
PCPro-Computing in the Real World Printed from www.pcpro.co.uk


Virus plays fast and loose with online poker

Posted on 16 May 2006 at 15:14

A rootkit virus - one which is hidden from the very operating system of a computer - has been discovered in a program designed to help online poker players tot up monies owed them by casinos after games.

Checkraised.com stopped distributing its Rakeback Calculator after it was discovered that versions of the software secretly installed components that gave the author remote access to login information for a variety of websites, including Partypoker, Empirepoker, Eurobetpoker and Pokernow.

Potentially, the author could log in to these accounts and set up a poker game against him/herself, ensuring that the victim would lose.

The components were hidden by a rootkit driver that essentially tells Windows to ignore these files, rendering them invisible to applications, including security programs such as Norton Antivirus. Indeed, Checkraised.com says that when the developer built the application, each version would be submitted to the company via email and scanned for viruses. Yet the rootkit code remained undetected.

However, Finnish security company F-Secure's Blacklight rootkit detection utility found the malicious software. Checkraised.com says it has now reported the findings to other antivirus companies, such as CERT, Symantec, McAfee, and TrendMicro.

Checkraised.com is advising users to change all poker site passwords and to check their computers for evidence of the infection, adding that the code may have been bundled into other applications which have nothing to do with the company.

It says it will no longer develop executable applications and that future programming will be done in-house.

Kimmo Kasslin, a researcher at F-Secure's Data Security Laboratory, said: 'Following the exponential rise of interest in online poker, it is inevitable that malware authors would follow suit with programs to separate players from their money. What is significant is the fact that this particular scam was hosted, albeit unwittingly, on a legitimate site and used rootkit technology to cloak itself. Without our unique Blacklight technology to detect it, many online gamblers could have become victims of this exploit.'

For manual instructions for checking and removing the rbcalc.exe files, visit the Checkraised.com website. The company claims that its other properties are not affected by the issue.

For more information on F-Secure's Blacklight rootkit detection technology, visit F-Secure.com/Blacklight.

Author: Matt Whipp
