Counter-Strike video game becomes a part of botnet

Counter-Strike is one of the most successful competitive online shooters of all time. With a user base in the millions, there have been numerous criminal acts (like the CS:GO gambling fiasco) targeting this massive pool of gamers. As recent reports have revealed, this criminal activity now includes turning unsuspecting players into members of a botnet.

In a report published on March 11, researchers at Dr. Web show how malware exploiting zero-day vulnerabilities in the game client was being used to harness gaming devices for a botnet. The malware in question is the Belonard Trojan, named after the server host Belonard, who took advantage of unsuspecting gamers looking for dedicated servers on which to play Counter-Strike.

The report describes Belonard’s attack methodology as follows:

The owner of the malicious server uses the vulnerabilities of the game client and a newly written Trojan as a technical foundation for their business. The Trojan is to infect players’ devices and download malware to secure the Trojan in the system and distribute it to devices of other players. For that, they exploit Remote Code Execution (RCE) vulnerabilities, two of which have been found in the official game client and four in the pirated one.

Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer becomes infected with Trojan.Belonard.

Using this pattern, the developer of the Trojan managed to create a botnet that makes up a considerable part of the CS 1.6 game servers. According to our analysts, out of some 5,000 servers available from the official Steam client, 1,951 were created by the Belonard Trojan. This is 39% of all game servers. A network of this scale allowed the Trojan’s developer to promote other servers for money, adding them to lists of available servers in infected game clients.

This attack proved successful, but as of this writing, Kaspersky Lab’s Threatpost has reported that the botnet has (at least for now) been disrupted. This does not mean, however, that the threat is over by a long shot. Valve, which owns the rights to Counter-Strike, has yet to discuss any patch plans with media sources, which is concerning.

If the core zero-days at the center of Belonard’s infiltration are left intact, what is to stop the threat actor from starting the bait-and-switch up again when the heat dies down?

Featured image: Valve

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
