Despite the popularity of Battle Royale games, and despite the existence of a more modern version, Counter-Strike 1.6 still has a large number of players, reaching up to 15,000 simultaneous players today. That is a serious problem in light of the study conducted by Dr. Web, which indicates that at least 1,951 CS 1.6 servers, approximately 39% of the servers they analyzed, are infected with malware.
The Trojan spreads through vulnerabilities in the official game client. It is used to infect players' devices and download malware that secures the Trojan in the system and distributes it to other players' devices. To do this, the attackers exploit remote code execution (RCE) vulnerabilities, two of which were found in the official client of the game and four in the pirated one.
Once set up on the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected machine to propagate the Trojan. As a general rule, proxy servers show a lower ping, so other players will see them at the top of the list. When a player selects one of them, they are redirected to a malicious server where their computer is infected with Trojan.Belonard.
The owner of the malicious server uses the vulnerabilities of the game client and a newly written Trojan as a technical foundation for their business. The Trojan's purpose is to infect players' devices and download malware that secures the Trojan in the system and distributes it to the devices of other players. For that, the operator exploits remote code execution (RCE) vulnerabilities, two of which have been found in the official game client and four in the pirated one.
Valve was also informed about the dangerous vulnerabilities that allow remote code execution. While the company said that the flaws would be fixed, it did not specify an exact date for the fix.