Microsoft: 250M devices infected with Fireball is ‘overblown’

Some security researchers say Fireball hit more than 250 million computers. Microsoft is arguing it’s more like 5 million.

Alfred Ng Senior Reporter / CNET News


Researchers are warning that a virus has spread like wildfire, but Microsoft argues it's a lot of smoke and mirrors.

Earlier this month, security company Check Point said it discovered a Chinese operation that infected more than 250 million computers with Fireball, which can take over your computer's browser. Fireball spread through software bundling, by hiding in downloads from questionable sources, like pirated games or movies.

At that infection rate, it easily overshadowed the WannaCry ransomware, which hit about 200,000 devices at the height of the ransomware's spread last month.

While Fireball has the capability to hijack your browser and download more malware, the attackers had primarily been using it to redirect traffic from infected victims to certain websites where they could rake in ad revenue. The scheme, which Check Point said was run by a marketing agency in Beijing called Rafotech, would change a browser's default search engine and homepage to a fake page.

In a screenshot captured by Microsoft, one of the fake pages looked like a Google ripoff and featured a search engine called Trotux. Other fake search engines included HohoSearch, WalaSearch and StartPageing123.

Check Point described Fireball as a massive malware breach, but Microsoft disagrees.

Microsoft on Thursday released research showing it had been following Fireball since 2015, and hadn't seen it infect more than 5 million devices.

"While the threat is real, the reported magnitude of its reach might have been overblown," Hamish O'Dea, from the Windows Defender research team, said.

Microsoft claimed that Check Point tracked the number of visits to the fake pages to get the "250 million infected" figure instead of looking at how many devices were actually hit with Fireball. Not every device that visits these bogus search engines is necessarily infected, Microsoft said.

Windows Defender gathered data on more than 500 million devices. Of the 5 million Fireball infections it spotted, the greatest number occurred in Brazil and India.

Microsoft has asked to get a closer look at Check Point's data, and the security company said it is cooperating. 

"We tried to reassess the number of infections, and from recent data we know for sure that numbers are at least 40 million, but could be much more," Maya Horowitz, Check Point's threat intelligence group manager, said in a statement.
