and select Manage Add-ons.
- Locate and remove any malicious Add-ons.
On Mozilla Firefox:
- Click the Firefox menu icon and go to the Tools tab.
- Select Add-ons > Extensions.
Ensure that you can limit the impact:
- Block access to known Indicator of Compromise (IOC) domains
- Follow effective privilege management in your organization: limit installation rights to a “need to” basis only
- Control installation of unapproved software
- Don’t open attachments from untrusted email addresses
- Educate users about risks due to such applications
This has not yet been reported for this malware, but in general a lot of malware delivery happens by tricking victims into clicking on links or opening malicious attachments. Hence it is advised to have a strong e-mail filtering gateway.
The major issue here is that seemingly harmless attachments can create a lot of damage within an organization, aiding in everything from credential theft to crypto-malware.
Today there are technologies available that can look at inbound e-mails and deconstruct attachments, meaning they break an attachment up into its functional elements and then reconstruct it without the potentially harmful parts. An example could be a Word file being sent to you with a macro embedded in it. With the correct technology that Word file can still be delivered to the user, but only after the macro has been removed from the file.
Help AG works with OPSWAT on data sanitization. The solution is installed as a mail transfer agent after your existing e-mail defenses and therefore does not require any change to user behavior.
Note: We integrate OPSWAT with sandbox solutions, which means you can perform behavior-based analysis on e-mail attachments.
Client Application Whitelisting
Application whitelisting can be a very efficient way of dealing with such malware, as it can stop untrusted executables from running on your machines.
Help AG works with a number of vendors that have application whitelisting solutions, including Carbon Black Protect and Symantec Endpoint Protection. Palo Alto Networks recently added signing certificate validation to the TRAPS platform, which can also add value.
Please note that there are of course big differences in the capabilities of each platform, but if you have any of them deployed you should investigate how you can use them to harden your environment.
Mukhammad Khalilov, Senior Security Analyst at Help AG