Malware Victimizing PokerStars and Full Tilt Players
Every few years, some troubling computer virus spreads throughout the world, grabbing headlines and spawning all sorts of news pieces on how best to protect our computers and private information from the bug. Once we realize our systems haven’t been infected and we get our security software updated, we go back to business as usual. As the threat recedes further into the rearview, we forget the lessons we were taught and eventually have to deal with another invisible menace.
Internet security software company ESET, developer of the highly-regarded NOD32 anti-virus software, made public a discovery on its ESET Ireland blog yesterday, warning poker players of a nasty piece of malware designed to bilk players out of their money.
The malware is called Odlanor (“Ronaldo” spelled backwards) and has been targeting PokerStars and Full Tilt Poker players. It is a fairly simple Trojan that captures the hole cards displayed on the infected player’s screen and sends them to somebody who can take advantage of that information at the table. We’ll let ESET explain it further:
Like a typical computer trojan, users usually get infected with Win32/Spy.Odlanor unknowingly when downloading some other, useful application from sources different than the official websites of the software authors. This malware masquerades as benign installers for various general purpose programs, such as Daemon Tools or µTorrent. In other cases, it was loaded onto the victim’s system through various poker-related programs – poker player databases, poker calculators, and so on – such as Tournament Shark, Poker Calculator Pro, Smart Buddy, Poker Office, and others.
Once executed, the Odlanor malware will be used to create screenshots of the window of the two targeted poker clients – PokerStars or Full Tilt Poker, if the victim is running either of them. The screenshots are then sent to the attacker’s remote computer.
Afterwards, the screenshots can be retrieved by the cheating attacker. They reveal not only the hands of the infected opponent but also the player ID. Both of the targeted poker sites allow searching for players by their player IDs, hence the attacker can easily connect to the tables on which they’re playing.
ESET does not know whether the attacker then plays poker manually against the victim or uses a bot to do everything automatically. It doesn’t really matter, though. Bot use is the least of one’s worries here.
ESET says newer versions of Odlanor could be even more damaging, as they bundle an application called WebBrowserPassView. ESET explains that it is a “legitimate” application, a password-recovery utility, but in the attacker’s hands it is used to pull saved passwords out of the victim’s web browsers, so any login stored in the browser is at risk, not just the poker client.
So far, “several hundred” infected users have been detected by ESET, and if that’s the extent of it, it’s fortunately not THAT bad compared to the total population of online poker players, but even one victim is too many. Most of the compromised computers – 71 percent – have been detected in Russia and Ukraine, with another 21 percent in Kazakhstan and Belarus. Odlanor has also been seen in the Czech Republic, Poland, and Hungary. ESET warns, though, that since this is a computer trojan, it is not limited by national boundaries. It can spread to any computer, anywhere.
Of course, when we think about cheaters being able to see opponents’ hole cards, we think back to the Absolute Poker and UltimateBet superuser scandals of 2007-2008 that rocked the online poker world. Keep in mind, though, that this is a different situation. With AP and UB, company insiders manipulated things on the server side so that they could just sit there and see everyone’s hole cards. No access to anyone else’s computer was needed. In the case of Odlanor, the player’s own machine is infected with the trojan, which sends screenshots of the hole cards to the attacker so that he can then take advantage at the poker table.
In the case of AP and UB, players couldn’t do anything about it. In the case of Odlanor, preventing the cheating is easy: be responsible when downloading software. If the software is known to be completely legitimate, such as Poker Office, download it directly from the developer’s website. Don’t torrent it, and don’t download it from some other, sketchy site that promises “FREE P0KER WAREZ!” If you want to download software for free, download software that doesn’t cost any money. It’s as simple as that. If you want paid software for free, see if there’s a free trial, but know you will have to pay for it eventually. And, of course, if the software package is a complete unknown, stay away until you have done your research and are confident it is legitimate.
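Downloading from the developer’s site is the first step; the second is confirming that what landed on disk is really the developer’s installer. The PowerShell function below is an added example, not code from ESET, Flushdraw, or any of the poker software vendors named above: it checks a downloaded installer’s SHA-256 hash against the value the vendor publishes and verifies that the file carries a valid Authenticode signature from the expected publisher. The hash value, file path, and publisher name in the usage lines are placeholders (assumptions), to be replaced with what the real vendor publishes.

```powershell
# Added example (not from ESET or Flushdraw): vet a downloaded installer before
# running it. Assumes the vendor publishes a SHA-256 hash on its official site
# and signs its installers with an Authenticode certificate in its own name.
function Test-InstallerIntegrity {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ExpectedSha256,     # from the vendor's site, not the download mirror
        [Parameter(Mandatory = $true)][string]$ExpectedPublisherCN # CN in the vendor's code-signing cert
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # 1. Hash check: a repackaged installer (installer + trojan) will not match.
    $actualHash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashMatches = $actualHash -ieq $ExpectedSha256

    # 2. Signature check: must be Valid (chain trusted, file unmodified) AND
    #    signed by the publisher we expect, not merely by "someone".
    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $sigOk   = ($sig.Status -eq 'Valid') -and
               ($signer -match ('CN=' + [regex]::Escape($ExpectedPublisherCN)))

    # 3. Mark-of-the-Web: if the Zone.Identifier stream is missing, the file did
    #    not arrive through a browser download (e.g. extracted from a torrent),
    #    so SmartScreen never had a chance to look at it.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Path             = $Path
        Sha256           = $actualHash
        HashMatches      = $hashMatches
        SignatureStatus  = $sig.Status
        Signer           = $signer
        PublisherMatches = $sigOk
        HasMarkOfTheWeb  = [bool]$zone
        SafeToRun        = $hashMatches -and $sigOk
    }
}

# Usage (placeholder values; substitute the vendor's published hash and name):
$result = Test-InstallerIntegrity `
    -Path 'C:\Users\Me\Downloads\PokerToolSetup.exe' `
    -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000' `
    -ExpectedPublisherCN 'Example Poker Software Ltd'

$result | Format-List
if (-not $result.SafeToRun) {
    Write-Warning "Do not run $($result.Path): hash or publisher check failed."
}
```

Both checks matter. A trojanized bundle downloaded from a warez site may still carry a valid signature if the attacker signed it with his own certificate, which is why the function compares the signer’s CN to the expected vendor rather than accepting any “Valid” status; and a vendor that does not sign its installers leaves you with only the published hash to go on.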
ESET does not say how to clean one’s computer if it is infected with Odlanor, but running a scan with internet security software (ESET’s or otherwise) would be a start. As it is known malware at this point, internet security packages may be able to detect it and wipe it out. Given that newer versions also harvest saved browser passwords, anyone who finds it on their machine should change the passwords for their poker accounts and any other site whose login was stored in the browser once the machine is clean.
UPDATE – a representative of PokerStars and Full Tilt reached out to Flushdraw with the following statement:
PokerStars and Full Tilt are aware that some players’ computers have been targeted by malicious software. An initial review of gameplay for those accounts where we believe this malware was present found no evidence that these players have lost funds due to unfair play. In line with our constant goal for utmost security, we recommend that players protect themselves against this sort of attack by practicing good computer security. Players should keep their operating system updated, use reliable anti-virus software, and only install software from reputable sources.