Counter-Strike: Global Offensive is what most people think of when you mention Counter-Strike these days, but there are still plenty of fans of the version released in 2003, Counter-Strike 1.6. The game still has a healthy player base – more than most titles on Steam – but one study has found those players could be at risk, with thousands of CS 1.6 servers infected by a trojan.
A study by anti-virus vendor Dr.Web has warned that, out of 5,000 servers viewable through the CS 1.6 client, nearly 2,000 were faux servers created as a result of the Trojan.Belonard client. It’s not the first time CS 1.6 has been targeted by this kind of attack: Trojans were previously distributed through hidden iframes in the Message of the Day (MOTD) window that users saw upon connecting to a 1.6 server.
The contents of this window are an HTML file. The MOTD file created by hackers contains a hidden IFRAME component that was used to redirect to one of their servers. From it, in turn, the admin.cmd file containing the Win32.HLLW.HLProxy Trojan file was downloaded and installed on the victim’s computer.
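As an added illustration (not code from Dr.Web or from the original article), here is one way a server operator or analyst could check an MOTD HTML file for the hidden IFRAME pattern described above. The sample page, the `.example` host and all function names are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline style declarations that hide an element from the player.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.IGNORECASE)

class MotdIframeScanner(HTMLParser):
    """Collects <iframe> tags in an MOTD page that are hidden from view."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        # Zero- or one-pixel frames are invisible in the MOTD window.
        for dim in ("width", "height"):
            if a.get(dim, "").strip().rstrip("px") in ("0", "1"):
                reasons.append(f"{dim}={a[dim]}")
        if "hidden" in a:
            reasons.append("hidden attribute")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hiding style")
        if reasons:
            src = a.get("src", "")
            host = urlparse(src).netloc or "(relative)"
            self.findings.append({"src": src, "host": host, "reasons": reasons})

def scan_motd(html):
    """Return one finding per hidden iframe in the MOTD HTML."""
    scanner = MotdIframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample MOTD: one visible frame, two hidden ones.
SAMPLE_MOTD = """<html><body>
<iframe src="rules.html" width="600" height="300"></iframe>
<iframe src="http://motd-redirect.example/go" width="0" height="0"></iframe>
<iframe src="http://motd-redirect.example/b" style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_motd(SAMPLE_MOTD):
        print(finding["host"], finding["src"], finding["reasons"])
```

A hidden frame that loads from a host other than the game server's own is the combination worth reviewing by hand.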
The latest vulnerability, which has been reported to Valve, is even more severe. According to the analysts, the trojan can infect Steam versions of the game or pirated copies (which some netcafes around the world still use).
“A player launches the official Steam client and selects a game server,” the analysts explain. “Upon connecting to a malicious server, it exploits an RCE vulnerability, uploading one of the malicious libraries to a victim’s device. Depending on the type of vulnerability, one of two libraries will be downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5).”
Here’s an infographic of how the trojan is deployed:
One element of the trojan is particularly nasty. After searching the player’s machine for running CS clients, it then checks the hashes of those files against its own. If the two don’t match, it ends the existing client – displaying a warning that says “could not load game” – and then begins replacing the client hl.exe file with its own, infected version.
Because the malware relied on pulling files from an external domain name, the analysts were able to cut future connections and prevent future infections with the help of a Russian domain name registrar. CS 1.6 hasn’t been patched to prevent the exploit, however. Only Valve can do that, and the analysts are concerned it might not happen, given how old the game is.
“Doctor Web have informed Valve about these and other vulnerabilities of the game, but as of now, there is no data on when the vulnerabilities will be fixed,” they wrote.
A full breakdown of the trojan and how it operates can be read here.