Cybercriminals are exploiting zero-day flaws in Counter-Strike 1.6 to spread the Belonard Trojan. It has been reported that 39% of all Counter-Strike 1.6 online game servers are malicious and have been configured to remotely attack gamers’ computers.
Counter-Strike is a series of multiplayer first-person shooter games where a team of terrorists conducts acts of terror and counter-terrorists try to prevent them. Counter-Strike 1.6 was first released for retail on 12 September 2003 and has maintained a healthy player base since, with continued interest in the brand. As of August 2011, the franchise had sold over 25 million units.
A team of cybersecurity researchers at Dr Web has disclosed the details of the vulnerabilities. They announced that an attacker has been using malicious servers to compromise Counter-Strike gamers’ systems without their knowledge.
Counter-Strike 1.6 contains multiple remote code execution vulnerabilities within its client software that allow attackers to execute malicious code as soon as the gamer connects to the compromised server.
There are over 5000 game servers registered on Steam and there are around 20,000 Counter-Strike players online on average.
A statement on Dr Web’s website reads:
Many owners of popular game servers also raise money from players by selling various privileges such as protection against bans, access to weapons, etc. Some server owners advertise themselves independently, while others purchase server promotion services from contractors. Having paid for a service, customers often remain oblivious as to how exactly their servers are advertised. As it turned out, the developer nicknamed, “Belonard”, resorted to illegal means of promotion. His server infected the devices of players with a Trojan and used their accounts to promote other game servers.
The Trojan works by infecting the player’s system and downloading malware to secure the Trojan and distribute it to the devices of other players. The statement continues:
Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer becomes infected with Trojan.Belonard.
The researchers have reported their findings to Valve Corporation, the developer of Counter-Strike. Dr Web did try to take down some of the servers, but this is only a temporary, small-scale solution because the attackers could easily spin up more malicious servers.
18 hours ago, in a discussion on Reddit, user VariousWinter said:
All known malicious servers (with this Trojan) were shut down. The source is Valve.ms-ru but it is also present in many disguised / legitimate looking servers which are redirects to the malicious server.