RBCalc Revisited: Keeping the Trojan Horse From Your Door

by Lou on May 19, 2006

In the short period of time between last night’s discussion on my radio show, Keep Flopping Aces on www.holdemradio.com, where we discussed a story about RBCalc.exe, new developments have come to light. RBCalc.exe, a rakeback calculator, was actually malware used to steal players’ login details at Partypoker, Empirepoker, Eurobetpoker and Pokernow, we’ve found out some more information about this issue.

Trojan.Checkraise, as this has come to be known, is now neutralized by Symantic as well as by F-Secure, the Finnish firm that uncovered this with their Blacklight rootkit detection technology. Trojan.Checkraise, is a Trojan horse that steals passwords for popular online poker Web sites. It also opens a back door on the compromised computer, logs keystrokes, and sends confidential information to a remote attacker.

Here is some data from Symantic’s web site.

Trojan Horse
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Virus Definitions (LiveUpdate™ Plus)
May 16, 2006
Virus Definitions (LiveUpdate™ Daily)
May 16, 2006
Virus Definitions (LiveUpdate™ Weekly)
May 17, 2006
Virus Definitions (Intelligent Updater)
May 16, 2006

Number of infections: 0 – 49
Number of sites: 0 – 2
Geographical distribution: Low
Threat containment: Easy
Removal: Moderate

It seems like this was caught and neutralized in time to prevent wholesale issues with player accounts and security at the affected sites, and in a sense, other than those hurt by this scam, we all got off lucky.

There’s also a lesson to learn here: While the big poker operators such as PartyGaming, PokerStars, Prima, UB, and the like are quite careful about their own development efforts, you can’t be sure about the due diligence exercised by the little guys providing after-market devices such as rake back calculators.

Use them at your own risk. The risk might far outweigh the reward.

Comments on this entry are closed.

Previous post:

Next post: