Last Wednesday evening, the 10th of May, we received an interesting sample from a user. It was a normal PE executable named RBCalc.exe and the submitter described it as a rootkit. We proceeded with the sample as usual, beginning analysis on it. It wasn't long at all before we noticed it contained a nasty surprise. RBCalc.exe, also known as Rakeback calculator, was actually a Trojan. When RBCalc.exe is run, it silently drops four executable files into the user's %SystemRoot%\system32 folder and executes them.
The purpose of the dropped executables is to collect login information for various online poker websites from the user's computer and send it back to the malware author. In addition, the main malware component was protected by a rootkit driver that hid its process and its launch point in the registry.
The serious thing here was that RBCalc.exe was distributed by checkraised.com - a website that provides tools, articles and other various applications to all poker players. As a result, many online poker players could have been affected by this targeted attack.
The day after we received the sample, on the 11th of May, detection for RBCalc.exe and all the files it dropped was added to our database. Abuse reports were also sent to CERT and checkraised.com. On the evening of May 12th, RBCalc.exe was removed from the checkraised.com website.
If you have downloaded and executed this binary provided by checkraised.com, you should check your system immediately for possible infection. You can scan your computer for free with our new F-Secure Online Scanner Next Generation Beta, which also now has rootkit detection capabilities through the F-Secure BlackLight engine.
Checkraised.com (http://www.checkraised.com/site/apps/rbcalc/rbcalc.php) has set up a page to explain their view of the situation. The page also contains step-by-step instructions for manually removing the malware.
So, a question for all you poker fanatics: when is this not a winning hand?
Answer: When your online poker login credentials have been stolen and your account drained. We have received no reports of this happening, but the possibility is definitely there.