Zero-day exploits used in 1.6 Counter-Strike servers to spread malware

39% of Counter-Strike 1.6 active servers are exploited via the remote code execution vulnerabilities

A Russian developer uses Belonard trojan to infect online gamers of Counter-Strike 1.6 through malicious servers

Gamers who have been playing Counter-Strike 1.6 online frequently might be at risk of getting their computer systems infected. Cybersecurity experts have discovered that around 39% of the online gaming servers are injected with malicious code that has the purpose of hacking the players' computer systems and incorporating them into a botnet known as Belonard (this name also belongs to the malware developer).^[1]

Counter-Strike is a first-person shooter game published by Valve Corporation back in 2000. Despite its relatively old release, the game is still relatively popular, reaching around 20,000 active players at peak hours.^[2] The total active number of servers is 5,000, so the infected count reaches 1951.

Players do not need to interact with malware in any way – all they have to do is connect to the compromised server

Technology specialists from Dr. Web have announced that the infected server manipulated the zero-day vulnerability which is found in the game client. These vulnerabilities are known as RCE (Remote Code Execution) flaws, and one of them is found in an original game client when the other four are located in the pirated versions:^[3]

The owner of the malicious server uses the vulnerabilities of the game client and a newly written Trojan as a technical foundation for their business. The Trojan is to infect players’ devices and download malware to secure the Trojan in the system and distribute it to devices of other players. For that, they exploit Remote Code Execution (RCE) vulnerabilities, two of which have been found in the official game client and four in the pirated one.

The mastermind behind the malicious scheme is a Russian-based malware author who goes by the name Belonard. Unsurprisingly, the name of malware and the botnet it created were named the same.

Belonard malware replaces the available online gaming servers with malicious ones and creates proxies in order to distribute the Trojan to other machines and infect even more Counter-Strike 1.6 players.^[4]

Once the arbitrary code is running on the infected machine after a successful connection to the malware-related server, no actions of the user are needed to spread the Trojan to other users. Besides that, experts have also discovered that Belonard has registered around 1,951 proxy game servers with the Steam API.^[5] This allows the malware to keep data on the infected machine and contact the remote C&C server.^[6]

Malicious domains are patched, now users are waiting for the game patch by Valve

Belonard botnet is also capable of offering an ad promotion service for a specific fee. According to Ivan Korelev, a Dr. Web computer security researcher, the malware developer uses the Trojan to modify the victims' CS 1.6 clients and start displaying advertisements while the user is in-game. Initially, the botnet was used for legal Counter-Strike 1.6 server promotion for a fee set by Belonard developer.

The developer of the game, Valve, was also informed about the dangerous vulnerabilities that allow the remote code execution. While the company said that the flaws would be fixed, it did not specify the exact date it will be done. Nevertheless, cybersecurity researchers took down all malicious domains that belonged to REG.ru, which consequently stopped the distribution of Trojan.Belonard.

According to security experts, players can easily recognize malicious servers. Rather than providing the typical server name “Counter-Strike 1.6”, Belonard displays it as “Counter-Strike 1”, “Counter-Strike 2”, or “Counter-Strike 3”.^[7]