Gambling Federation Malware

5 days ago my wife installed Pinklady Casino (GFED sister casino). The following night
I felt like playing some blackjack at www.theblackjacktable.com, but I just couldn't access their page.
I thought they were having downtime, so I called it for that night. The next day the same thing happened, so I contacted support;
they told me that their casino was running fine and that they were not doing maintenance of any kind to their site.

They advised me to clean up my cache, cookies and temporary files, which I did, and guess what....

I was having the same problem.

Next day I called them again and one of the supervisors said that the problem maybe was on the ISP end. Funny thing is that at my office we use the same ISP and theblackjacktable.com site works fine from work.

So I took my home computer and plugged it in at work - I still had problems accessing their site.

At this point I felt like throwing my home computer out the window, so I tried again with my friend's laptop and then with my computer at work;
we both had access to theblackjacktable.com.

The tech guy took my home PC to the IT department and this is what he found out:

-----------------------------------------------------------------------------------------------------------------


The installation process from G-FED Casinos modifies 7 files. One of these files is called "hosts", located in the following path:

C:\windows\system32\drivers\etc\hosts

GFED casino software has altered this file and added spyware to it.

Regularly a computer uses a hosts file to resolve DNS names when there is software
installed on the computer. This spyware denies access to other casino sites.

Before installing the GFED-PINKLADY casino the hosts file is about 2 Kbytes; after
software installation it almost doubled its size to 4.40 Kbytes.

Now you may think, what makes this file so big??

First of all, the original file is about 19 lines. GFED inserts 1175 blank lines and in the last line they add the following line:

255.255.255.255 www.theblackjacktable.com

----------------------------------------------------------------------------------------------------------------------------

Now I can play theblackjacktable.com, because the tech guy flushed my computer....
 
This would be a trojan, not spyware, but very nasty indeed, and it would justify rogueing the casino involved.
 
Bad bad bad

I'm an IT guy myself and for any software to modify that hosts file is a cause for concern. That's much more than spyware, that's "hacking". If Gambling Federation indeed did that, they owe an explanation.
 
Thank you for the advice, I finally found the problem I was getting in my computer around a month ago.

What really concerns me is, if they do not care about hacking their customers' computers, what can they do to their games???

Absolutely!! They have fixed games. I am blocking them now!!!
 
I'm a network administrator as well. If anyone can PM a copy of said malware, I can ask around to see if anything can be done against this kind of despicable violation of privacy from a legal standpoint.
 
This is unbelievable. I tried it and installed Pink Lady casino.
Indeed, after starting the casino for the first time it wrote the entry "www.royaldutchcasino" pointing to the IP 255.255.255.255 in my hosts file. This means you can't access this homepage anymore, as every time you enter the web address you'll be redirected to the wrong IP. This is the behaviour of annoying malware, and I believe every GFED casino will behave in that way because all GFED-affiliated casinos are downloaded from subdomains of GFED's main site. Boycott them!
 
I want to know the position of Interactive Gaming Gambling and Betting Association (iggba.org.uk), Interactive Gaming Council (www.igcouncil.org), Gambling Commission about this.
They have their seals of endorsement on all Gambling Federation sites, and this is unacceptable and goes against all their fairness principles.

Below is how the hosts file looks after they modify it:


# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


255.255.255.255 www.theblackjacktable.com




255.255.255.255 www.casinoxo.com





255.255.255.255 www.theblackjacktable.com
 
This stuff is dynamite that could introduce Gambling Federation to a world of you-know-what in several sectors, not least of which is inserting malware on players' computers and subverting other businesses.

G-Fed is also a member of the iGGBA who might be interested in hearing about this.

We're following up with G-FED to get their version of events, but this is going to be mighty hard to explain away.

I wonder how many other online casinos have been *blocked* in this manner
 
Spear is correct...from Casinomeister News quoting an IGC release earlier this year:

QUOTE Two new directors have been elected to the IGC Board: Flaviano Fogli and Alfred E. (Freddie) Ballester. Fogli is general manager of Azur Media, an Internet marketing firm in Saint Laurent, Quebec. He is also the chief executive and a founder of the Gambling Federation, which provides services to online casino operators. A native of Italy, he moved to Canada, where he now lives, to complete his MBA. UNQUOTE
 
This is some pretty serious shit. Is this pinkladycasino specific, or have others been detected as well? I'm just wondering if the download file has been tampered with, was it done at the casino site, or does this go further.

Also:
jmildstone said:
Now I can play theblackjacktable.com, because the tech guy flushed my computer....
Can any one of you IT guys give a step by step process to detect and remove these files or comments. I'm sure everyone will appreciate this. Not everyone has tech guys at their disposal :D
 
Well I just downloaded Pinkladycasino direct from Pinkladycasino.com with no affiliate tag involved, and guess what?

jmildstone said:
The installation process from G-FED Casinos modifies 7 files. One of these files is called "hosts", located in the following path:

C:\windows\system32\drivers\etc\hosts

GFED casino software has altered this file and added spyware to it.

Regularly a computer uses a hosts file to resolve DNS names when there is software
installed on the computer. This spyware denies access to other casino sites.

Before installing the GFED-PINKLADY casino the hosts file is about 2 Kbytes; after
software installation it almost doubled its size to 4.40 Kbytes.

Now you may think, what makes this file so big??

First of all, the original file is about 19 lines. GFED inserts 1175 blank lines and in the last line they add the following line:

255.255.255.255 www.theblackjacktable.com

...I can confirm this. The C:\windows\system32\drivers\etc\hosts file WAS modified - and theblackjacktable.com, www.casinoxo.com, and royaldutchcasino.com were all listed. I tried to access Royal Dutch Casino -- website not found error message. I went back to this "hosts" file and removed the royal dutch comments (there were two of them) and now I can access their page.

This is a low down nasty deed. For shame Gambling Federation.
 
The hosts file is at C:\windows\system32\drivers\etc\hosts on XP, you can just edit it with your favourite text editor. Make sure that you save it without any extension, notepad may save it as hosts.txt and you may have to rename it manually.

Several viruses use the hosts file trick to stop you from accessing anti-virus sites. There may be anti-virus or anti-spyware software that monitors the hosts file and alerts the user if something is trying to modify it. You can still access a site if you know its numeric IP address.

It would be worth submitting this to anti-virus companies. Being detected as a trojan would be very embarrassing for Pink Lady/G-FED.
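
A sketch of the detection and cleanup step asked about in this thread, added here as an example and not code from any poster: it parses hosts-file text, flags entries that point a non-local name at 255.255.255.255, 0.0.0.0 or loopback, and marks entries that sit behind a long run of blank lines. The sample file is constructed to mirror the listing above; the function names and the 10-line padding threshold are assumptions.

```python
import ipaddress
from collections import namedtuple

Finding = namedtuple("Finding", "line_no address names reason padded")

BROADCAST = ipaddress.ip_address("255.255.255.255")
LOCAL_NAMES = {"localhost"}   # names a stock hosts file maps to loopback
PADDING_THRESHOLD = 10        # assumed cut-off for a suspicious blank-line run

def parse_hosts(text):
    """Yield (line_no, address, names, blank_lines_before) per active entry."""
    blanks = 0
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            blanks += 1
            continue
        fields = raw.split("#", 1)[0].split()   # '#' starts a comment
        if len(fields) >= 2:
            yield line_no, fields[0], [n.lower() for n in fields[1:]], blanks
        blanks = 0  # comment lines and entries both end a blank run

def audit(text):
    """Return a Finding for each entry that overrides DNS for a non-local name."""
    findings = []
    for line_no, addr, names, blanks in parse_hosts(text):
        padded = blanks >= PADDING_THRESHOLD
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(Finding(line_no, addr, tuple(names), "malformed", padded))
            continue
        if ip.is_loopback:
            # "127.0.0.1 localhost" and "::1 localhost" are expected entries.
            names = [n for n in names if n not in LOCAL_NAMES]
            if not names:
                continue
        dead = ip == BROADCAST or ip.is_unspecified or ip.is_loopback
        reason = "blocked" if dead else "redirected"
        findings.append(Finding(line_no, addr, tuple(names), reason, padded))
    return findings

def clean(text, confirmed):
    """Remove the names in the confirmed findings and collapse blank-line runs."""
    drop = {f.line_no: set(f.names) for f in confirmed}
    entries = {ln: (addr, names) for ln, addr, names, _ in parse_hosts(text)}
    out = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if line_no in drop:
            addr, names = entries[line_no]
            kept = [n for n in names if n not in drop[line_no]]
            if not kept:
                continue                      # nothing legitimate left on the line
            raw = addr + " " + " ".join(kept)
        if not raw.strip() and out and not out[-1].strip():
            continue                          # keep at most one blank line in a row
        out.append(raw)
    return "\n".join(out).rstrip("\n") + "\n"

# Constructed sample that mirrors the modified file shown in this thread.
SAMPLE = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "# 102.54.94.97 rhino.acme.com # source server\n"
    "\n"
    "127.0.0.1 localhost\n"
    + "\n" * 40 +
    "255.255.255.255 www.theblackjacktable.com\n"
    + "\n" * 4 +
    "255.255.255.255 www.casinoxo.com\n"
)

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
    print(clean(SAMPLE, audit(SAMPLE)), end="")
```

Entries reported as "blocked" can also come from a blocklist the user installed on purpose, so `clean` only removes the findings passed to it after review.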
 
GrandMaster said:
The hosts file is at C:\windows\system32\drivers\etc\hosts on XP, you can just edit it with your favourite text editor. Make sure that you save it without any extension, notepad may save it as hosts.txt and you may have to rename it manually.

Thanks Grandmaster - I've got a handle on this.

By the way, I've just downloaded Goldenballs - same friggin' thing. This is unbelievable.
 
This is starting to look as if it is endemic to GF software and not confined to just one of their sites.

I wonder how the three blocked casinos were selected by whoever is responsible for this? Royal Dutch is DDS software, I'm not sure about theblackjacktable and casinoxo.

I think GF is based in Canada, which explains (timezone difference) why they are not responding yet.
 
jetset said:
This is starting to look as if it is endemic to GF software and not confined to just one of their sites.

I wonder how the three blocked casinos were selected by whoever is responsible for this? Royal Dutch is DDS software, I'm not sure about theblackjacktable and casinoxo.

I think GF is based in Canada, which explains (timezone difference) why they are not responding yet.
IGC is already looking into this.

theblackjacktable belongs to [link unavailable], which is some no-name brand software (I believe) coming out of Costa Rica.

casinoxo is merely a directory sitting on a porno/casino server ULTSEARCH.COM. And we know about Royal Dutch already.

Apparently these three sites pissed off someone at GF (that's my guess). Good thing I didn't piss anyone off there, they could have added Casinomeister.com to their list and anyone who would have downloaded GF software would have been blocked out of here.
 
List of Gambling Federation Casinos

Please note, this list is not exhaustive; I'm sure I missed some. If you have ever downloaded this software, please check your "host" file for modifications:

 
I'm through to the Montreal headquarters of GF.

They're now aware of the issue and are investigating before responding, hopefully later today....
 
Hi Brian,

We are in EST -5 Time zone, so I just got your 3 posts. We are currently looking into the situation and we'll get back to you today.

We recognize the seriousness of these allegations so please rest assured that we will respond shortly.

Thank you
Talia *
 
Kitty_23 said:
Hi Brian,

We are in EST -5 Time zone, so I just got your 3 posts. We are currently looking into the situation and we'll get back to you today.

We recognize the seriousness of these allegations so please rest assured that we will respond shortly.

Thank you
Talia *
Hi Talia,

Thanks! But please bear in mind that these are not allegations but actual findings. You can download the software and check it yourself. In fact, I'm probably driving a lot of traffic to your sites by people just wanting to see for themselves :D
 
Casino Meister and fellow posters,

First off, please allow us to extend our apologies for this major issue. We owe all of you an explanation regarding this.

A few months ago, we received several spam complaints from our players being sent by the domains you found in your host file. At first we tried to calm our players down, stating that we had nothing to do with these properties and were not responsible for their actions. However, the issue repeated itself several times within a short time span, causing us a mass influx of complaints.

We decided, albeit foolishly, to resolve this issue by blocking the domains which cause our players grief through the software. We did not intend to ever block anyone else, nor impair revenues for affiliates. We now realize that this was not the right way to go about this problem. We will be issuing a fix for this very shortly and we will correct this problem within 24 hours.

We sincerely apologize,
Talia
Gambling Federation PR Manager
 
Kitty_23 said:
Casino Meister and fellow posters,

First off, please allow us to extend our apologies for this major issue. We owe all of you an explanation regarding this.

A few months ago, we received several spam complaints from our players being sent by the domains you found in your host file. At first we tried to calm our players down, stating that we had nothing to do with these properties and were not responsible for their actions. However, the issue repeated itself several times within a short time span, causing us a mass influx of complaints.

We decided, albeit foolishly, to resolve this issue by blocking the domains which cause our players grief through the software. We did not intend to ever block anyone else, nor impair revenues for affiliates. We now realize that this was not the right way to go about this problem. We will be issuing a fix for this very shortly and we will correct this problem within 24 hours.

We sincerely apologize,
Talia
Gambling Federation PR Manager

I'm confused...

Were you referring to email spam? How does blocking the domain URL stop an affiliate sending spam through email?
 
By associating the domain to a non-existent IP, the spam cannot load in the person's computer. So this protects the person from being subjected to the spam coming from those domain names.

Again, we deeply apologize.
This was not the appropriate way to address this cause.

Talia
Gambling Federation PR Manager
 
Blocking spam is one thing, invasion of privacy is another.

Now you are saying that GFED acts more like [link unavailable] than acting like a casino operator?

Keeping this to yourselves demonstrates that you hide stuff from players and from affiliates too.

:lolup:
 
Kitty_23 said:
...A few months ago, we received several spam complaints from our players being sent by the domains you found in your host file. At first we tried to calm our players down, stating that we had nothing to do with these properties and were not responsible for their actions. However, the issue repeated itself several times within a short time span, causing us a mass influx of complaints.
Why would someone complain to a GF casino about spam coming from Royal Dutch Casino (Dutch you reading this?). Mass influx of complaints? No one complained here or at WOL - two of the most favorite sites for complainers.

This doesn't add up.

And to include malware in the download to address this issue is unprecedented. I am really quite shocked.
 
Again, we apologize for this; we didn't intend to act like spam cops.
We were only trying to prevent harassment to our players after trying every other method.

Obviously this was a misguided decision on our part and we will fix this very shortly.

Talia
Gambling Federation PR Manager
 
Good to know

From now on when I get spam I'll complain to Gambling Federation like all those other customers of theirs. :lolup: Blocking those websites does NOTHING to stop affiliate spam, or any email for that matter! It only prevents the user's computer from visiting that website! They know that too.
 
I'm speechless Brian...


As if we have zero tolerance towards spam, if an affiliate spams, the affiliate relationship will be terminated, referrals will be wiped clean from our system, and the affiliate in question will be forever banned from Royal Dutch Casino.

If a person that plays at your company has been spammed by one of our affiliates, please report it to [email protected] or contact [link unavailable] and immediate action will be taken. Please include the spam email, PASTE FULL SPAM HEADERS AND BODY OF E-MAIL

IMO I think this is the proper way to address the problem. Not by creating malware, creative but very unethical.
 
Again the GF rep didn't address my question on affiliate spam, i.e. spam that does not originate from the casino's domain. All your app seems to do is to block the user from accessing the site, and nothing on stopping the source where the bulk of spam is usually from, the affiliates.
 
Wrong

Kitty_23 said:
By associating the domain to a non-existent IP, the spam cannot load in the person's computer. So this protects the person from being subjected to the spam coming from those domain names.
WRONG WRONG WRONG. It does nothing to prevent spam in any way whatsoever.
 
How the hell can G-fed not be rogued after all they've done?

They blatantly cheated at BJ and VP (several people had the same kind of results as Caruso at that time including myself, if any more proof was required - which clearly is not considering the statistical improbability of Caruso's results)

They've now been installing this sort of crap on customers' computers without their knowledge :eek2:

AND then to round it all off they come up with some bullsh*t excuse about doing it to stop these sites from spamming their customers - which it DOESN'T EVEN DO :lolup:

Call me cynical, but if these events don't add up to roguedom then nobody should be in the section at all. The cheating alone should have been reason enough, but now this as well.
 
Can any one of you IT guys give a step by step process to detect and remove these files or comments. I'm sure everyone will appreciate this. Not everyone has tech guys at their disposal :D

I'd be interested to see a process to remove these files, as well. I downloaded some G-Fed a few months back, though I never had the problem of not being able to access any casino site I wanted.

I'd still like to doublecheck my home computer and fix the problem if it exists there.
 
Safe Easy To Use Patch

Our team of programmers developed the following patch - IS SAFE TO USE -
this will fix the problem on your systems, use the following links:

[link unavailable] ----- For Windows 2000

[link unavailable] ---- For Windows XP

Please click on the link according to the Operating System of your
computer

and then open the zip file, save the files inside the ZIP, and execute the
file by double-clicking on the file FIX_RYL2.exe
 
Rogue's Gallery

Dirk Diggler said:
How can the hell can G-fed not be rogued after all they've done?

They have admitted to these actions and in my opinion they are unforgivable. If that doesn't qualify as unethical business practices.....I don't know what does. Royal Dutch and The Blackjack Table should be very Pi**ed-off too.
I agree they belong in the Rogue's gallery.

Kudos to you jmildstone for bringing this to the public's attention too !
 
Your first mistake was:
Kitty_23 said:
Hi Brian,

(It's Bryan)

I just checked this, and what Kitty_23 said is total BS.
As far as I know about these things.

However, my Host-file was clean.

I use these programs regularly:

1. Spybot S&D

Check this:
Spybot S&D > Tools > Hosts File > Add Spybot-S&D Hosts List

And be sure, that you have latest version:
Spybot S&D > Info & License> 1.4 2

2. Total Uninstall 2.34*

When I install/uninstall any program.

Description:

" Total Uninstall - track and undo system changes

Total Uninstall can help you to monitor any changes that were made to your system during installation of a new software product and allow you to perform a complete uninstall without having to rely on the supplied uninstall program (which may leave files or changes behind). To use it, you simply launch the installation program from the Total Uninstall interface and select the system areas to be monitored. The program will then create a snapshot of your system before it installs the new software and an additional snapshot after install completes. It then compares the two snapshots and displays all changes in a nice, graphical tree view, marking all values and/or files that have been added or changed as well as some before/after details. Total Uninstall will save these changes and if you decide to uninstall the application, it will reverse all changes to the previous state"

*with my own settings + I check my registry regularly. I already know that, for example, GF and Playtech leave some tracking registry keys behind, sometimes even when you clean the program with Total Uninstall (depends on settings). Also sometimes you have to remove folders manually, if you use Total Uninstall

BE CAREFUL WITH THIS PROGRAM!
 
Dutch said:
Please click on the link according to the Operating System of your
computer

and then open the zip file, save the files inside the ZIP, and execute the
file by double-clicking on the file FIX_RYL2.exe

Running an executable file provided courtesy of Royal Dutch casino :eek: Only for the gamblers out there...
 
Macgyver said:
I'd be interested to see a process to remove these files, as well. I downloaded some G-Fed a few months back, though I never had the problem of not being able to access any casino site I wanted.

I'd still like to doublecheck my home computer and fix the problem if it exists there.

You can open up the hosts file using a text editor like Notepad/WordPad, and just go through it yourself deleting any unwanted entries.

A faster and more efficient way is to download a clean hosts file from a trusted source and use it to replace the one you currently have on your workstation.

Here's one that also offers additional protection: [link unavailable]

Also included there is a tool that allows you to lock the hosts file from unwanted modifications.
 
Well, I posted about Gambling Federation. People didn't listen, carried on downloading and playing and now they're having their computers screwed with. LOL. You think cheats only cheat with software?

Like I always say: why bother to post anything? People never listen, carry on playing...then post complaints. LOL.

Hopeless.
 
I downloaded VideoPokerClassic last summer (August... maybe September). Just checked the file and casinoxo and theblackjacktable were there. GFed could have suggested this solution to their clients instead of installing it themselves. Here's a link on how to block unwanted parasites with a hosts file (Windows XP and ME): [link unavailable]


Thanks to everyone here, especially jmildstone, for pointing it out, and also to GrandMaster for providing the solution.

Max
 