New malware program Spy.Odlanor

New malware program Spy.Odlanor
4.8 (96%) 80 votes

Recently, analysts have discovered another malicious program – Win32 / Spy.Odlanor, which also focused on poker players. This time it comes to customer Web sites poker PokerStars and Full Tilt Poker.

To attack the situation is quite simple: after the victim successfully infected Trojan cybercriminals have access to information about its gaming cards, so it will have a distinct advantage in the game. Below we describe in more detail how this scheme works.

As with other Trojans, a user can get this malicious program trying to load a particular useful for a software from unreliable sources. Attackers disguise Win32 / Spy.Odlanor legitimate software installers for general purpose, for example, Daemon Tools or Torrent. Odlanor can be masked and under special poker programs such as Tournament Shark, Poker Calculator Pro, Smart Buddy, Poker Office.

After his execution, Win32 / Spy.Odlanor will try to take a screenshot of the screen in the event that the user runs the PokerStars client and Full Tilt Poker. Screenshots are then sent to a remote server the attacker.

These screenshots taken by hackers, in the future, may be obtained from attacks by compromising their data. These also include the identity of the player. Both of the above-mentioned site for poker players contains a search function on their IDs, so an attacker can simply enough to connect him to the necessary gaming tables.

We cannot say for sure whether the attacker plays the game manually or used for this purpose any other automated way.

In newer versions of malicious programs, the possibility of data, theft of user passwords has been added to the body of the Trojan Oldanor by integrating into it the one of the versions of the tool NirSoft WebBrowserPassView. This tool is undesirable software and antivirus products detected as Win32 / PSWTool.WebBrowserPassView.B. He specializes in extracting passwords from a web browser.

Trojan Win32 / Spy. Odlanor interacts with its C & C-server via a simple HTTP-protocol. The address is hard-coded in the body of the malicious program. Part of the data identifying the victim, such as the version of the malware and computer information are sent as a URL parameter. The remainder of the collected information, including the archive with screenshots or stolen passwords are sent in the body of the request POST HTTP-protocol.

Below are two screenshots of malware code in IDA Pro, which is responsible for the search application windows with titles of games PokerStars and Full Tilt Poker.


Below are some samples SHA1 IDs malware:

  • 18d9c30294ae989eb8933aeaa160570bd7309afc
  • 510acecee856abc3e1804f63743ce4a9de4f632e
  • dfa64f053bbf549908b32f1f0e3cf693678c5f5a