Rootkit Infiltrates Online Poker Software

A Trojan with offensive rootkit features can hijack online poker credentials and send the information to the malware writer. The company distributing the rootkit-infested software blames it on a rogue programmer.

For online poker players, this was always going to be a losing hand.

A Trojan with malicious rootkit features hidden in a legitimate software package distributed by online gaming tools vendor Check Raised has the ability to hijack log-in information for multiple online poker Web sites, according to a warning from Finnish security vendor F-Secure.

The spying Trojan, identified as, was built into a Rakeback calculator application (RBCalc.exe) distributed by Check Raised to help online poker players keep track of scaled commission fees taken by the Web site operator.

The rake calculator is offered as an executable file that players runs on their machine to calculate rake from hands they previously played (stored in hand history files or a poker tracker database).

However, according to F-Secure virus researcher Jarkko Turkulainen, when the rake calculator is run, it silently drops several files into the Windows system directory to monitor running processes and spy on connections to several popular online poker Web sites.

The Trojans main file comes with rootkit functionality to hide its process and the registry launch point, Turkulainen said. A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on a computer.

When the spying component is initialized, it starts a keystroke logger and connects to a remote server that is programmed to send instructions to the infected machines. The instructions range from the downloading of executable files, the uploading of stolen information, the shutdown of the Trojan and the ability to send application screenshots.

The backdoor also sends out sensitive information to remote servers, including keylogger database, computer name, and the username and password of several online poker programs.

/zimages/5/28571.gifClick here to read about how stealth rootkits are bombarding XP SP2 boxes.

Check Raised, in San Jose, Calif., acknowledged a virus was embedded on its rake calculator and pinned the blame on an unidentified programmer who created the application in December 2005.

In a warning posted on its Web site, Check Raised said early versions of the program received from the contracted programmer contained the malware that installs itself every time the user runs [the rake calculator].

"The virus goes undetected by Norton AntiVirus and Microsoft Defender, even to this day. This is why we never noticed it until a third party contacted us about the malicious software," Check Raised officials said.

In the advisory, the company offered detailed instructions to manually remove the malicious software. "Please delete all instances of rbcalc (RBCalc.exe). We do not want any users running this software. The software will no longer be supported," Check Raised said.

"To prevent such situations from happening in the future, we do not plan on developing any executable applications. In addition, all future programming will be done in-house to ensure the maximum safety that we can provide to our users," the company added.

According to F-Secures Turkulainen, many online poker players could have been affected by a targeted attack against multiple poker applications.

The list of poker applications targeted by the Trojan includes PartyGaming.exe, mppoker.exe, poker.exe, gameclient.exe, ultimatebet.exe, absolutepoker.exe, mainclient.exe, pokerstars.exe, pokerstarsupdate.exe, partypoker.exe, fulltiltpoker.exe, pokernow.exe, multipoker.exe, empirepoker.exe and eurobetpoker.exe.

"Stealing money via stolen poker accounts might be hard to prove: [An] attacker could log in with your stolen account and then play poker badly against himself," F-Secure noted in its warning.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.