F-Secure Discovers Poker Trojan Threat

Security company F-Secure is reporting the appearance of a Trojan designed to steal online poker players' credentials.

In the F-Secure weblog, the company writes: "Last Wednesday evening, the 10th of May, we received an interesting sample from a user. It was a normal PE executable named RBCalc.exe and the submitter described it as a rootkit. We proceeded with the sample as usual, beginning analysis on it. It wasn't long at all before we noticed it contained a nasty surprise. RBCalc.exe, also known as Rakeback calculator, was actually a Trojan. When RBCalc.exe is run, it silently drops four executable files into the user's %SystemRoot%\system32 folder and executes them."

The entry continues: "The purpose of the dropped executables is to collect login information for various online poker websites from the user's computer and send them back to the malware author. In addition, the main malware component was protected by a rootkit driver that hid its process and launch point from registry."

"The serious thing here was that RBCalc.exe was distributed by checkraised.com - a website that provides tools, articles and other various applications to all poker players. As a result, many online poker players could have been affected by this targeted attack."

"The following day after we received the sample, on the 11th of May, detection for RBCalc.exe and all files it dropped was added into our database. Abuse reports were also sent to CERT and checkraised.com. On the evening of May 12th, RBCalc.exe was removed from the checkraised.com website."