Odlanor Malware Raises Some Concern at PokerStars and Full Tilt
A new form of malware called Odlanor could become online poker's newest nightmare, as online security experts at ESET revealed that the program allows cybercriminals to see the cards of the players at PokerStars and Full Tilt.
"Every once in a while, we stumble upon something that stands out, something that doesn't fall into the 'common' malware categories that we encounter every day," IT Security and Cybercrime Analyst at ESET Ireland Urban Schrott stated on Thursday. "Today, we are bringing you one of those uncommon threats — a trojan devised to target players of online poker."
Detected for the first time on April 19, 2015, Win32/Spy.Odlanor is said to specifically target players at PokerStars and Full Tilt and to allow its operators to receive screenshots of the poker action as it happens on the infected machines.
"PokerStars and Full Tilt are aware that some players' computers have been targeted by malicious software," a PokerStars and Full Tilt representative told PokerNews on Friday. However, "an initial review of gameplay for those accounts where we believe this malware was present found no evidence that these players have lost funds due to unfair play."
"In line with our constant goal for utmost security, we recommend that players protect themselves against this sort of attack by practicing good computer security. Players should keep their operating system updated, use reliable anti-virus software, and only install software from reputable sources."
How Does Odlanor Work?
As explained by ESET, Odlanor is a fairly simple form of malware.
"Like a typical computer trojan, users usually get infected with Win32/Spy.Odlanor unknowingly when downloading some other, useful application from sources different than the official websites of the software authors," ESET said. "This malware masquerades as benign installers for various general purpose programs, such as Daemon Tools or mTorrent."
The ESET blog also mentions poker-related programs "such as Tournament Shark, Poker Calculator Pro, Smart Buddy, and Poker Office" among those that could potentially install Odlanor on a player's machine.
Once installed, the malware starts taking screenshots of the poker clients and sends them to the program's operator. What makes this malware particularly dangerous for poker players is that the screenshots show the attackers both the victim's hole cards and the victim's player ID, which lets the cybercriminals use PokerStars' and Full Tilt's player search feature to find the infected players and sit down against them.
According to ESET, Odlanor can perform a number of actions including:
- Download files from a remote computer and/or the Internet
- Run executable files
- Capture screenshots
- Update itself to a newer version
- Uninstall itself
- Send gathered information
With statistics at hand, ESET observed that "the largest number of detections comes from Eastern European countries," Schrott explained. "Nevertheless, the trojan poses a potential threat to any player of online poker."
As illustrated in the pie chart below, the vast majority of the infected machines were found in Russia (36 percent) and Ukraine (35 percent), followed by Kazakhstan (11 percent) and Belarus (10 percent). According to Schrott, however, victims of the Odlanor malware were also found in the Czech Republic, Poland, and Hungary.
How to Check Your Computer for Odlanor (And Remove It)
"We first detected Odlanor on April 19," a representative from ESET told PokerNews on Friday. "Then, sometime later, we noticed that some computers had been infected by a different variant of the same program (Win32/Spy.Odlanor.A) — so we can say that there are two versions of Odlanor out there. The good news is that we can detect and remove both of them.
"From a technical point of view, we recommend that people check their computers and find out whether they have Odlanor installed or not. We have a free online scanner that anyone can use and that not only detects the malware but also removes it."
Here's how to check your computer for Odlanor:
- Open ESET's Online Scanner
- Click on 'Run ESET Online Scanner'
- Download the ESET Smart Installer
- Follow the instructions on the screen
"If you find your machine is infected, we recommend that you change every password that you have stored on your computer," the representative from ESET continued.
Although PokerStars and Full Tilt do not store your passwords locally, the online security company said it has reason to believe that "the malware's newest variant can do more than send screenshots of a poker client. That's why we really invite everyone to change all their passwords as soon as they discover that their machine has been infected by Odlanor."
The whole procedure, however, applies only to Windows users, as ESET explained that Odlanor is not a threat to Mac OS and Linux users. "Odlanor is a Windows-only form of malware. It infects only machines running on Windows, which means Mac OS and Linux users are not at risk in this case."
Odlanor is currently also detected by Avast and Avira.
Russia and Kazakhstan Again Under the Spotlight
The Odlanor case is not the first one to cast shadows over the activities of a number of players from Russia and Kazakhstan, as earlier this year PokerStars had to start a formal investigation after serious cheating allegations.
Back in June, the poker room admitted that there might have been irregularities at their mid-stakes pot-limit Omaha games, as it is believed that some players — primarily from Russia and Kazakhstan — might have used artificial intelligence to win almost $1.5 million at the $0.50/$1 and $1/$2 pot-limit Omaha tables.
The issue surfaced in March, when TwoPlusTwo poker forum posters "Grethe" and "Oink" shared their concerns about the action at the pot-limit Omaha tables. It became a serious concern for the poker room when TwoPlusTwo member "Schwein" applied the "Squared Euclidean distance" method to compare the statistics of a handful of legitimate players with those of the players suspected of using artificial intelligence.
As you can see from the chart below, Schwein's analysis indicated that although players usually have a difference value of anywhere between 600 and 1,200, the ones suspected of using artificial intelligence differed from one another by only a few dozen points.
For the time being it is not possible to prove a connection between the issues highlighted by Grethe, Oink, and Schwein and the use of malware programs like Odlanor. By ESET's own admission, however, it can't be ruled out that the malware operators processed the information gathered through the trojan with some form of artificial intelligence, with Schrott saying that "we are unsure whether the perpetrator plays the game manually or in some automated way."
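As an added illustration of the comparison method described above (this is example code, not Schwein's analysis or anything from the article), the script below computes squared Euclidean distances between player statistic profiles and flags groups of accounts whose profiles are near-identical. The stat categories, the player values and the 50-point flag threshold are constructed assumptions; the 600 to 1,200 range comes from the article.

```python
from itertools import combinations

# Constructed sample profiles. Assumed stat columns (all percentages):
# VPIP, PFR, 3-bet, continuation-bet, went-to-showdown.
PLAYER_STATS = {
    "legit_1": (25, 18, 7, 60, 28),
    "legit_2": (40, 30, 10, 75, 35),
    "legit_3": (48, 12, 3, 45, 40),
    "suspect_1": (31, 24, 9, 68, 30),
    "suspect_2": (33, 25, 8, 66, 31),
    "suspect_3": (30, 22, 9, 70, 29),
}

TYPICAL_RANGE = (600, 1200)  # distance range the article reports for ordinary players
FLAG_THRESHOLD = 50          # assumed cut-off for "a few dozen points"


def squared_euclidean(a, b):
    """Sum of squared per-stat differences between two profiles of equal length."""
    if len(a) != len(b):
        raise ValueError("profiles must have the same number of stats")
    return sum((x - y) ** 2 for x, y in zip(a, b))


def pairwise_distances(stats):
    """Distance for every unordered pair of players, keyed by (name_a, name_b)."""
    return {(p, q): squared_euclidean(stats[p], stats[q])
            for p, q in combinations(sorted(stats), 2)}


def flag_near_identical(stats, threshold=FLAG_THRESHOLD):
    """Pairs whose distance falls under the threshold, as (name_a, name_b, distance)."""
    return sorted((p, q, d) for (p, q), d in pairwise_distances(stats).items()
                  if d < threshold)


def cluster_suspects(stats, threshold=FLAG_THRESHOLD):
    """Group flagged pairs into clusters (connected components) of near-identical profiles."""
    neighbours = {name: set() for name in stats}
    for p, q, _ in flag_near_identical(stats, threshold):
        neighbours[p].add(q)
        neighbours[q].add(p)
    seen, clusters = set(), []
    for start in sorted(stats):
        if start in seen or not neighbours[start]:
            continue
        stack, members = [start], set()
        while stack:  # depth-first walk over the flagged-pair graph
            node = stack.pop()
            if node not in members:
                members.add(node)
                stack.extend(neighbours[node] - members)
        seen |= members
        clusters.append(sorted(members))
    return clusters
```

Running `cluster_suspects(PLAYER_STATS)` groups the three suspect profiles together, while every pair involving a legitimate profile stays well above the threshold.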