Microsoft throws cold water on claims Fireball virus infected 250 million PCs


Microsoft is firing back at security researchers who claim that a recently discovered virus has infected hundreds of millions of PCs. According to Microsoft, the virus exists, but the true tally of infected machines is closer to 5 million.

Check Point, the company behind the popular ZoneAlarm firewall and security products, recently released a report saying it discovered a "high volume Chinese threat operation" affecting more than 250 million computers around the world. Called Fireball, the malware takes over target browsers and turns them into zombies.

The culprit is a digital marketing agency (Rafotech) that is primarily using Fireball to redirect browser traffic to generate ad revenue, at least for now. However, once a system is infected with Fireball, the malware has the ability to download any files and/or additional dirty software.

"Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware," Check Point warns.

Check Point called Fireball's spread to 250 million PCs and 20 percent of corporate networks around the world "alarming." These figures are based in part on Alexa's web traffic data, which shows that Rafotech's fake search engines have been gaining in popularity.

While Check Point only recently discovered Fireball, Microsoft says it has been tracking the virus since 2015 and that initially it came exclusively through software bundling. Pirated games and key generators were especially prone to bundling Fireball. Nevertheless, Microsoft says that the number of infected PCs is nowhere near what Check Point claims.

"In their report, Check Point estimated the size of the Fireball malware based on the number of visits to the search pages, and not through collection of endpoint device data. However, using this technique of site visits to estimate the volume of infected machines can be tricky," Microsoft stated in a blog post.

One reason counting visits to search pages can be tricky is that not every PC that visits those sites is necessarily infected with malware. Microsoft points out that search pages earn revenue regardless of how a user arrives at a particular page.

"Some may be loaded by users who are not infected during normal web browsing, for example, via advertisements or domain parking," Microsoft says.

Microsoft also called into question the estimates that were made from Alexa's ranking data, which are estimates of visitor numbers based on a small percentage of Internet users.

"Alexa’s estimates are based on normal web browsing. They are not the kind of traffic produced by malware infections, like the Fireball threats, which only target Google Chrome and Mozilla Firefox. The Alexa traffic estimates for the Fireball domains, for example, differ from Alexa competitor SimilarWeb," Microsoft points out.

In contrast to Check Point's data collection, Microsoft said it combed through intelligence gathered from 300 million Windows Defender AV clients since 2015, plus monthly scans by the MSRT on over 500 million machines since October 2016. In doing so, Microsoft said it witnessed Fireball fizzling over time. It also used the opportunity to promote its Edge browser in Windows 10, which is immune to Fireball's browser hijacking techniques.