Fireball malware: Chinese police arrest hackers behind malicious code that infected millions

Chinese authorities have arrested at least 11 people suspected of developing and spreading the Fireball malware that infected an estimated 250 million computers and about 20% of corporate networks across the globe. Last month, security firm Check Point said it discovered a "high volume Chinese threat operation" that installed the malicious code onto targeted computers to hijack browsers to generate ad revenue, remotely run any code on a victim's infected machine and download additional malware.

"Fireball has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines, this creates a massive security flaw in targeted machines and networks", researchers said. "Fireball is spread mostly via bundling i.e. installed on victim machines alongside a wanted program, often without the user's consent."

The operation was run by Beijing-based digital marketing firm Rafotech, the security company said.

According to Chinese newspaper Beijing Youth Daily, the hackers arrested were all Rafotech employees who earned over 80 million yuan ($11.84m, £9.05m) through fake clicks and by infecting users web traffic.

State-run news website Xinhua reported that a local security researcher analyzed Fireball's transmission methods and how the malware worked after reading Proofpoint's research on the malware. He discovered that Fireball carried the same malicious code found in Rafotech's freeware.

The researcher then used digital signatures to identify the company's registration information and the employees working for the firm that responsible for Fireball.

After turning the data over to police, at least 11 Rafotech employees were arrested on charges of sabotaging computer systems. The company's president, technical director and operations director were also included among the people arrested, Chongqing Morning News reported.

According to local police in Beijing's Haidian district, nine of Rafotech's employees ran the company's core operations and, despite being young, had years of experience in the IT industry with knowledge of anti-detection techniques.

Founded in 2015, Rafotech had more than 100 employees.

"They did consult lawyers before doing what they did," Haidian police said. "They tried to understand what was illegal so they would escape prosecution."

According to Check Point, some of the countries hardest hit by the Fireball malware included India, Brazil, the United States, Mexico and Indonesia. While the security firm estimated that over 250 million computers were infected by the malware, Microsoft asserted that it only infected 5 million computers.

Microsoft said it had been tracking the malware since 2015 and claimed that Check Point tracked the number of visits to the fake pages to get

"While the threat is real, the reported magnitude of its reach might have been overblown", Hamish O'Dea of Microsoft's Windows Defender research team said. "In their report, Check Point estimated the size of the Fireball malware based on the number of visits to the search pages, and not through collection of endpoint device data. Not every machine that visits one of these sites is infected with malware."