#1250720: 39% of All Counter-Strike 1.6 Servers Used to Infect Players
When playing a video game, most people do not worry about getting infected by their game client. New research, though, shows that is exactly what was happening: 39% of all existing Counter-Strike 1.6 game servers were trying to infect players through vulnerabilities in the game client.
While Counter-Strike 1.6 is almost 20 years old, there is still a strong player base and a market for game servers to play on. With this demand, hosting providers rent game servers on a monthly basis and offer other services, such as promoting a customer's game server in order to increase its popularity.
In a new report by Dr. Web, researchers explain how a developer is utilizing game client vulnerabilities, the Belonard Trojan botnet, and malicious servers to promote the game servers of his customers and enlist more victims to the botnet. At its peak, this botnet grew so large that approximately 39% of the 5,000 Counter-Strike 1.6 servers were malicious in nature and attempting to infect connected players.
"Using this pattern, the developer of the Trojan managed to create a botnet that makes up a considerable part of the CS 1.6 game servers," stated the research by Dr. Web. "According to our analysts, out of some 5,000 servers available from the official Steam client, 1,951 were created by the Belonard Trojan. This is 39% of all game servers. A network of this scale allowed the Trojan’s developer to promote other servers for money, adding them to lists of available servers in infected game clients."
The Belonard Trojan
In order to promote his customers' servers, a developer with the alias Belonard created malicious servers that, when a Counter-Strike 1.6 client connected to them, would infect the player with the Belonard Trojan.
To do this, the Belonard botnet utilized pre-infected clients or remote command execution vulnerabilities in clean clients, which allowed the Trojan to be installed simply when a player visited a malicious server. As the Counter-Strike 1.6 game client is no longer supported, all players of this game are potential victims of this botnet.
"Let us touch upon the process of infecting a client in more detail. A player launches the official Steam client and selects a game server. Upon connecting to a malicious server, it exploits an RCE vulnerability, uploading one of the malicious libraries to a victim’s device. Depending on the type of vulnerability, one of two libraries will be downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5)."
Date added: March 14, 2019, 12:43 p.m.