CS1.6 malicious servers

This week, security researchers from Russia's Dr.Web filed a report (PDF) saying that roughly 39% of Counter-Strike 1.6 servers were being used to spread malware to players. The report, filed on Monday, found that these malicious servers exploited a remote code execution (RCE) flaw in the game client to deliver a new malware variant called Belonard.

These servers were nothing more than proxy servers set up to display low pings, enticing players to try to connect to them. When players connected, they were redirected to the malicious servers, each of which used one of four different RCEs: two targeted legitimate copies of Counter-Strike 1.6 and two targeted the pirated version of the game. No honor amongst thieves, eh?

Once infected with Belonard, a client computer was added to a botnet made up of other infected machines.

Belonard was used to push advertisements into CS1.6. Researcher Ivan Korolev says that upon starting the game, the user's nickname would be changed to the address of a site where an infected game client could be downloaded. An in-game menu was also modified to show a link to the VKontakte 1.6 community.

The developer of Belonard also promoted legitimate CS1.6 servers on infected users' machines. These servers were allegedly promoted on behalf of operators willing to pay a fee to the developer of Belonard.

Belonard didn't stop there. Infected machines ran their own proxy servers, which then appeared on the server list. Other users trying to connect to them were redirected to the malicious servers, and so the cycle continued.

At its peak, the researchers counted 1,951 of these proxy servers. That accounted for roughly 39% of all Counter-Strike 1.6 multiplayer servers available at the time.

You probably don't have too much to worry about, at least for the time being. Dr.Web says it worked with the REG.ru domain registrar to take down all of the domain names the Belonard developers were using. Immediately after taking over the domains, Dr.Web noted that 127 game clients had tried to connect to them.

According to Korolev, Valve is aware of this issue and promises that a patch is coming. However, an exact release date for the patch was not disclosed.

In the meantime, you can help keep yourself safe by looking for suspicious server listings. A common bug in Belonard caused a server's game name to display as "Counter-Strike 1," "Counter-Strike 2," or "Counter-Strike 3." Legitimate servers typically show up as "Counter-Strike 1.6" in the list.

(Dr.Web via ZDNet)