When playing a video game, most people do not worry about getting infected by the their game client. New research, though, shows that's exactly what is happening when 39% of all existing Counter-Strike 1.6 game servers were trying to infect players through vulnerabilities in the game client.

While Counter-Strike 1.6 is almost 20 years old, there is a still a strong player base and market for game servers to play on. With this demand, hosting providers rent game servers on a monthly basis and offer other services such as a the promotion of a customer's game server in order to increase their popularity.

In a new report by Dr. Web, researchers explain how a developer is utilizing game client vulnerabilities, the Belonard Trojan botnet, and malicious servers to promote the game servers of his customers and enlist more victims to the botnet. At its peak, this botnet grew so large that approximately 39% of the 5,000 Counter-Strike 1.6 servers were malicious in nature and attempting to infect connected players.

"Using this pattern, the developer of the Trojan managed to create a botnet that makes up a considerable part of the CS 1.6 game servers," stated the research by Dr. Web. "According to our analysts, out of some 5,000 servers available from the official Steam client, 1,951 were created by the Belonard Trojan. This is 39% of all game servers. A network of this scale allowed the Trojan’s developer to promote other servers for money, adding them to lists of available servers in infected game clients."

The Belonard Trojan

In order to promote his customer's servers, a developer with an alias of Belonard created malicious servers that when connected to by a Counter-Strike 1.6 client, would infect the player with the Belonard Trojan.

To do this, the Belonard botnet utilized pre-infected clients or remote command execution vulnerabilities in clean clients, which allowed them to install the Trojan simply by a player visiting a malicious server. As the Counter-Strike 1.6 game client is no longer supported, all players of this game are potential victims of this botnet.

"Let us touch upon the process of infecting a client in more detail. A player launches the official Steam client and selects a game server. Upon connecting to a malicious server, it exploits an RCE vulnerability, uploading one of the malicious libraries to a victim’s device. Depending on the type of vulnerability, one of two libraries will be downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5)."

Below is an attack flow demonstrating how Belonard works.

Attack Flow

When installed the Trojan will create a Windows service named "Windows DHCP Service" and uses the ServiceDLL value to load the Belonard Trojan saved at C:\Windows\System32\WinDHCP.dll.

The Trojan will then replace files in the game client that not only promotes the attacker's site where infected game clients can be downloaded, but will also promote fake game servers. If a player attempts to join one of these servers, they will be redirected to a malicious game server that uses the RCE vulnerability to infect the victim with the Belonard Trojan.

"When a player starts the game, their nickname will change to the address of the website where an infected game client can be downloaded, while the game menu will show a link to the VKontakte CS 1.6 community with more than 11,500 subscribers."

Shutting down the Botnet

In coordination with the REG.ru domain name registrar, Dr. Web was able to shut down the domains that the Trojan used to redirect players to fake game servers. This will help to prevent new players from becoming infected.

Dr. Web has also continued to monitor other domains utilized by the malware's Domain Generation Algorithm (DGA), but sinkholes have so far been able to prevent further infections.

Unfortunately, the only way to prevent this botnet from being created again is to patch the vulnerabilities in the client. As Counter-Strike 1.6 was the last client to be released by Valve, a fix is not expected to be forthcoming.