Poker Trojan??

[sthief09]

last time I was in Vegas there was a high limit pro playing in my game for whatever reason. he said he'd been playing online poker for a while and was just losing losing losing. he said his friend checked out his computer and his cards were being send to somewhere or something. I don't think the guy was lying about any of this, because he handled himself and played like a good player, but I figured he wasn't used to the tougher, more aggressive games online and hit a rough run, and was just looking for excuses to explain why he wasn't winning.

so I wonder if he actually did have such a virus. but then again, if there was one, wouldn't we be the biggest targets? why haven't we heard any reports around here of such a thing?

[jman220]

[ QUOTE ]
if there was one, wouldn't we be the biggest targets?

[/ QUOTE ]

I think getting a virus like this would require some act of stupidity/ignorance. (Like downloading a third party "cheat" program)

[droolie]

If you think about it, it shouldn't matter what site you play on. If they can take a screenshot of your computer, they'll know your username and the site you play on. They could simply create an account at that site, get on the table you are at and take screenshots whenever they're in a hand with you. Pretty simple and it has nothing to do with security on any given poker site.

Stupid question I know but........

If you hid yourself from the search feature on say PP (without knowing whether or not you've got an infected computer) would the trepassing party then not be able to locate you on the poker site or is the offender getting that information anyway as soon as you are logged on and playing?

[Fishwhenican]

OK, Here is the latest update.
According to the guy who found this trojan (Computer Security Expert) it is something that could have been stopped by any up to date Anti-Virus application and/or any firewall. The PC that this was on had neither of those.

Not having Anti-Virus protection, at the least, and/or a firewall in place is just crazy in my humble opinion. But then again I am a computer geek. I do this for a living and really understand this stuff. There are way too many people out there who have PCs and broadband access that is on 24/7 who have no idea what it means to keep their computer at least a little bit secure.

You can bet that if this was happening to one person it is happening to way many more. I am sure that whoever wrote this trojan and is using it is not going to be satisfied with only picking on this one person.

Moral of the story is, make sure you have your PC patched, have antivirus software running and up to date and make sure you have some kind of firewall in place as well.

[TomCollins]

[ QUOTE ]
Stupid question I know but........

If you hid yourself from the search feature on say PP (without knowing whether or not you've got an infected computer) would the trepassing party then not be able to locate you on the poker site or is the offender getting that information anyway as soon as you are logged on and playing?

[/ QUOTE ]

Yeah, they wouldn't be able to see your table number on your screen or anything.

[ QUOTE ]
You can bet that if this was happening to one person it is happening to way many more. I am sure that whoever wrote this trojan and is using it is not going to be satisfied with only picking on this one person.

[/ QUOTE ]
If the "security expert" really cared he'd be looking at logs to find the perps. All it would seem to take is to reinstall the "trojan" and some logging software, then grab the incoming IPs.

So I still call shenanigans.

[Jeremy517]

Here is my semi-expert opinion. Background: Former software engineer for a security company, former software engineer for a backup/restore company.

The basic idea behind it is plausible, but the author (based mostly on his email to someone in a prior post) seems to be embellishing what he knows and what this does.

Any trojan that can take screenshots could theoretically be used to see people's cards. This includes Back Orifice, Netbus, SubSeven, Rbot, PopSpy, etc. There doesn't need to be anything poker-specific about it. The trojan doesn't need to know what poker is or whether a person plays poker or not. All that has to be done is to take a screenshot. The nefarious player will just tell the trojan to take a screenshot when involved in a hand with the victim. The aforementioned trojans can all do this out of the box.

I doubt there is a "custom" version of these developed specifically for poker. You don't need it, and unless the source code for the trojan is available (it isn't), only the virus writer could create this so-called custom virus. The trojans already allow the attacker to browse files and directories, so finding out which poker software someone has installed is easy once the victim is infected.

Spots where the author seems to be talking out of his... ahem... back orifice:

- Port 80 is not an IRC port, it is an WWW port. No IRC server is going to run on port 80.

- Disassemblers produce pretty unreadable code. Reading disassembly to see what it does seems highly unlikely. Stepping through a debugger would be far more likely.

- A virus that did this wouldn't be very processor intensive. There would be no reason for it to slow the computer down. The only thing that might slow down is his internet connection if he uses dialup rather than broadband. But that still wouldn't slow the actual computer down. Even if it did slow the computer down, it would only slow down while it was taking the screenshot. There would be absolutely no reason for the computer to remain slow for the rest of the hand.

- The paragraph "In the poker channel the users pay an e-cash service to get 'chips'. Winners increase their holdings and it debits the losing player's account (i.e. transfering money to the winner's holdings)." makes absolutely no sense, unless he's talking about IRC poker, which he hadn't been.

Sounds like some kind of legend, told once too often.

[ QUOTE ]
Here is my semi-expert opinion.

[/ QUOTE ]

Good post. I would also like to add the following. Anyone doing anything online is responsible for securing their own equipment, especially if it involves money.

IMHO, anyone playing online without a tightly locked down machine is playing with fire. You can't trust your ISP as they offer best effort service, nothing more and nothing less.

As a bare minimum, IMHO any online player should be using all of the following, either as a package or in separate apps:
- firewall
- anti-virus
- anti-spyware

In addition, you need to take appropriate steps to make sure your operating system and applications are as secure as possible. For example, if you are using a Windows-based machine, then you should download the Microsoft Baseline Security Analyzer. Just go to their website and search for MBSA (or use this link: http://www.microsoft.com/downloads/detai...isplayLang=en). Connect the dots to install the analyzer and it will tell you what you need to do.

The next thing is to verify that your machine is locked down. There is a free analyzer available at Gibson Research. Just do a web search for "Shields Up" and follow the links (or use this one: https://www.grc.com/x/ne.dll?bh0bkyd2). Then connect the dots to run a free port scan. If you get some red, then you have things to fix.

If you're more technically inclined or have the willingness to learn a little about how the internet works, then you can also install a packet sniffer (Ethereal offers a free one: http://www.ethereal.com/). With this you can literally monitor all of your incoming and outgoing traffic and search for anything unusual, like traffic going out to an unusual or unexpected location. (This gets into pretty sophisticated stuff and not for the technically faint of heart.)

As with anything, be sure to run a full back-up before installing any new software.

Nothing is foolproof. But if you aren't taking all the steps possible to secure your machine, then you may be at risk without knowing. Ignorance may be bliss, as they say. But when it comes to money, ignorance is foolishness.