An online tool billed as able to calculate the amount of money taken by poker sites is actually malware designed to steal online poker players' login details.
The rakeback calculator RBCalc.exe, which was distributed on gaming site Checkraised.com, creates a backdoor into users' computers to covertly store gamblers' information.
The program silently drops four executable files into the player's system and uses a rootkit driver to conceal the operation.
The tool's author could then steal log-in information for various online poker websites including Partypoker.com, Empirepoker, Eurobetpoker and Pokernow.
Having gained access, the hacker could then empty the compromised account by playing poker against themselves and losing on purpose.
The backdoor was uncovered by F-Secure's Blacklight rootkit detection technology.
Shortly after the discovery, Checkraised.com removed the offending file from its website and issued an official statement advising users to change their poker site passwords as well as offering instructions for manually removing the malware.
"Following the exponential rise of interest in online poker, it is inevitable that malware authors would follow suit with programs to separate players from their money," said Kimmo Kasslin, a researcher at F-Secure's data security laboratory.
"What is significant is the fact that this particular scam was hosted, albeit unwittingly, on a legitimate site and used rootkit technology to cloak itself."
F-Secure warned players that standard security software from the bigger vendors would not have protected against this rootkit exploit.



