The Overblown Russian I2Ninja Poker Malware Story
What are the chances that you, as an online poker player, could have your computer infected by malware specifically designed to target your accounts at online sites? The answer is simple: Not high at all. Most times, stories about supposed malware infestations surging through the poker world turn out to be not so threatening, and are often slyly written advertising messages for the software firms behind them.
Such is the case with one of the latest supposed threats to be reported, a program called I2Ninja. I2Ninja is similar to many other forms of malware and computer viruses that exist, but was reported to have a special feature called “Poker Grabber” that could target victims’ online-poker accounts directly.
According to the November 20th story at Trusteer.com (an IBM company, toot-toot!), I2Ninja is a product available via Russian hacking and cybercrime forums that specifically targets online players. That much of the internet’s cybercrime originates from Russia is not only true enough; it’s a great hook on which to sell the story itself. The so-called “Russian Business Network” is one of the internet’s oldest and most well-protected cybercrime groups, operating for over a decade with the protection of local and regional authorities. The RBN is believed to have been behind the massive, extortion-based DDOS attacks that plagued online gambling sites for years, but that’s a trip down a whole different part of memory lane. Malware threats change fast in the online world, and for the purposes of the Trusteer story, that’s what matters most.
Exactly how threatening is a supposed malware threat that Trusteer has identified, but which targets sites that have been out of business for two and a half years? According to Trusteer, “Trusteer’s security team has identified a new offering in a Russian cybercrime forum, a malware variant that, until now, has been working incognito – the i2Ninja malware.”
Further, the story lists the module elements for I2Poker, which the story claims is being sold openly on those underground Russian forums. The bold-face is the important stuff:
2. Module kit:
– Formgrabber (IE/FF/Chrome all versions)
– HTTP/HTTPS injections (Stable in all IE/FF/Chrome browsers)
– I2P Proxy (Access the web through I2P and it’s impossible to trace you. No other proxy server will give you such a level of security. No matter how secure proxy-server operators will position themselves to be, your IP is still logged somewhere in the process!)
– FTPgrabber (33 clients)
– PokerGrabber (The most popular clients – 88poker, Absolute Poker, Cake Poker, Full Tilt Poker, Party Poker, PokerStars, Titan Poker)
– MailGrabber (16 services)
Absolute Poker?? That abomination of a site went out of business shortly after Black Friday, which means that the latest this supposed current threat could have been created is early 2011. The naming forms of some of the other entries — Cake Poker and Titan Poker in particular — suggest that this malware’s Poker Grabber module could have been created as early as 2007 or 2008.
And that means it probably doesn’t work and isn’t a threat at all, despite Trusteer’s claims of having just identified it. That didn’t stop a handful of poker sites from re-reporting the story, including a slow-day news piece from Jocelyn Wood over at pokerfuse, called “New Financial Malware Targets Poker Players with ‘PokerGrabber’ Module”. Psssst, Joss: This one ain’t so new.
The number of poker sites that carried the story straight up was exceeded only by the number of mainstream outlets that did the same, including this one, this one and this one, among many others, all oblivious to the fact that the mere presence of Absolute in the software’s hacking capabilities belied the claim that this was a hot, new threat. That’s what they all get for not fact-checking, one supposes.
The Trusteer piece is nothing more than SEO candy, and should be exposed as such. For the record, given how long it’s been out there, if the Poker Grabber module of I2Ninja (or earlier incarnations of same) was such a real threat, it would have been discovered long ago.
Hacking of poker players’ computers does happen, but as a whole, thankfully, the shotgun approach of something such as this I2Ninja turns out to be a not very effective or efficient cybercrime tool. Poker players are more likely to be victimized in one of two ways: by allowing the security of their computers to be specifically compromised, such as what happened recently with online star Jens Kyllonen when his laptop was hacked at an EPT event, or by the players themselves installing software on their machines without really understanding what that software does.
A couple of examples of that latter category should demonstrate the difference between a targeted and non-targeted approach. Sometimes, so-called cheating software is itself the source of the problem, as in the case of a piece of scam software called “Poker Cheating System,” which some yahoo sold to very willing victims at $50 a pop, back around 2007. The software was supposed to allow players to see opponents’ hole cards, kind of giving them the pretend equivalent of what Russ Hamilton and Scott Tom and a few others did for real at UltimateBet and AP.
Except this program was a fake and a fraud. It put up some random card images that weren’t really what the opponents held, and in addition to sending $50 to the seller of the fraud software, it may also have transmitted the buyers’ hole cards to the guy that wrote the software, swiftly turning the would-be crook into the victim, by his own means. There was another program out there for a while called Poker Bodyguard that was every bit the same type of scam.
Then there was the story of RBCalc, a free software app available to members of CheckRaised.com, an affiliate site that went out of business in part because of what happened with RBCalc. The CheckRaised folks wanted to give a premium to their members, so they hired a former PartyPoker programmer to create a software add-on, an early rakeback calculator. That intent was good, but little did they know that the former Party coder saw this as an opportunity to grab some passwords, and so he planted software inside RBCalc that transmitted those passwords off to somewhere in India.
The hidden software code inside RBCalc targeted about 15 different sites, a few dozen players had their accounts cleaned out, and it turned out that CheckRaised’s diligence regarding the security and testing of RBCalc included an innocent, but significant, gaffe. And so CheckRaised went away.
These examples illustrate the difference between targeted approaches and those that would use a shotgun style, such as this I2Ninja. The truth is, I2Ninja is highly unlikely to cause any sort of problems within the online-poker world before it’s noticed at large, for all the other nasty things the software is supposed to do. That means that the F-Secures and TrendMicros and McAfees of the world will be on to it long before it spreads. And if it does manage to spread, then it will be of far more concern to the world at large than to a few poker players.
Much ado about very little, and a story that’s really not much of a story at all. Features such as Trusteer’s little blurb about I2Ninja are more about peddling a little fear in the interests of promoting one’s company than they are about exposing any real threat. As threats go, this is one that players shouldn’t be concerned about.