May 15, 2006
You Gotta Know When to Walk Away… from a Coder
The rise of trojan rootkits continues, this time in the form of software distributed by the popular poker site checkraised.com.
When RBCalc.exe is run, it silently drops four executable files into the user’s %SystemRoot%\system32 folder and executes them.
The purpose of the dropped executables is to collect login information for various online poker websites from the user’s computer and send it back to the malware author. In addition, the main malware component was protected by a rootkit driver that hid its process and its launch point in the registry.
What’s interesting is what we find on the checkraised website about this:
In December 2005 we contracted a programmer to create a rake calculator for us… It has recently come to our attention that early versions of this program that we received contained a virus that installs itself every time the user runs rbcalc. The virus goes undetected by Norton AntiVirus and Microsoft Defender, even to this day. This is why we never noticed it until a 3rd party contacted us about the malicious software.
Assuming that checkraised wasn’t a party to this, they staked their reputation on this software and prominently advertised it on their site. They had an obligation to verify what system changes are made when you install the application, and what network traffic the application generates. Relying on nothing more than Anti-Virus and Anti-Spyware is not enough.
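A before/after snapshot of the directory the installer touches is the simplest form of the check called for above. The following is an added example, not code from the original post or from checkraised; it covers only the file-system side (not network traffic) and uses a constructed temporary directory in place of %SystemRoot%\system32.

```python
# Added example: snapshot a directory tree before and after running an
# untrusted binary, then report what was added, removed or modified.
import hashlib
import os
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}

def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    result = {}
    root = Path(root)
    for path in root.rglob("*"):
        if path.is_file():
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            result[rel] = h.hexdigest()
    return result

def diff_snapshots(before, after):
    """Return sorted added, removed and modified paths between two snapshots."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return {"added": added, "removed": removed, "modified": modified}

def new_executables(diff):
    """Filter the added files down to executable types worth a closer look."""
    return [p for p in diff["added"] if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES]

def demo():
    """Constructed scenario: a fake system32 where an installer drops files."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "system32"
        sys32.mkdir()
        (sys32 / "existing.dll").write_bytes(b"original contents")
        (sys32 / "readme.txt").write_bytes(b"notes")
        before = snapshot(sys32)
        # constructed stand-in for the changes an untrusted installer makes
        (sys32 / "dropped.exe").write_bytes(b"dropped file 1")
        (sys32 / "dropped.sys").write_bytes(b"dropped file 2")
        (sys32 / "existing.dll").write_bytes(b"changed contents")
        after = snapshot(sys32)
        return diff_snapshots(before, after)

if __name__ == "__main__":
    result = demo()
    print(result)
    print("new executables:", new_executables(result))
```

In practice the first snapshot is taken on a clean test machine before the installer runs and the second after a reboot, so that anything written at startup is caught too.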
Even when the application just helps you play Texas Hold ’em, be careful who you trust to contract software for you. With the rise of programming-is-a-commodity sites like rentacoder and elance, the line of accountability starts to get very dotted.
How’s your poker face? [f-secure blog]