While Counter-Strike 1.6 is nearly 20 years old, it still commands a strong player base and server market. Exploiting this strength, hosting service providers rent game servers monthly and offer additional services like advertising client game servers to enhance game popularity.
In a recent report, Dr. Web researchers explained how a developer uses vulnerabilities in the game client, the Belonard Trojan botnet, and malicious servers to advertise clients' game servers while adding more victims to the botnet.
At its peak, the botnet grew to account for about 39% of the total of 5,000 Counter-Strike 1.6 servers, all of them malicious servers that attempt to infect the players who connect.
'Using this model, the Trojan developer has created a botnet that occupies a significant portion of CS 1.6 game servers,' Dr. Web researchers said. 'According to our analysis, out of 5,000 servers available from Steam clients, 1,951 servers are created by the Trojan Belonard, accounting for about 39% of all game servers. This network scale allows Trojan developers to advertise other servers to make money, adding them to the list of unavailable servers in infected clients.'
Trojan Belonard
To advertise client servers, the developer working under the pseudonym Belonard has created malicious servers that infect players with the Belonard Trojan when Counter-Strike 1.6 clients connect to them.
To accomplish this, the Belonard botnet relies on already infected clients or exploits remote vulnerabilities in uninfected clients, so that the Trojan is installed when players access malicious servers. As the Counter-Strike 1.6 game client is no longer supported, all gamers are potential victims of the botnet.
'We'll delve into the infection process for a client. Players will launch the Steam client application and select a game server. Upon connection to the malicious server, it will exploit an RCE vulnerability, downloading and executing malicious libraries onto the victim's device. Depending on the type of vulnerability, one of two libraries will be downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5)'
Upon installation, the Trojan will create a Windows service named Windows DHCP Service and use the ServiceDll value to load the Belonard Trojan stored in C:\Windows\System32\WinDHCP.dll.
Subsequently, the Trojan will replace files within the client application, not only advertising the attacker's website, where the infected game clients are downloaded, but also promoting fake game servers.
If players attempt to join these servers, they will be redirected to malicious game servers utilizing an RCE vulnerability to infect victims using the Belonard Trojan.
'When players start the game, their nickname will change to the web address where the infected game client can be downloaded, while the in-game menu will display links to the VKontakte CS 1.6 community with over 11,500 subscribers.'
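The persistence described above (a service displayed as Windows DHCP Service whose ServiceDll points at WinDHCP.dll) can be checked for on a host. The following is an added example, not code from Dr. Web's report or the original article: it scans saved output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` for those two indicators. The sample text, the key name `ExampleSvc` and the function names are constructed for illustration.

```python
import re

# Indicators taken from the article: the service display name and the DLL it loads.
IOC_DISPLAY_NAME = "windows dhcp service"
IOC_DLL_NAME = "windhcp.dll"

# Constructed sample of `reg query ...\Services /s` output. "ExampleSvc" is a
# placeholder key name; the article does not state the real registry key name.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    DisplayName    REG_SZ    @%SystemRoot%\system32\dhcpcore.dll,-100

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\dhcpcore.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc
    DisplayName    REG_SZ    Windows DHCP Service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Windows\System32\WinDHCP.dll
"""

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)(\\Parameters)?$", re.I)
VAL_RE = re.compile(r"^\s+(\S+)\s+REG_\w+\s+(.*)$")

def parse_services(text):
    """Map each service key to the values of the key and its Parameters subkey."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        key = KEY_RE.match(line)
        if key:
            current = services.setdefault(key.group(1), {})
        elif line.startswith("HKEY_"):
            current = None  # some other subkey; ignore its values
        else:
            val = VAL_RE.match(line)
            if val and current is not None:
                current[val.group(1).lower()] = val.group(2).strip()
    return services

def find_belonard_services(text):
    """Return (key, ServiceDll, name_matches, dll_matches) for each suspicious service."""
    hits = []
    for key, vals in parse_services(text).items():
        dll = vals.get("servicedll", "")
        name_hit = vals.get("displayname", "").lower() == IOC_DISPLAY_NAME
        dll_hit = re.split(r"[\\/]", dll)[-1].lower() == IOC_DLL_NAME
        if name_hit or dll_hit:
            hits.append((key, dll, name_hit, dll_hit))
    return hits
```

The legitimate DHCP client service loads dhcpcore.dll and is not flagged; a match on either indicator alone is still reported so that a renamed service or relocated DLL gets a second look.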
Disable Botnet
After collaborating with the domain registration company REG.ru, Dr. Web researchers were able to disable the domains used by the Trojan to redirect users to fake game servers, preventing new players from being infected.
Researchers are also continuing to monitor other domains used by the malware's Domain Generation Algorithm (DGA).
Unfortunately, up to this point, the only way to prevent this botnet from being recreated is to patch vulnerabilities in the client machines. Since Counter-Strike 1.6 is the last game client released by Valve, it's highly likely that no further patches will be issued.
To avoid potential threats from spyware that may harm your computer, it's advisable to download and install highly-rated antivirus software such as BKAV, KIS, and AVAST right now.
