Poker Malware

Every now and again, ESET comes across an attack that 'stands out'. Odlanor malware fits that bill – this unique trojan targets players of online poker.

Whenever ESET malware researchers discover a new interesting attack, a new piece of malware, or an old threat evolving in an interesting way, we share the news on this blog. Every once in a while, though, we stumble upon something that stands out, something that doesn't fall into the 'common' malware categories that we encounter every day – such as ransomware, banking trojans, or targeted attacks (APTs) – just to name a few of those that are currently causing the most problems. Today, we're bringing you one of those uncommon threats – a trojan devised to target players of online poker.

The last time I wrote about poker-related malware, it was about PokerAgent, a trojan propagating through Facebook that was used to steal Facebook users' logon credentials, credit card information and the level of Zynga poker credit.

Today, we're bringing you news about Win32/Spy.Odlanor, which is used by its malware operator to cheat in online poker by peeking at the cards of infected opponents. It specifically targets two of the largest online poker sites: PokerStars and Full Tilt Poker.

The attacker seems to operate in a simple manner: After the victim has successfully been infected with the trojan, the perpetrator will attempt to join the table where the victim is playing, thereby having an unfair advantage by being able to see the cards in their hand.

Let's explain each of those steps in a bit more detail, as uncovered through our analysis.

Like a typical computer trojan, Win32/Spy.Odlanor usually infects users unknowingly when they download some other, useful application from sources other than the software authors' official websites. This malware masquerades as benign installers for various general-purpose programs, such as Daemon Tools or mTorrent. In other cases, it was loaded onto the victim's system through various poker-related programs – poker player databases, poker calculators, and so on – such as Tournament Shark, Poker Calculator Pro, Smart Buddy, Poker Office, and others.

Once executed, the Odlanor malware creates screenshots of the window of either of the two targeted poker clients – PokerStars or Full Tilt Poker – if the victim is running one of them. The screenshots are then sent to the attacker's remote computer.

Afterwards, the screenshots can be retrieved by the cheating attacker. They reveal not only the hands of the infected opponent but also the player ID. Both of the targeted poker sites allow searching for players by their player IDs, hence the attacker can easily connect to the tables on which they're playing.

We are unsure whether the perpetrator plays the games manually or in some automated way.

In newer versions of the malware, general-purpose data-stealing functionality was added by running a version of NirSoft WebBrowserPassView, embedded in the Odlanor trojan. This tool, detected by ESET as Win32/PSWTool.WebBrowserPassView.B, is a legitimate, albeit potentially unsafe, application capable of extracting passwords from various web browsers.

The trojan communicates with its C&C, the address of which is hardcoded in the binary, via HTTP. Part of the exfiltrated information, such as the malware version and information identifying the computer, is sent in the URL parameters. The rest of the collected information, including an archive with any screenshots or stolen passwords, is sent in the POST request data.

The screenshots from IDA Pro below show the parts of the malware code that search for PokerStars and Full Tilt Poker windows:

We have observed several versions of the malware in the wild, the earliest ones from March 2015. According to ESET LiveGrid® telemetry, the largest number of detections comes from Eastern European countries. Nevertheless, the trojan poses a potential threat to any player of online poker. Several of the victims were located in the Czech Republic, Poland and Hungary. As of September 16th, there have been several hundred users infected with Win32/Spy.Odlanor.

Sample hashes (SHA-1):

18d9c30294ae989eb8933aeaa160570bd7309afc
510acecee856abc3e1804f63743ce4a9de4f632e
dfa64f053bbf549908b32f1f0e3cf693678c5f5a

Special thanks to Miro Babiš for the analysis.

Discussion

High-stakes poker player Masaaki Kagawa has reportedly been arrested by police in Japan for allegedly, according to Symantec, 'distributing spam that included emails with links to download "Android.Enesoluty" — malware used to collect contact details stored on the owner's device.'

Kagawa was one of eight individuals to be busted.

The operation reportedly ran from around September 2012 to April 2013, stopping only after law enforcement raided the office of the company — Tokyo IT firm Koei Planning.

According to Symantec, around 150 domains were registered to host the malicious apps and 'according to media reports, the group was able to collect approximately 37 million email addresses from around 810,000 Android devices. The company earned over 390 million yen (about $3.9 million) by running a fake online dating service called Sakura in the last five months of the spam operation. Spam used to lure victims to the dating site was sent to the addresses collected by the malware.'

Over the past handful of years, Kagawa has accumulated nearly $1.5 million in lifetime poker tournament earnings. In February of this year, he finished third in the $100,000 buy-in high roller event at the Aussie Millions. He cashed for about $330,000.

Kagawa is from Tokyo.
