Online poker players are
being targeted by a computer virus that spies on their virtual cards.
The software shares the cards with the
virus's creators who then join the same game and try to fleece the victim. The
sneaky malware has been found lurking in software designed to help poker fans
play better, said the security firm that found it, ESET. The software also
targets other useful information on a victim's computer such as login names and
The malware targets players of the PokerStars and Full Tilt
Poker sites, said Robert Lipovsky, a security researcher at ESET. The malware,
Win32/Spy.Odlanor, is used by its operator to cheat in
online poker by peeking at the cards of an infected opponent.
Once it infects a machine, the software monitors the PC's activity and springs to life
when a victim has logged in to either one of the two poker sites. It then
starts taking screenshots of their activity and the cards they are dealt.
Screenshots are then sent to the attacker.
The attacker seems to operate in a simple manner: After the victim
has successfully been infected with the trojan, the perpetrator will attempt to
join the table where the victim is playing, thereby having an unfair advantage
by being able to see the cards in their hand.
Like a typical computer
trojan, users usually get infected with Win32/Spy.Odlanor unknowingly when
downloading some other, useful application from sources other than the
official websites of the software authors. This malware masquerades as benign
installers for various general-purpose programs, such as Daemon Tools or
µTorrent. In other cases, it was loaded onto the victim's system through
various poker-related programs (poker player databases, poker
calculators, and so on) such as Tournament Shark, Poker Calculator Pro,
Smart Buddy, Poker Office, and others.
Once executed, the Odlanor
malware will be used to create screenshots of the window of the two targeted
poker clients, PokerStars or Full Tilt Poker, if the victim is running
either of them. The screenshots are then sent to the attacker's remote
Afterwards, the screenshots can be retrieved by the cheating
attacker. They reveal not only the hands of the infected opponent but also the
player ID. Both of the targeted poker sites allow searching for players by
their player IDs, hence the attacker can easily connect to the tables on which
One operator, PartyPoker, has recently stopped
allowing players to choose a table to play at, in an attempt to limit the ability
of players to collude or use malware like this. Instead, players put themselves
in a queue for a seat and are then placed at the next available spot.
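
The behaviour chain described above (a poker client is running, another process captures its window, and that process then sends data out) can be expressed as a correlation rule over endpoint telemetry. The following is an added example, not code from ESET or from the original article; the event schema, the process names and the sample events are constructed assumptions.

```python
from collections import defaultdict

# Hypothetical process names for the two targeted clients; adjust to your fleet.
POKER_CLIENTS = {"pokerstars.exe", "fulltiltpoker.exe"}
WINDOW = 60  # seconds allowed between a capture and the following upload

# Constructed endpoint telemetry: (epoch seconds, host, process, event, detail).
SAMPLE_EVENTS = [
    (1000, "pc-1", "pokerstars.exe", "process_start", ""),
    (1010, "pc-1", "setup_helper.exe", "screen_capture", "pokerstars.exe"),
    (1025, "pc-1", "setup_helper.exe", "net_connect", "203.0.113.10:80"),
    (1100, "pc-1", "pokerstars.exe", "process_exit", ""),
    (1200, "pc-1", "setup_helper.exe", "screen_capture", "explorer.exe"),  # client closed
    (2000, "pc-2", "fulltiltpoker.exe", "process_start", ""),
    (2010, "pc-2", "snip.exe", "screen_capture", "fulltiltpoker.exe"),  # no upload follows
    (2020, "pc-2", "fulltiltpoker.exe", "net_connect", "198.51.100.5:443"),
]

def find_card_capture(events, window=WINDOW):
    """Return alerts for: poker client running -> another process captures its
    window -> that same process opens an outbound connection within `window` s."""
    running = defaultdict(set)   # host -> poker clients currently running
    pending = {}                 # (host, process) -> time of last suspicious capture
    alerts = []
    for ts, host, proc, event, detail in sorted(events):
        proc, detail = proc.lower(), detail.lower()
        if proc in POKER_CLIENTS:
            if event == "process_start":
                running[host].add(proc)
            elif event == "process_exit":
                running[host].discard(proc)
            continue  # the client's own activity is never the signal
        if event == "screen_capture" and detail in running[host]:
            pending[(host, proc)] = ts
        elif event == "net_connect" and (host, proc) in pending:
            captured_at = pending.pop((host, proc))
            if ts - captured_at <= window:
                alerts.append({"host": host, "process": proc,
                               "captured_at": captured_at, "remote": detail})
    return alerts

if __name__ == "__main__":
    for alert in find_card_capture(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample only `setup_helper.exe` on `pc-1` is flagged: the capture taken after the client exited and the capture with no upload behind it are both ignored.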