39% of all existing Counter-Strike 1.6 game servers online are malicious

Pierluigi Paganini March 14, 2019

Experts at security firm Dr. Web revealed that 39% of all existing Counter-Strike 1.6 game servers online are malicious, an attacker is exploiting zero-day flaws in game clients.

Bad news for gamers of the popular game Counter-Strike, according to the experts at the security firm Dr. Web, 39% of all existing Counter-Strike 1.6 game servers online are malicious.

The game Counter-Strike 1.6 was developed by Valve Corporation in 2000. Roughly 20,000 players are using official Counter-Strike 1.6 clients, while the overall number of game servers registered on Steam is over 5,000.

Threat actors have set-up the servers in the attempt of hacking gamers’ computers worldwide by exploiting zero-day vulnerabilities in the game client.

The owners of many servers raise money from players by selling various privileges, such as access to weapons and protection against bans.

“Some server owners advertise themselves independently, while others purchase server promotion services from contractors. Having paid for a service, customers often remain oblivious as to how exactly their servers are advertised.” reads the analysis published by Dr.Web. “As it turned out, the developer nicknamed, “Belonard”, resorted to illegal means of promotion. His server infected the devices of players with a Trojan and used their accounts to promote other game servers.”

The owner of the malicious server exploits the vulnerabilities in the game client, he infected them with a newly written Trojan dubbed Belonard, that downloads malware to secure the Trojan in the system and spread the device to other players.

Experts at Dr. Web reported that the attackers exploit two Remote Code Execution (RCE) flaws in the official game client, they also found four issues in the pirated version of the popular game.

The developer ‘Belonard‘ of the Trojan managed to create a botnet compromising a large number of the CS 1.6 game servers. Belonard is also distributing a tainted of the game client via his website, the version is infected with the Belonard Trojan.

Once infected a gamer’s client, the Belonard Trojan replaces the list of available game servers and create proxies to spread the Trojan.

“Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan.” reads the analysis published by Dr. Web.

“As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer become infected with Trojan.Belonard.”

The Trojan.Belonard is composed of 11 components, experts noticed that the malicious code operates under different scenarios, depending on the game client. If the gamer is using the official client, the Trojan infects the device exploiting an RCE vulnerability through the malicious server and then establishes in the system. A clean pirated client is infected the same way. If a user downloads an infected client from the website operated by the owner of the malicious server, the Trojan’s persistence in the system is ensured after the first launch of the game.


Experts noticed that one of the components, Trojan.Belonard.10, remains in the system and acts as a protector of the client. It is able to filter requests, files, and commands received from other game servers and forwards data about attempted changes to the client to the Trojan developer’s server.

Another component, Trojan.Belonard.9, is used to create proxy game servers and registers them with the Steam API.”According to our analysts, out of some 5,000 servers available from the official Steam client, 1,951 were created by the Belonard Trojan,” the researchers say.

Dr. Web already reported the issues exploited by the attackers to the Valve Corporation, the company also reported malicious domain names used by the developer to the Russian web registrar that quickly suspend them.

“Doctor Web’s analysts took all necessary measures in order to neutralize the Belonard trojan and stop botnet from growing. The delegation of the domain names used by the malware developer was suspended with the help of REG.ru domain name registrar. Since redirection from a fake game server to the malicious one happened via domain name, CS 1.6 players will no longer be in danger of connecting to the malicious server and getting infected by the Belonard trojan. This interrupted work of almost all the components of the malware. ” concludes the analysis.

“At the present moment, Belonard botnet can be considered neutralized; but in order to ensure the safety of Counter-Strike game clients, it is necessary to close current vulnerabilities.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Counter-Strike, malware )

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment