Microsoft sparked a curious squabble over malware discovery and infection rates. At the start of the month security firm Check Point reported on a browser hijacker and malware downloader called Fireball. The firm claimed that it had recently discovered the Chinese malware and that it had infected some 250 million systems.
Today, Microsoft said no. Redmond claimed that actually, far from being a recent discovery, it had been tracking Fireball since 2015 and that the number of infected systems was far lower (though still substantial) at perhaps 40 million.
The two companies do agree on some details. They say that the Fireball hijacker/downloader is spread through being bundled with programs that users are installing deliberately. Microsoft further adds that these installations are often media and apps of “dubious origin” such as pirated software and keygens. Check Point says that the software was developed by a Chinese digital marketing firm named Rafotech and fingers similar installation vectors; it piggybacks on (legitimate) Rafotech software and may also be spread through spam, other malware, and other (non-Rafotech) freeware.
Both companies similarly agree on what the software then does. Directly, it hijacks your browser so that it uses a fake search engine (run, according to Check Point, by Rafotech) and a different homepage. But beyond that, it can also be used to download all kinds of other software, with Check Point saying that it uses typical malware anti-detection and command-and-control techniques to tell Fireball what to download and when.
The big discrepancy comes in estimating the number of victims. Check Point’s estimates are based on the company’s global network activity sensors, with circumstantial data traffic rankings from Alexa; Rafotech has a number of fake search pages that occasionally break into Alexa’s top 1,000 sites. Rafotech also claims that its marketing reach spans 300 million users, in the same ballpark as Check Point’s estimated 250 million infections. Further, Check Point says that about 20 percent of corporate networks are infected.
Microsoft, however, is estimating the level of infection from the number of machines that it has cleaned Fireball-distributed malware from, using both Windows Defender and the Malicious Software Removal Tool. The company doesn’t offer a number directly comparable to Check Point’s, but it’s around 40 million infections cleaned.
Microsoft’s estimates may be better than Check Point’s, but quite why it has decided to offer this counterpoint to Check Point is not entirely obvious. The number of infections is obviously a point of contention, but both companies are estimating, and it’s very unlikely that either company has exactly nailed the figure.
Perhaps more telling is that Microsoft’s blog a number of times points out that the new Windows 10 S wouldn’t be vulnerable. Because Windows 10 S can only install software through the Windows Store and hence can’t run arbitrary software installers (with their piggybacking malware), it’s immune to Fireball. That’s true and is certainly part of the reason why we feel Windows 10 S has some value for certain markets. But since it wasn’t available for the timeframe in question, it feels a little irrelevant to bring up.