Adware in the Real World (Fireball)

So in this video, we’re going to talk about Fireball. And Fireball is an interesting piece of malware. I think this is going to be, well maybe one of the first times that we’ve seen malware that was provisioned the way that Fireball was. So Fireball is primarily a web browser hijack tool that could direct users to sites of the attacker’s choice. And if you remember, the goal of adware is to generate revenue. So if every time you open up your browser or you search for something, if you search for one site and it directs you to another site, that’s potential revenue gain for that redirected site. And so that’s why it did it like it did.

In 2017, Fireball infected over 250 million devices and 20% of corporate networks worldwide. So that’s a huge, huge amount of networks to be infected with this. And it was typically bundled, this is what we refer to as a bundled attack with legitimate freeware. And freeware is anything that, as the name implies, is free, so things like GitHub would be considered freeware. But there are other sites, if you go to SourceForge or other things like this, where they offer one specific thing for free. And so what would happen when you bundle it is you download the freeware, and then along with the freeware’s another binary. And that’s where this Fireball would come in.

And this is different than with a virus or even a Trojan because it’s not injecting it into the other two are trusted binary, it’s just grabbing both and downloading them. Because of these bundling attacks, there’s a lot of theories behind ISPs that have been compromised, that allow for something like this to happen. ISP stands for your internet service provider. So that’s your Comcast or your Xfinity kind of thing. Or that at least the organizations that have been compromised, it exist at a lower level than just a company. It’s somewhere within the network of your internet.

And I think that’s an abstract idea, but if you think about it, it’s all the stuff outside of your house or your company, between your house and your company, and the place that you’re getting your data from. All of those things are potential nodes and a chain that could be vulnerable, as something corrupted, taken over, et cetera. And once one of those things are, it’s possible they can intercept and modify data and transmit all the way back to you. And that’s what they’re saying happens in a bundle attack, or one of the things that could happen in a bundle attack. And experts believe that it was created and operated by a Chinese marketing company called RafoTech.

And what’s interesting about this is, this is where we start to see a company creating and selling malware. And in some cases, it was used for companies. So it’s a weird thing where it’s like, “Hey, company wants to make money”. And you can go out to the darknet, and you can see the ads for “Hey, we want to be able to get our software to, or we want to be able to get in front of x amount of millions of customers”. So a company would come along, they create something like Fireball, and say, “Hey, we can get you in front of that many people. We’re going to do a bundling attack. We’ll drop our adware on to their system.

And then you can do it”. And it’s this kind of weird economy for malware, and it’s something you don’t ever hear about. When we talked about our previous Tacker levels before, when you talk about advanced persistent threat types of attackers, they are full corporate agencies. They have employees, they have an HR department, they have a marketing department, they have revenue and losses, they may have a board of directors. So it’s odd to think about these enterprises of malicious hackers that are creating products and selling them to other potentially malicious organizations. The same way that a non-malicious organization would do it on our side. So that whole infrastructure exists. And it’s something that’s never really brought up very often.

So what we’re going to do now is, I actually wasn’t able to find a sample of Fireball that we can play around with. What I want to do is just go into a different malware sample toolkit, as opposed to VirusTotal. We’re going to look at IBM’s X-Exchange, and we’ll just see what that shows us. OK, so we are logged in. This is another free tool. There are of course paid versions of it if you had a subscription to it. And all of these things work the same way. They’re all community-built tools where people submit their own research, their own samples.

And the idea is that if we’re all talking about it and we inform each other, then we’ll be better protected as a whole. So what we’re going to do is we’re just going to go ahead and search for Fireball.

And we can see we get a couple of different things here. Let’s go ahead and just grab this top one here, this Fireball malware.

So this time, it provides us with some hashes of what the malware would look like. So if you have a piece of software on your system and you run a hash for it, remember, if you do MD5, you can take that hash and compare it against one of these to see if it is the Firewall malware. Here, we’ve got C & C, or C2, or command and control addresses. And these are the addresses that once you’re compromised, it would call back out to you. Or these are addresses that are in some way affiliated with that piece of malware. So you can see some of these addresses.

If you go out now and look for some of them, like Trotux, you’ll see that Trotux is no longer in service. It’s been parked, the domain’s been parked, which is what we call it when basically a domain provider has it, but no one’s using it. So they’re probably changing. And you can see down here, they start to go to CloudFront, which probably means that they’re able to rapidly change C2 domains, that you have that random string in front of a CloudFront.net, which means every few minutes or every few requests, however they want to set it up, they could change what their C2 domains are.

On the right here, we have a bunch of different reports to talk about, different things. We can go ahead and click on one of these. This one here looks good. Let’s say, this one, sure.

And it just tells us again, it’s got a report hash for us. It would tell us any information about the thing that the reporter reported. You can see that they provided MD5 hash, that they considered a high risk. And most of this is similar to what we’ve seen in VirusTotal. This is just a different place to get it. And so sometimes, it’s good to have multiple sources, especially if you need to cross-reference. There’s nothing wrong with looking something up in VirusTotal and looking it up in IBM X-force , to see if there’s any additional or different information. In the next section, we’re going to be talking about spyware. So we’ll go ahead and hop into it.