Paddy Power's client installer is/contains malware, don't download it!

    • kavboj84
      Gold
      Joined: 16.06.2011 Posts: 2,003
      Hi,

      I wanted to install Paddy yesterday, went to the official website and downloaded the client, and I got an alert from my antivirus, so I uploaded it to VirusTotal, then it became really suspicious. (You can find the result here.)

      So I sent the file to Avira's labs for a thorough analysis and I just checked my e-mails: they confirmed that it is a trojan horse.

      Here is the entire mail:

      Dear Sir or Madam,

      Thank you for your email to Avira's virus lab.
      Tracking number: INC01790956.

      We received the following archive files:

      File ID Filename Size (Byte) Result
      28360639 quarantine.zip 834.18 KB OK
      A listing of files contained inside archives alongside their results can be found below:

      File ID Filename Size (Byte) Result
      28360640 51d9304f.vir 889.34 KB MALWARE

      Please find a detailed report concerning each individual sample below:

      Filename Result
      51d9304f.vir MALWARE

      The file '51d9304f.vir' has been determined to be 'MALWARE'. Our analysts named the threat TR/Agent.1842176.9. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.11.194.194.

      Alternatively you can see the analysis result here:
      https://analysis.avira.com/en/status?uniqueid=fNwZnIRdPf5GEUhLK5wFQmYpqAMCKqXw&incidentid=1790956

      An overview of all your submissions can be found here:
      https://analysis.avira.com/en/overview?uniqueid=fNwZnIRdPf5GEUhLK5wFQmYpqAMCKqXw


      Please note: If you have specific questions, please visit our website http://www.avira.com/en/support for further details.

      Kind regards
      Avira Virus Lab


      ---------------------------------------------
      Avira Operations GmbH & Co. KG
      Kaplaneiweg 1, 88069 Tettnang, Germany
      Phone: +49 (0) 7542-500 0
      Fax: +49 (0) 7542-500 3000
      Internet: http://www.avira.com

      CEO: Travis Witteveen
      Headquarter: Tettnang
      Commercial register: AG Ulm HRB 630992
      ---------------------------------------------

      I also reported this to paddy, they said they'd send a response, but I haven't received anything yet. I don't recommend downloading it until the case becomes resolved.
  • 8 replies
    • kavboj84
      Gold
      Joined: 16.06.2011 Posts: 2,003
      I tested the installers of other iPoker skins as well, and got some interesting results. Two of them (Winner and Netbet) seem to be trojans as well, almost surely; I sent these to Avira's lab and they confirmed it, while others like Everest, Gala, Mansion, Ladbrokes seem to be clean. (Still waiting for the results of Betfair and Coral.)

      If Avira does not err, then there are two options:

      1) The installers were infected with malicious code internally, this would mean that iPoker wants to do some spying activity on the end user side.

      2) The websites were hacked and the originally clean installer (or the download link) was replaced by someone else from outside.

      Since not every room seems to be involved and I guess that the core of the iPoker clients is common, I think that the second option is more likely. I guess this is the worst case because the purpose of this is obvious (to see hole cards).

      I'm still waiting for the response from Paddy; they told me they'd reply within 48 hours, that is over now, but still nothing yet from their side.
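Option 2 above (a clean installer silently swapped out on the download site) is exactly what a file-integrity check catches. The following is an added example, not code from this thread or from iPoker or any of the rooms named; it assumes the vendor publishes a SHA-256 and size for its installer (the published values here are hypothetical, derived from constructed sample files) and shows a second download being compared against the first, which is what a user who re-downloads after a day would want to do:

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large installers don't sit in memory


def sha256_file(path):
    """Return the hex SHA-256 of the file at `path`, streamed in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_installer(path, published_sha256, published_size=None):
    """Compare a downloaded installer against the values the vendor publishes.

    Returns (ok, reason). A size mismatch is reported before hashing, because
    a changed size alone already proves the file is not the published build.
    """
    actual_size = Path(path).stat().st_size
    if published_size is not None and actual_size != published_size:
        return False, f"size mismatch: got {actual_size} bytes, expected {published_size}"
    actual = sha256_file(path)
    if actual != published_sha256.lower():
        return False, f"hash mismatch: got {actual}, expected {published_sha256.lower()}"
    return True, "size and SHA-256 match the published values"


def downloads_identical(path_a, path_b):
    """True if two downloads of the 'same' installer are byte-for-byte identical.

    Fetching the file again later (or from a second machine) and comparing is a
    cheap way to notice that what a site serves has changed between visits.
    """
    return sha256_file(path_a) == sha256_file(path_b)


def demo():
    """Run the checks on constructed sample files (not real installers)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "client_setup.exe"
        tampered = Path(tmp) / "client_setup_again.exe"
        # Constructed stand-ins: a PE-like 'MZ' header followed by padding. The
        # tampered copy keeps the same size but differs in a single byte, so
        # only the hash (not the size) reveals the change.
        good.write_bytes(b"MZ" + b"\x00" * 1000)
        tampered.write_bytes(b"MZ" + b"\x00" * 999 + b"\x01")
        # Hypothetical: the hash/size the vendor would publish for the real build.
        published = sha256_file(good)
        size = good.stat().st_size
        return {
            "good": check_installer(good, published, size),
            "tampered": check_installer(tampered, published, size),
            "identical": downloads_identical(good, tampered),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The check only helps if the published hash comes over a channel the attacker of the download site cannot also edit (a signed release note, a second domain, or a code-signing signature on the binary itself); a hash posted on the same compromised page proves nothing. Differing file sizes between skins, as noted later in the thread, are not evidence either way on their own; the comparison has to be against the vendor's own published value for that specific build.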
    • metza
      Bronze
      Joined: 28.01.2012 Posts: 2,220
      I have Winner Poker installed on my PC, so this is alarming. Can't believe nobody has commented on this already.

      Hopefully it's just a case of something being wrongly identified by the virus scanner, e.g. the iPoker software has given itself access to see what programs you are using and this is being seen as a spying trojan...

      However, given their inability to even make auto top-up work and the client running through a web browser rather than its own separate program, I do not have a lot of faith in how secure iPoker is.
    • Lazza61
      Headadmin
      Joined: 23.03.2011 Posts: 9,216
      I actually switched from Avira to AVG when I first started installing poker rooms ~5 years ago because back then they had a reputation for false positives (had 3 or 4 in a row, which were proven to be false). This of course may not be relevant now.

      Legitimate software also uses trojan-like code to communicate with your operating system. Hopefully those files just contain the banner advertising code for the relevant iPoker skins, as they appear to be of differing sizes.

      Keep us updated

      Laz
    • kavboj84
      Gold
      Joined: 16.06.2011 Posts: 2,003
      "Hopefully it's just a case of something being wrongly identified by the virus scanner, e.g. the iPoker software has given itself access to see what programs you are using and this is being seen as a spying trojan..."
      But why are the other skins clean then? They should also have such (if not the same) routines, and other clients, for example PokerStars, also have bot detection and anti-cheating features and they still don't ring the alarm. Nay, I installed Netbet about 3 months ago, and it was/seemed to be clean at that time.
    • meandi289
      Gold
      Joined: 22.08.2009 Posts: 208
      Interesting news, I'll follow this topic so.
    • RaucheCh1987
      Bronze
      Joined: 23.09.2010 Posts: 784
      Srsly... the whole topic is a joke. The only thing it's proving is that a lot of people have no clue about IT and believe every single thing their computer tells them... I bet you also click on those "OMG you are visitor # 1.000.000 - click here to get your free iPhone" ads...

      Get a proper AV like Kaspersky or AVG and think twice before posting stuff like this... why on earth should there be something wrong (trojan, virus) in the executable of a huge poker room? Those guys make more than enough money from your rake -> no need for them to do stuff like this...
    • chipsilicon
      Basic
      Joined: 20.01.2015 Posts: 6
      You'll love this:

      On Betfair Poker ... I had the same issue.
      Installed and used it fine for a couple of days or so.
      Then had a weird network crash one evening (table shutdown, informing me that the poker network had crashed/was experiencing technical issues). I closed it down and left it.
      Next day noticed poker_table.dll was flagging as a virus/trojan. Latest edition of Bitdefender 2015; I also have Malwarebytes running. No other files. Just that one file. Deleted and reinstalled everything, fresh straight from Betfair's site.
      Same issue.
      File was picked up by 4 other major online virus scanners (inc Kaspersky) as well.
      Contacted customer support.

      Within the next few hours I could install it with zero problem.

      Customer Service dismissed it and closed the case. (Brushed it under the carpet.)

      No way it came from my end.

      This was 7th January.
    • RaucheCh1987
      Bronze
      Joined: 23.09.2010 Posts: 784
      Ever thought about the fact that your virus scanner just looks for patterns within files that are similar to viruses? So every piece of software that is not popular and obviously connects to an external server might get flagged by default...