CounterStrike is an old favorite game for veteran first-person shooters fans, its popularity remains at a very relevant and competitive level even after 2 decades. But Dr. Web has issued a warning for all CounterStrike gamers, as it was recently discovered that around 39% of publicly accessible CounterStrike 1.6 servers were designed to harm gamers. A zero-day vulnerability attack through malicious CounterStrike clients are making rounds online, once installed and executed, these clients can execute arbitrary code without the knowledge of the users.
A developer nicknamed “Belonard” is allegedly running the operations of the infected CounterStrike clients with the goal of building a sizable botnet for his own ends. The Trojanized CounterStrike client also serves as a proxy server for further propagation of the client.
“Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer become infected with Trojan.Belonard. Using this pattern, the developer of the Trojan managed to create a botnet that makes up a considerable part of the CS 1.6 game servers,” explained Dr. Web researchers.
CounterStrike 1.6 has 5,000 online servers hosted in Steam, however, based on the study conducted by Dr. Web, 1,951 of these servers are Trojanized. This number is more than ⅓ of all Counterstrike 1.6 servers online in Steam, and are played by loyal CounterStrike gamers globally without them realizing that they are playing a non-genuine game. Valve has not yet responded to the disclosure letter sent by Dr. Web, and at the time of this writing, infected servers are still online.
“Trojan.Belonard consists of 11 components and operates under different scenarios, depending on the game client. If the official client is used, the Trojan infects the device using an RCE vulnerability, exploited by the malicious server, and then establishes in the system. A clean pirated client is infected the same way. If a user downloads an infected client from the website of the owner of the malicious server, the Trojan’s persistence in the system is ensured after the first launch of the game,” added Dr. Web researchers.
Dr. Web has identified fuztxhus.valve-ms[.]ru:28445 as the command and control server used by the attackers. Connection to it is established by the trojan file Mssv36.asi, a support file named Mssv24.asi resides in memory, while another module is designed to change time stamp of all the files comprising the entire malware suite. This capability to modify timestamp is for the purpose of evading detection, as dates of files will remain the same hence no detection based-on time stamp can succeed.
It is highly recommended that CounterStrike players only download the game client from the official source. For higher detection possibility, it is also highly encouraged that a heuristic scan will be performed against a suspicious computer instead of just the generic signature-based scan. The latter does not have the capability to detect evasive maneuvers like changing the timestamp of files in order to maintain the files’ original date-time.
Related Resources:
A Nastier Use of Memes Discovered, To Remote Control A Trojan Horse
