Fireball arrests made

Fireball arrests made

Following some arrests in China, we may see a decrease in the amount of adware and adfraud hailing from the Rafotech labs.

According to some reports 250 million machines may have been infected with one variant or another of Rafotechs’ products. We have shared some information about the potential risks associated with their malware before. But according to this article in The Register the organization may have been beheaded by the eleven arrests the Chinese police made.

This graph shows how many detections Malwarebytes (versions 2 & 3) reported back for the month of July so far. The numbers of detections shown in the graph are only for Adware.Elex and associated detections.

click to enlarge

As you can see we have hit the 30,000 detections per day on occasion. Keep in mind, there are other families attributed to Fireball, but these have different vendor names. Anyway, we hope this curve will take a dive very soon.

On the surface Fireball infections may seem like just another browser hijacker, that simply changes your start-page, and the default search engine, but a closer look reveals capabilities of ad fraud, data gathering, and to download and install other malware. Also the methods in use by Elex covered almost the entire range of methods, including rootkits.

Reports about the arrests vary, but all sources agree that some of the most important managers of Rafotech were included. Rafotech is a digital marketing agency that earns money by combining the adware and browser hijackers in bundlers.

Remind me to have another look at the graph next month, so we can see if the arrests have had the effect we hoped for.

Pieter Arntz


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.