The Trojan, detected as Win32/Spy.Odlanor, is typically downloaded by victims themselves because it is disguised as installers for, or bundled with, poker-related resources such as poker databases and poker calculators, according to the ESET WeLiveSecurity blog.
“In other cases, it was loaded onto the victim’s system through various poker-related programs … such as Tournament Shark, Poker Calculator Pro, Smart Buddy, Poker Office, and others,” the blog says.
Once installed, it takes screenshots of the PokerStars and Full Tilt Poker clients while the victim is playing, letting the attackers see the cards the victim holds. To exploit that, the cheaters first have to find and join the table at which the infected machine is playing.
To do that, the attacker reads the victim’s user ID for the poker site off a screenshot, which is enough to locate the right table, the blog says. “We are unsure whether the perpetrator plays the games manually or in some automated way,” it says. Either way, seeing the victim’s hole cards does not guarantee a win; it only lets the cheater fold, call or raise with far better information than an honest opponent has.
The Trojan’s authors have upgraded it over time, adding general-purpose data theft by bundling a version of NirSoft WebBrowserPassView, a legitimate password-recovery utility that extracts credentials saved in web browsers. Because the tool itself is not malicious, such dual-use components are often only flagged by security products as potentially unwanted or hacktool software rather than as malware.
Most of the victims observed so far are in Eastern Europe, ESET says.