Counter-Strike client used to create huge botnet
A Counter-Strike game-server promotion service has used multiple zero-days in the Counter-Strike client to create a large botnet. The network is made up of fake game servers for the popular online multiplayer game. According to a recent analysis by Dr. Web, 39 percent of all existing Counter-Strike 1.6 game servers seen online were found to be malicious. According to Valve, the publisher of Counter-Strike, the game has 300 million players. While Counter-Strike 1.6 is an older version that hasn't been under active development for years, an average of 20,000 players are online with official CS 1.6 clients at any one time, so it still represents a large field for hackers to grow their botnets.
Players can choose to purchase a dedicated Counter-Strike server, which allows them to have processor resources in the cloud that are dedicated to their own gameplay. This reduces lag and offers greater reliability than users may experience while playing over a typical home internet connection. Owners of these private game servers can also choose to host other players, and so selling and renting game servers has become something of a cottage industry. Owners of game servers often try to monetize their platforms by offering various privileges, such as protection against bans, special skins and cosmetics, access to special weapons and so on. So a market for game-server promotion and advertising was created. For example, raising a server's rank for a week costs about $3, which is not much, but a large number of buyers make this strategy a successful business model. One server operator, who goes by the handle “Belonard,” has been selling promotion services to private server owners while exploiting zero-days in the Counter-Strike client to drop a malicious trojan on gamers.
Belonard uses two previously unknown remote code-execution vulnerabilities in the Counter-Strike client to spread a custom trojan. A player launches the official Steam client and selects a game server; when the client connects to a malicious server, that server exploits an RCE vulnerability and uploads malicious libraries to the victim's device. Depending on which vulnerability is used, one of two libraries is downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5). The trojan then creates fake Valve game servers that are engineered to have low ping.
In server-based games where timing is key, such as first-person shooters like Counter-Strike, “low ping” means less lag time in the communications that flow between the players' clients and game servers. That translates into smoother gameplay and allows players to be more reactive and competitive. In Counter-Strike, players are either automatically paired with the best public, Valve-hosted server with the lowest ping rate, or they can manually choose one. Helpfully, the CS 1.6 client shows players a list of available servers along with their ping rates. The trojan takes advantage of this to lure in victims. Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list.
After selecting one of these low-pinging proxy servers from the list, a player is redirected to a fake server, where the user's computer becomes infected with Trojan.Belonard. The newly infected computer in turn is put to work spreading the trojan further. According to Dr. Web analysis, out of the 5,000 servers, 1,951 were found to have been fake servers created by the Belonard trojan.
A network of this scale allowed the trojan's developer to promote other servers for money, adding them to lists of available servers in infected game clients. The botnet has been disrupted, according to reports in the Twitterverse. But similar threats could always be in the offing if the flaws remain unpatched.