Betfred website potential malware in installer link?

12-27-2018, 02:23 AM
Hi,

I tried to resolve this with Betfred support via the live chat thingy, and they didn't seem bothered and insinuated it was a false positive with my anti-virus software, without taking any details from me about the circumstances and additional steps I've taken to verify that something suspicious is going on and that it's not just an over-zealous anti-virus alert.

There's quite a lot of backstory about a previous PC crash I had, the subsequent rebuild, and a suspicion I had as a result of all this trouble.

To cut a long story short, I'd just wiped my Windows 10 PC back down to ground zero as a just-in-case measure, and what I'd found on Betfred was a result of reinstalling various apps I've used, but with a more paranoid approach of scanning each installer thoroughly with heuristics.

As an added measure I also installed a program called Hash Tool; this allows me to create a SHA-256 hash of any file as a unique fingerprint.

So after installing the latest version of Malwarebytes, Hash Tool, my usual office apps, etc., everything is going well. I'm scanning each installer before I click it, checking signatures, rebooting and testing each app, and everything is going well.

Then I decide it's time to install Betfred again. I go to the official Betfred website, click Poker, and note the various promotions for new players. Specifically a "£10 for new players!" iframe which links to the SetupPoker.exe file.

I click it and download the exe.

Before I check it, I close the Chrome window. Being lazy, rather than opening my downloads folder I just open the website again, and this time I download the poker client from the Quick Links > Download link.

So now in my downloads folder I should have 2 copies of the same file, one named SetupPoker.exe and one named SetupPoker(1).exe, where Chrome has renamed the file because it's got the same name.

Here is where it gets spooky, and where by a stroke of luck I notice some weird stuff.

I scanned both, one came up clean, and the other infected!

The file sizes are identical.

The signatures have the same date and time.

The SHA-256 hash? Completely different!

I try again, this time deleting the original files and downloading them individually to make sure it's not the renaming of the file causing a different SHA-256 hash. It's not; one is clearly dodgy!

I immediately contacted Betfred support via Live Chat and they were uninterested... and declined to take any details of my findings saying it was a false positive blah blah blah boilerplate etc.

I did some further testing and started getting mixed results. If I right-click the bad link (it's a green button that says Free Download), copy the URL and paste it into the address bar, the SetupPoker.exe executable I get is the clean one; if I click on the same green Free Download button (JavaScript?) it appears to go to the same URL, but the SetupPoker.exe executable has a different SHA-256 hash and is detected by Malwarebytes as suspicious.
-----------------------------
DETAILS OF GOOD FILE

To get it:
Open https://www.betfred.com

Click on poker from the navigation bar at the top.

There is a little box about halfway down that says "£10 for new players!" if you click the green download button you will download the following file that is clean as far as I can tell.

Name: SetupPoker.exe
Size: 1,099,272 bytes
SHA-256 hash: c5105eca9cdadd75f058ea6b8a72dc27896b6352f6ecda18257d1feda80899c0
--------------------------
DETAILS OF BAD FILE

To get it:
Open https://www.betfred.com

Click on poker from the navigation bar at the top.

Ignore the £10 promotion box, and instead scroll down to Quick Links.
Click download.

Click the green button that says "Free Download" and you will get the following file, which looks identical right down to the Playtech sigs, except this one has a different SHA-256 hash and gets detected as suspicious/malware by Malwarebytes.

Name: SetupPoker.exe
Size: 1,099,272 bytes
SHA-256 hash: b6fb33252e704539964a78207eb8b8077221df6864636d142695bd6b571ce9d6

-----------------------------

Any security/poker security experts that could perhaps shed some light on this?

There seems to be an element of clickjacking going on, because if I right-click the "Free Download" button this yields the good file. Also, if I simply click the same "Free Download" link (without refreshing the page) it downloads the clean file instead, which suggests it's some sort of script redirecting me to the bad file, if that makes sense?

If anyone has any questions please fire away, I'd really like for someone else to confirm this for me, as I said Betfred support have been really unhelpful.

Thanks.

Last edited by 2BusyLurking; 12-27-2018 at 02:35 AM.
12-27-2018, 03:31 AM
Use this link to scan the download with just the URL and post the results. That should get you results from almost all of the antivirus databases.

https://www.virustotal.com/#/home/url
12-27-2018, 03:40 AM
I did some more testing and this time clicking "£10 for new players!" served up the infected exe a couple of times.

It's really strange, like the links are being dynamically changed in the background.
Could this be some sort of crude detection avoidance? i.e. some sort of script that sends the infected version if certain criteria are met, or only serves up the infected file every other click? Or possibly it's just buggy and can't "inject" the bad download link on the 2nd click.

I've now hashed the files using different algos, MD5, SHA-1, etc.

The results are conclusive: the same links on the website are serving up 2 near-identical installers (same name, size and Playtech digital signatures), except when you hash them they have different hash values (therefore the contents can't be the same).


I'm going to do some screenshots of my findings and post them as soon as I can.

I'd really appreciate some help though, because I'm certainly no expert.
12-27-2018, 03:44 AM
Quote:
Originally Posted by DonWon
Use this link to scan the download with just the URL and post the results. That should get you results from almost all of the antivirus databases.

https://www.virustotal.com/#/home/url
Yeah I've done that,

The trouble is that to post the link, you have to copy the URL path.

If you link to the URL path, the version of the exe you will get will be the clean version with a SHA-256 hash of: c5105eca9cdadd75f058ea6b8a72dc27896b6352f6ecda18257d1feda80899c0

It's only "clicking" on the download button that "sometimes" downloads the infected version with a SHA-256 hash of:
b6fb33252e704539964a78207eb8b8077221df6864636d142695bd6b571ce9d6

It's like there is some JavaScript/clickjack going on that downloads the infected version.

I hope that makes sense?
12-27-2018, 03:51 AM
I noticed I can submit the file by uploading it directly to Virustotal.

I will upload both versions, and post the results shortly.
12-27-2018, 03:53 AM
And here's what Malwarebytes was telling me was the clean version.

It looks just as bad?

https://www.virustotal.com/#/file/c5...99c0/detection
12-27-2018, 04:09 AM
So my question is, why does the Betfred website give me 2 identical files that only show up as different if you hash them? How can clicking the same link on the same website yield 2 identical files with different SHA-256 hashes?

Is it simply a case that one version has been packed slightly differently and Malwarebytes is unable to detect it?

Betfred are trying to convince me this is a false positive, but if it is why the different hashes?

Virustotal seems to agree, it even uses SHA-256 and the hashes match what I hashed with Hash Tool locally.

The only difference is Virustotal flags both files,

and Malwarebytes only flags
b6fb33252e704539964a78207eb8b8077221df6864636d142695bd6b571ce9d6

but gives
c5105eca9cdadd75f058ea6b8a72dc27896b6352f6ecda18257d1feda80899c0
the all clear!
12-27-2018, 04:31 AM
Ahh, there is a difference in detection rate on Virustotal I've just noticed:

c5105eca9cdadd75f058ea6b8a72dc27896b6352f6ecda18257d1feda80899c0
Detected by 19 / 70
(My Malwarebytes thought this was clean)

b6fb33252e704539964a78207eb8b8077221df6864636d142695bd6b571ce9d6
Detected by 21 / 69

So it looks like one version sneaks under the radar a bit more than the other.

Of course these could be false positives but the fact the website is spitting out different executable files is alarming to say the least.

I thought it was best practice to provide a hash to end users (like when you download Ubuntu, for example) so that you can check that files haven't been altered in transit?

It just seems sketchy.

But maybe I'm just being overly paranoid.
12-27-2018, 08:21 AM
The only reason I can think of is that it's a RAT that they use for detecting bots and other programs on your computer. Also it might be new encryption generated with every download to make it undetected by antivirus, but it is getting detected because of an old encrypt.

I just started using non-admin accounts on my PC to install risky software so it doesn't take over the entire PC.


Try and contact the software designer Playtech and see what they say.

https://www.virustotal.com/#/file/b6...ce9d6/behavior
12-27-2018, 10:55 AM
If Playtech is giving two files with different hashes the same "digital signature" that's a problem and hard to see it happening randomly. Definitely see what they say about it.

You could try getting a diff tool and comparing the two files but it's unlikely that would give you much more information than the hash did.
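The OP compared the two installers by hand (size, signature timestamp, SHA-256), and the reply above suggests a diff tool. As an added example, not code from this thread, from Betfred or from Playtech, the Python below does both and adds the check a practitioner would want next: it hashes two blobs, lists the exact byte ranges where they differ, and reads the PE certificate-table directory entry so you can tell whether the differences sit inside the Authenticode signature blob. That distinction matters because Authenticode deliberately leaves the attribute certificate table out of the hash it signs, so two files that differ only there can both carry a validating Playtech signature, while a difference anywhere else means at least one signature should no longer verify. The PE-shaped blobs from build_fake_pe() are constructed stand-ins, not the real SetupPoker.exe; to run it on the real downloads, pass their paths to compare_files(). It does not verify the signatures themselves; use signtool verify /pa or Get-AuthenticodeSignature for that.

```python
"""Compare two same-size installers and locate where their bytes differ.

Added example for this thread; not code from the original posts, Betfred or
Playtech. The PE-shaped blobs produced by build_fake_pe() are constructed
stand-ins so the script runs without the real SetupPoker.exe files.
"""
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]


def digests(data: bytes) -> Dict[str, str]:
    """SHA-256, SHA-1 and MD5: the values Hash Tool and VirusTotal show."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("sha256", "sha1", "md5")}


def diff_ranges(a: bytes, b: bytes) -> List[Range]:
    """Half-open [start, end) offsets at which a and b differ; a length
    mismatch is reported as one final range covering the longer tail."""
    ranges: List[Range] = []
    n = min(len(a), len(b))
    start: Optional[int] = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def security_directory(pe: bytes) -> Optional[Range]:
    """(file offset, size) of the attribute certificate table, or None.

    It is data directory entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY); for this
    entry alone the 'VirtualAddress' field holds a raw file offset. Authenticode
    excludes this table from the hash it signs, so bytes changed only inside it
    do not invalidate the signature.
    """
    if pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                       # skip PE signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 data-directory offset
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    return (off, size) if size else None


def confined_to(ranges: List[Range], region: Optional[Range]) -> bool:
    """True when every differing range lies inside region=(offset, size)."""
    if region is None:
        return not ranges
    lo, hi = region[0], region[0] + region[1]
    return all(lo <= s and e <= hi for s, e in ranges)


def compare(a: bytes, b: bytes) -> dict:
    """Report: hashes, size match, diff ranges, and whether the diff stays
    inside the certificate table declared by the first file's headers."""
    ranges = diff_ranges(a, b)
    return {
        "same_size": len(a) == len(b),
        "hashes": (digests(a), digests(b)),
        "diff_ranges": ranges,
        "only_in_cert_table": confined_to(ranges, security_directory(a)),
    }


def compare_files(path_a: str, path_b: str) -> dict:
    """Same report for two files on disk (e.g. SetupPoker.exe and SetupPoker(1).exe)."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return compare(fa.read(), fb.read())


def build_fake_pe(cert_off: int, cert_size: int, total: int,
                  pe32plus: bool = True) -> bytearray:
    """Constructed minimal PE-shaped blob (not a real executable) whose headers
    declare a certificate table at cert_off with cert_size bytes."""
    buf = bytearray(total)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 64)                # e_lfanew
    buf[64:68] = b"PE\0\0"
    opt_size = 240 if pe32plus else 224
    struct.pack_into("<H", buf, 64 + 4 + 16, opt_size)   # SizeOfOptionalHeader
    opt = 64 + 4 + 20
    struct.pack_into("<H", buf, opt, 0x20B if pe32plus else 0x10B)
    dirs = opt + (112 if pe32plus else 96)
    struct.pack_into("<II", buf, dirs + 4 * 8, cert_off, cert_size)
    return buf


if __name__ == "__main__":
    good = build_fake_pe(0x400, 0x100, 0x600)
    bad = bytearray(good)
    bad[0x450:0x458] = b"\xff" * 8        # constructed: differs only inside the cert table
    report = compare(good, bad)
    print(report["hashes"][0]["sha256"])
    print(report["hashes"][1]["sha256"])
    print(report["diff_ranges"], report["only_in_cert_table"])
```

If the real files report only_in_cert_table as True, the differing bytes live in the signature blob and both copies can still pass signature verification, which is consistent with "same Playtech signature, different SHA-256"; if it is False, at least one copy has been modified somewhere the signature covers, and the signature check on that copy is the next thing to run.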
12-27-2018, 10:52 PM
Copy of email sent to Betfred support.

Please note this is a copy/paste of a thread I have posted on 2+2 to confirm if I'm alone with this issue and if anyone can shed some light on why the links on your website point to 2 different versions of the Poker installer SetupPoker.exe

The thread can be found here:

https://forumserver.twoplustwo.com/4...errerid=510201


Really I wanted a couple of questions answered,

1. What is the difference between these 2 files? The SHA-256 hashes prove they have different contents.
2. Why does clicking the same url on your website produce different installers?
3. Can you explain the results of the VirusTotal scans?

https://www.virustotal.com/#/file/b6...e9d6/detection
https://www.virustotal.com/#/file/c5...99c0/detection
01-02-2019, 02:20 AM
They never replied.

I took a gamble (it's poker software after all) and ran the installer that Malwarebytes said was clean.

I read an interesting article:

https://caanberry.com/what-is-iesnare-how-to-block-it/

I promptly altered my hosts file to block it before installing the clean poker client.

So far PC is running fine, virus scans come up clean etc.

I still don't trust them though! ~paranoid emote~
01-08-2019, 05:57 PM
Poker software is often considered to be malware by scanners.

Have a look at the virustotal results. Some classify it as adware, some as the playtech virus (lol) and others don't like the results of the heuristics analysis and found some potentially suspicious behaviour.

In short: no worries and move on