Tuesday, May 16, 2006

Trojan-Laden Files Mean the End of RBCalc Rakeback Calculator

As mentioned before, some topics seem to run in streaks. For the past few days a number of online and security issues have jumped to the fore, with the latest being the discovery by online security firm F-Secure on May 10th that one of the most popular rake-calculator programs on the web, RBCalc, was actually a "rootkit" program housing four executable trojan files that collected logon and password information for many of the biggest poker sites on the Web.

The KAP Blog first became aware of this issue yesterday when Wil Wheaton posted about it in a column over at Card Squad, containing most of the pertinent information and links to releases from both F-Secure and checkraised.com, the site that initially released the application. One of the four trojan files was a spying application designed to monitor the activities of the following poker-client files:

  • PartyGaming.exe
  • mppoker.exe
  • poker.exe
  • gameclient.exe
  • ultimatebet.exe
  • absolutepoker.exe
  • mainclient.exe
  • pokerstars.exe
  • pokerstarsupdate.exe
  • partypoker.exe
  • fulltiltpoker.exe
  • pokernow.exe
  • multipoker.exe
  • empirepoker.exe
  • eurobetpoker.exe


The trojan component that served as a keylogger and captured i.d. and password information was designed to work with the following sites:

  • CEPoker
  • partypoker
  • pokernow
  • MultiPoker
  • Empirepoker


Two more elements deserve repeat mention. The first is that checkraised.com, the site issuing the offending program (RBCalc), has stopped all work associated with the application, effective immediately. They have replaced most or all off their RBCalc pages with an explanation of how the trojan implantation likely occurred --- they blame an unnamed contract programmer who they hired specifically for this job. (Please visit this page if you have ever used RBCalc, for specific trojan-removal instructions.) Obviously, any trackback concerning this unknown programmer is something that merits further tracking, to see what other industry-links and untoward applications exist, though checkraised.com stresses that its other applications --- Rake Tracker, Your Poker Cash, and Check Raised --- remain secure and unaffected.

The second element is rather more worrisome: the claim by F-Secure that the type of "toolkit" trojan methodology used in this malicious code remains undetectable by major anti-virus players Symantec, McAfee and others, due to the specific nature of the attack used. However, the trojan was also programmed to shut down if certain third-party applications such as Zone Alarm were operating. We'll have to wait and see how much of this is an upsell by F-Secure (and their exclusive "rootkit detection technology, Blacklight"), and how much is a real hole in the process that these other major security-software vendors offer. F-Secure has a demo version that I may just give a trial run...

If there's a moral to any of this, it's that the more "off the beaten path" and specialized the software, the more likely it is that it's doing something more or different than you think. Step carefully out there.

Thanks also go to Lou Krieger for sending along additional information on this story.

No comments: