Screenshot malware targeted innocent online poker players
All in with Odlanor
Spyware is targeting users of the Full Tilt Poker and PokerStars online games – and it is said to allow cheats to get a sneaky advantage over honest players.
The malware, named Odlanor, first checks if PokerStars or Full Tilt Poker is running before taking screenshots of the infected player’s virtual poker hand and their player ID before sending screenshots to the attacker, while logging other activity.
The hacker then joins the victim’s virtual table by searching for the particular player ID before enjoying an unfair advantage in gameplay thanks to knowing the victim’s hand. The victim is, of course, left in completely in the dark with no indication that anything has gone wrong.
As of September 16, several hundred users were infected with the Odlanor malware, according to security software firm ESET.
"We have seen this trojan masquerading as a number of benign installers for various general purpose programs, such as Daemon Tools or uTorrent. In other cases, the spyware is installed through various poker-related programs," said Robert Lipovsky, senior malware researcher at ESET.
Online gaming enthusiasts should be wary of trojanised versions of poker-related programs – poker player databases, poker calculators, and so on – such as Tournament Shark, Poker Calculator Pro, Smart Buddy, Poker Office, and others.
ESET has detected the malware in the wild since March 2015. In newer versions of the malware, general-purpose data-stealing functionality was added by running a version of NirSoft WebBrowserPassView, embedded in the Oldanor trojan. This tool, is capable of extracting passwords from various web browsers.
More details of the scam can be found in a blog post by ESET here.
Malware in the occasionally high-stakes world of online poker is a rare but far from unprecedented problem. For example, two years ago there was a case where a laptop was apparently stolen from a top-flight poker pro's hotel room and mysteriously returned while he played in a card tournament. It was later found to be infected by spyware. ®