Windows 10 News and info | Forum
May 19, 2019, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: 39% of All Counter-Strike 1.6 Servers Used to Infect Players  (Read 25 times)
Hero Member
Online Online

Gender: Male
United States United States

Posts: 30026

I Do Windows

WWW Email
« on: March 14, 2019, 01:19:31 PM »

When playing a video game, most people do not worry about getting infected by the their game client. New research, though, shows that's exactly what is happening when 39% of all existing Counter-Strike 1.6 game servers were trying to infect players through vulnerabilities in the game client.

While Counter-Strike 1.6 is almost 20 years old, there is a still a strong player base and market for game servers to play on. With this demand, hosting providers rent game servers on a monthly basis and offer other services such as a the promotion of a customer's game server in order to increase their popularity.

In a new report by Dr. Web, researchers explain how a developer is utilizing game client vulnerabilities, the Belonard Trojan botnet, and malicious servers to promote the game servers of his customers and enlist more victims to the botnet. At its peak, this botnet grew so large that approximately 39% of the 5,000 Counter-Strike 1.6 servers were malicious in nature and attempting to infect connected players.

"Using this pattern, the developer of the Trojan managed to create a botnet that makes up a considerable part of the CS 1.6 game servers," stated the research by Dr. Web. "According to our analysts, out of some 5,000 servers available from the official Steam client, 1,951 were created by the Belonard Trojan. This is 39% of all game servers. A network of this scale allowed the Trojanís developer to promote other servers for money, adding them to lists of available servers in infected game clients."

The Belonard Trojan

In order to promote his customer's servers, a developer with an alias of Belonard created malicious servers that when connected to by a Counter-Strike 1.6 client, would infect the player with the Belonard Trojan.

To do this, the Belonard botnet utilized pre-infected clients or remote command execution vulnerabilities in clean clients, which allowed them to install the Trojan simply by a player visiting a malicious server. As the Counter-Strike 1.6 game client is no longer supported, all players of this game are potential victims of this botnet.

"Let us touch upon the process of infecting a client in more detail. A player launches the official Steam client and selects a game server. Upon connecting to a malicious server, it exploits an RCE vulnerability, uploading one of the malicious libraries to a victimís device. Depending on the type of vulnerability, one of two libraries will be downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5)."

Below is an attack flow demonstrating how Belonard works.

Attack Flow

When installed the Trojan will create a Windows service named "Windows DHCP Service" and uses the ServiceDLL value to load the Belonard Trojan saved at C:\Windows\System32\WinDHCP.dll.

The Trojan will then replace files in the game client that not only promotes the attacker's site where infected game clients can be downloaded, but will also promote fake game servers. If a player attempts to join one of these servers, they will be redirected to a malicious game server that uses the RCE vulnerability to infect the victim with the Belonard Trojan.

"When a player starts the game, their nickname will change to the address of the website where an infected game client can be downloaded, while the game menu will show a link to the VKontakte CS 1.6 community with more than 11,500 subscribers."

Shutting down the Botnet

In coordination with the domain name registrar, Dr. Web was able to shut down the domains that the Trojan used to redirect players to fake game servers. This will help to prevent new players from becoming infected.

Dr. Web has also continued to monitor other domains utilized by the malware's Domain Generation Algorithm (DGA), but sinkholes have so far been able to prevent further infections.

Unfortunately, the only way to prevent this botnet from being created again is to patch the vulnerabilities in the client. As Counter-Strike 1.6 was the last client to be released by Valve, a fix is not expected to be forthcoming.


Pages: [1]
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page March 16, 2019, 07:01:45 PM