Posted by alphaatlas 11:36 AM (CDT)
Thursday March 14, 2019
In spite of the battle royale craze and a more modern sequel, the original Counter-Strike is still a massively popular game. The FPS had nearly 15,000 concurrent players at the time of this writing, and there are still thousands of registered 3rd party servers. However, a recent study from Dr. Web clams that 1,951 CS 1.6 servers, which represents about 39% of the servers they analyzed, are infected with malware. The trojan propagates itself through vulnerabilities within the official Counter Strike client, and is used to promote other CS servers. Unlike previously reported incidents, this exploit requires no conformation on the user's end, and Dr. Web says they "have informed Valve about these and other vulnerabilities of the game, but as of now, there is no data on when the vulnerabilities will be fixed."
Many owners of popular game servers also raise money from players by selling various privileges such as protection against bans, access to weapons, etc. Some server owners advertise themselves independently, while others purchase server promotion services from contractors. Having paid for a service, customers often remain oblivious as to how exactly their servers are advertised. As it turned out, the developer nicknamed, "Belonard", resorted to illegal means of promotion. His server infected the devices of players with a Trojan and used their accounts to promote other game servers. The owner of the malicious server uses the vulnerabilities of the game client and a newly written Trojan as a technical foundation for their business. The Trojan is to infect players' devices and download malware to secure the Trojan in the system and distribute it to devices of other players. For that, they exploit Remote Code Execution (RCE) vulnerabilities, two of which have been found in the official game client and four in the pirated one. Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer become infected with Trojan.Belonard.