Police arrest hackers behind explosive Fireball malware that infected 250 million computers

The malware has been circulating for a couple of years, and its reach has been incredibly pervasive.
By Yi Shu Ng

At least nine of the ring of hackers that developed the "Fireball" malware have been arrested by Chinese authorities, according to state-run news outlets.

Fireball's reach was one of the world's most extensive. News of it emerged a month ago, and it's been estimated to have infected 250 million computers worldwide -- or about 20 percent of corporate networks.

The hackers behind it worked at a Beijing digital marketing company named Rafotech and had earned more than 80 million yuan ($11.84 million) by generating fake clicks and traffic to other websites, according to the Chinese paper Beijing Youth Daily.

Fireball piggybacked on Rafotech's legitimate software and hijacked browsers to force people to download other software.

It was likely spread through spam and bundled with other installed programs, typically cracked, pirated apps, according to Ars Technica.


Israel-based antivirus firm Check Point tracked the infection by examining traffic rankings from Alexa, and it was the source of the 250 million infection estimate.

These numbers have been disputed by Microsoft, which said it had been tracking Fireball since 2015 and has cleaned about 40 million Fireball infections.

Still, Fireball's reach has clearly been significant.

If Check Point's larger estimates are correct, the number of infected computers would dwarf the WannaCry ransomware attack, which was estimated to have infected 200,000 computers, and the Mirai botnet, which at one point infected half a million computers.

How they were busted

Rafotech's operations were exposed by a local security researcher, who sent data to local police, according to state-run Xinhua.

The security researcher said that he was able to analyse Fireball's transmission methods after reading overseas research on the malware, and he provided evidence that Rafotech's freeware contained the same malicious code found in Fireball. He then used the digital signatures to determine the company's registration information and the people responsible within the company.

Nine of Rafotech's employees were arrested on charges of sabotaging computer systems, while two more were detained, Xinhua reported.

Police in Haidian district said that the nine ran Rafotech's core operations, and while young, had years of experience in the IT industry, and knew anti-detection techniques.

The company had around 100 employees, Xinhua added, some of whom were involved in developing its freeware. "They did consult lawyers before doing what they did," according to Haidian police. "They tried to understand what was illegal so they would escape prosecution."

Yi Shu Ng

I am an intern with Mashable Asia, focusing on viral news, lifestyle news and feature news in the region.
