Zero-Days in Counter-Strike Client Used to Build Major Botnet

A proprietor of a Counter-Strike gaming server promotion service has used multiple zero-days in the Counter-Strike client to create a large botnet. The network is made up of fake game servers for the popular online multiplayer game.

The attacker has had quite a bit of success. In a recent analysis, a whopping 39 percent of all existing Counter-Strike 1.6 (CS 1.6) game servers seen online were found to actually be malicious, according to Dr. Web.

According to its owner Valve, worldwide there are 300 million players of Counter-Strike, a first-person shooter game in which teams of terrorists try to mount an attack and counter-terrorists try to prevent it.

While Counter-Strike 1.6 is an older version that hasn’t been under active development for years, according to researchers the number of players using official CS 1.6 clients reaches an average of 20,000 clients online at any one time. So this still represents a fertile field for cybercriminals to grow their nefarious activities.

> Most people still playing CS1.6 have been camping at bomb site B for over 10 years.
>
> — Nick Carr (@ItsReallyNick) March 14, 2019

By way of background, players can choose to purchase a dedicated Counter-Strike server, which allows them to have processor resources in the cloud that are dedicated to their own gameplay – this reduces lag and offers greater reliability than users may have while playing over a typical home internet connection. Owners of these private game servers can also choose to host other players, and so selling and renting game servers has become something of a cottage industry. Owners of game servers often try to monetize their platforms by offering various privileges, such as protection against bans, special “skins” and cosmetics, access to special weapons and so on.

Thus, along with this comes a market for game-server promotion and advertising.

“For example, raising a server’s rank for a week costs about 200 rubles [$3], which is not much, but a large number of buyers make this strategy a rather successful business model,” researchers explained in a posting this week.

One server operator, who goes by the handle “Belonard,” has been selling promotion services to private server owners – while exploiting zero-days in the Counter-Strike client to drop a malicious trojan on gamers along the way.

Chain of Attack

Belonard was seen using two previously unknown remote code-execution (RCE) vulnerabilities in the Counter-Strike client to spread a custom trojan, according to researchers.

“A player launches the official Steam client and selects a game server,” researchers said. “Upon connecting to a malicious server, it exploits an RCE vulnerability, uploading … malicious libraries to a victim’s device. Depending on the type of vulnerability, one of two libraries will be downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5).”

The firm didn’t release details on the vulnerabilities, but did explain the attack chain further, noting that the trojan creates fake Valve game servers (not to be confused with the just-discussed private servers) that are engineered to have “low ping.”

In server-based games where timing is key, like first-person shooters like Counter-Strike, “low ping” means less lag time in the communications that flow between the players’ clients and game servers. That in turn translates into smoother gameplay and allows players to be more reactive and competitive.

In Counter-Strike, players are either automatically paired with the best public, Valve-hosted server with the lowest ping rate, or they can manually choose one. Helpfully, the CS 1.6 client shows players a list of available servers along with their ping rates. The trojan takes advantage of this to lure in victims.

“Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the trojan,” the firm explained. “As a rule, proxy servers show a lower ping, so other players will see them at the top of the list.”

After selecting (or matching with) one of these attractively low-pinging proxy servers from the client’s list of available platforms, a player is redirected to a malicious server, where the user’s computer becomes infected with Trojan.Belonard. The newly infected computer in turn is put to work spreading the trojan further.

According to Dr. Web analysis, out of the 5,000 servers available from the official Steam platform, 1,951 were found to have been fake, proxy servers created by the Belonard trojan – equating to 39 percent of all game servers available.

The point of all of this? Financial gain, of course.

“A network of this scale allowed the trojan’s developer to promote other [legitimate, private] servers for money, adding them to lists of available servers in infected game clients,” the firm explained.

The botnet has been disrupted, according to reports in the Twitterverse. But similar threats could always be in the offing if the flaws remain unpatched. Threatpost has reached out to Counter-Strike owner Valve about the vulnerabilities and will update this posting accordingly with any patch information or timeline.

> Belonard #malware infection by remote code execution (RCE) at gaming servers has been shut down, stopping a chain reaction of infections. <https://t.co/d1PGMWScgT&gt;
>
> — Secure Networkers (@SecureNetIT) March 14, 2019

Don’t miss our free live ****Threatpost webinar****, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub,” on Wed., Mar 20, at 2:00 p.m. ET.

Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, will join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.