A backdoor hidden inside an online poker tool, which covertly harvested
gamblers' login information for potential theft, has been uncovered by
F-Secure's rootkit detection technology, BlackLight. Rootkits are used by
malware authors to hide malicious software. The tool in question, RBCalc.exe,
also known as a Rakeback calculator, has been distributed from the gaming
site Checkraised.com.
The backdoor, a means of gaining unauthorised remote access to a
computer, was installed by silently dropping four executable files
onto the user's computer and using a rootkit driver to conceal them.
With this in place, the tool's author could collect the login
credentials stored on the user's computer for various online poker
websites, including Partypoker, Empirepoker, Eurobetpoker and
Pokernow. With those credentials, the attacker could log in to the
victim's account and play poker against himself, losing on purpose so
that the victim's money ended up in his own account.
Shortly after the discovery, Checkraised.com removed the
offending executable from its website and issued an official
statement advising users to change their poker site passwords and
giving instructions for manually removing the malware.
Speaking about the case, Kimmo Kasslin, a researcher at
F-Secure's Data Security Laboratory, said: "Following the exponential
rise of interest in online poker, it was inevitable that malware
authors would follow suit with programs to separate players from
their money. What is significant is the fact that this particular
scam was hosted, albeit unwittingly, on a legitimate site and used
rootkit technology to cloak itself. Without our unique BlackLight
technology to detect it, many online gamblers could have become
victims of this exploit."
Kasslin continued: "Malware authors are increasingly wise to
standard antivirus and intrusion techniques and are constantly
looking for new exploits. Having standard data security software
from the bigger vendors would not have protected you against this
rootkit exploit. F-Secure's software does."
F-Secure advises anyone who has downloaded and executed this
binary from checkraised.com to check their system
immediately for possible infection. A free scan is available from
our new F-Secure Online Scanner Next Generation Beta, which now
includes rootkit detection through the F-Secure BlackLight engine.
To view the full statement issued by Checkraised.com, go to:
http://www.checkraised.com/site/apps/rbcalc/rbcalc.php
For a technical description and for a screenshot of the
malicious RBCalc application:
http://www.f-secure.com/v-descs/small_la.shtml
For F-Secure Internet Security 2006 with BlackLight technology:
http://www.f-secure.com/estore/
To get the free scan go to:
http://support.f-secure.com/enu/home/ols3.shtml
About F-Secure Corporation
F-Secure Corporation protects consumers and businesses
against computer viruses and other threats from the Internet and mobile
networks. We want to be the most reliable provider of security services in the
market. One way to demonstrate this is the speed of our response. According to
independent studies in 2004, 2005 and 2006 our response time to new threats is
significantly faster than our major competitors. Our award-winning solutions are
available for workstations, gateways, servers and mobile phones. They include
antivirus and desktop firewall with intrusion prevention, antispam and
antispyware solutions, as well as network control solutions for Internet Service
Providers. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges
since 1999, and has been consistently growing faster than all its publicly
listed competitors. F-Secure headquarters are in Helsinki, Finland, and we have
regional offices around the world. F-Secure protection is also available as a
service through major ISPs, such as France Telecom, TeliaSonera, PCCW and
Charter Communications. F-Secure is the global market leader in mobile phone
protection provided through mobile operators, such as T-Mobile and Swisscom and
mobile handset manufacturers such as Nokia. The latest real-time news on virus
threats is available at the F-Secure Data Security Lab weblog at http://www.f-secure.com/weblog/
For more information
Mikko Hypponen, Chief Research Officer
Mobile: +358 (0)40 064 8180
Fax: +358 (0)9 2520 5001
Email: firstname.lastname@f-secure.com