Thursday, May 18, 2006
A Followup Q & A on the RBCalc Trojan
Lingering issues on the "rootkit" trojan discovered to be lurking within checkraised.com's popular add-on application, RBCalc, prompted us to do a little more digging into the matter. There were several questions left unanswered in the information offered by both checkraised.com and the Finnish Internet-security firm that discovered the virus, F-Secure. While it will likely be some some time --- if ever --- before all the questions are answered, we've assembled a quick Q & A for some of the most obvious thoughts on poker players' minds.
1) Who is this F-Secure? Are they some sort of fly-by-night operation trying to make a quick buck?
--- We all remember that not long ago, Pokerroom.com was the attempted victim of an electronic shakedown by Securident. However, F-Secure and Securident are, in more ways than one, worlds apart... and the answer to the question above is an emphatic "No." Helsinki, Finland-based F-Secure, recently voted one of "Europe's 50 Hottest Tech Firms," is a growing and very legitimate player in online security. They have offices in several industrialized countries (including the U.S.), and their corporate-customer base already includes these stalwarts: IBM, Cisco, Honda, Siemens AG, Cap Gemini, Barclays Bank, Tesco, Deutsche Telekom, Ernst & Young, and Sonera. Truly, F-Secure is not three guys in a boilerroom zapping out the code version of a 1-800-Call-Mee porn site.
2) Is F-Secure trying to make a buck off their discovery?
--- Oh, definitely, but we'll come back to this one in a bit.
3) Checkraised.com's site says this: "The virus goes undetected by Norton AntiVirus and Microsoft Defender, even to this day. This is why we never noticed it until a 3rd party contacted us about the malicious software." Is this true?
--- Yes and no. It was true in the narrowest sense at the time it was written, but things have already changed. We contacted Phil Weiler of Symantec's media-relations team about the checkraised.com allegation, and Mr. Weiler immediately referred us to the relevant Symantec/Norton Antivirus press release on the matter, which you can access here. The virus, which Symantec has dubbed "trojan.checkraised," is a slightly modified version of an earlier backdoor "rootkit" trojan tagged as "trojan.dropper," named for the trojan's methods of dropping the malware executables into place through the "rootkit" driver. If you are running Norton Antivirus with active updates, the specific fix for this virus was created late on May 16th. Any update on May 17th or later protects you against the trojan.checkraised bug.
The difference seems to be in the way F-Secure and Symantec (Norton) detect these trojans; in this instance, F-Secure's "exclusive BlackLight technology" seems to be picking up on a defining feature of the "rootkit" family that allowed this virus to be detected; Symantec, on the other hand, had previously protected against the trojan's early versions, as shown in this March, 2005 update.
Looked at another way, the F-Secure find was proactive, the Symantec followup reactive, but Symantec reacts so quickly that damage is likely only if you're one of the unfortunate first few to be infected, at least once the bug has been discovered. For trojan.checkraised, Symantec released their own fix within a day of their learning of the bug. Remember that this is essentially how Norton Antivirus works: it is at its a core a massive library of known computer viruses, along with the methods for removing them. It is not a method of uncovering unknown viruses.
As for F-Secure, the fact that they do seem to be able to detect this family of related "rootkit" attacks, based on some unspecified generality they seem to share, is exactly the upselling point the firm makes it out to be. It's a good selling point. On the flip side, unless you're one of those unfortunate early few, it doesn't matter whether F-Secure or Symantec uncovered the thing; you'll be protected from it at about the same time. Excepting the hacker who wrote it, no one knew about the trojan before May 16th, when F-Secure uncovered it, and by the following day the checkraised.com text about it being undetectable by Norton Antivirus was no longer true.
While the full impact of the virus has yet to be determined, the trojan.checkraised attack does not seem to be widespread. From the initial report on the bug from Symantec:
It is not considered a widespread nor serious threat, though this is of small comfort if you were in that first handful of players to try RBCalc.
4) Will I be protected against similar attacks in the future?
--- A much dicier question. Since Norton Antivirus accumulates responses to known bugs, any new variant would remain undetected until uncovered by another of that market's players. This is not a comforting thought, given that this avenue of vulnerability has now been exposed to all those Russian hackerz drooling at the thought of accessing the tens of billions wagered over the Internet in the form of online gaming.
5) Will we ever learn the identity of the "contract programmer" responsible for implanting the bug into checkraised.com's application?
--- Iffy. Checkraised.com is not exactly PartyGaming, Symantec or F-Secure, and while their quick killing of the infected product is well and good, it doesn't do much to foster trust in future checkraised.com offerings. Checkraised.com may be planning legal action against the mysterious person or persons who did this contract programming on their behalf, though if any user actually did lose funds through the illicit operation of the virus, they'd be hard-presssed to go after checkraised.com. I didn't run the stuff, so this is only conjecture, yet software of the RBCalc sort invariably comes with the "As Is" type of non-liability disclaimer that basically says, "Here 'Tis; You're on Your Own." Still, checkraised.com has everything to gain by going public with as much information as possible in this matter, as much as to restore their own reputation as anything else... and they everything to lose if they play it too close to the vest. If checkraised.com does offer more information, we will report it.
A half-witty aside to wrap up this post? How about this: With the naming of this new trojan variant, at least checkraised.com has achieved a different sort of immortality.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment