Just about 39% of all Counter-Strike 1.6 servers were being used to push malware to end users. It’s amazing that still to this day counter-strike 1.6 is still being play after 20 years. The game still has many players and there is a high demand for hosting providers to provide players to rent game servers.
Dr. Web, researchers explained that the developers are using the game clients vulnerabilities to push the Belonard Trojan botnet by deploying malicious servers to promote the game servers and enlist more victims to the botnet. At its peak, this botnet grew so large that approximately 39% of the 5,000 Counter-Strike 1.6 servers were compromised and looking to infect more connected players.
“Using this pattern, the developer of the Trojan managed to create a botnet that makes up a considerable part of the CS 1.6 game servers,” stated the research by Dr. Web. “According to our analysts, out of some 5,000 servers available from the official Steam client, 1,951 were created by the Belonard Trojan. This is 39% of all game servers. A network of this scale allowed the Trojan’s developer to promote other servers for money, adding them to lists of available servers in infected game clients.”
The Belonard Trojan
The Belonard botnet utilized pre-infected clients or remote command execution vulnerabilities within the clean clients, which allowed the hackers to install the Trojan simply by the player visiting the infected server.
“Let us touch upon the process of infecting a client in more detail. A player launches the official Steam client and selects a game server. Upon connecting to a malicious server, it exploits an RCE vulnerability, uploading one of the malicious libraries to a victim’s device. Depending on the type of vulnerability, one of two libraries will be downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5).”
Below is a demonstration of the attack flow
After the Trojan is installed it will create a Windows service named “Windows DHCP Service” and uses the Service.DLL value to load the Belonard Trojan saved at C:\Windows\System32\WinDHCP.dll.
The Trojan will then go about replacing files in the game client and it will promote the attackers site where infected game clients can be downloaded. The players that use these clients will also promote fake game servers and when the player joins the play will be redirected to a malicious server and infect you with the Trojan.
“When a player starts the game, their nickname will change to the address of the website where an infected game client can be downloaded, while the game menu will show a link to the VKontakte CS 1.6 community with more than 11,500 subscribers.”
They have now removed all these servers and blocked the current IP \ domains were these things were being generated but they can still be recreated and the only way to prevent this botnet from being created again is to patch the vulnerabilities in the Counter-Strike 1.6 software client which Valve will most likely not be fixing.