exploit CounterStrike servers infected users to create a botnet

[justpoet]

https://news.drweb.com/show/?i=13135&c=23&lng=en&p=0

https://www.bleepingcomputer.com/news/security/39-percent-of-all-counter-strike-16-servers-used-to-infect-players/

 

The CS client isn't secure, and has been targeted by malicious servers, growing a bot net from CS players, and promoting servers to play on that further infect more users.  This was so easy to do that it constituted 39% of CS servers for a while.  This has currently been partially mitigated by shutting down some of the distribution methods of the trojan by disabling select domain names, but can easily spring back up again unless the client is actually patched.  Unfortunately, CS has been EOL (end of life) without further support for some time now, so that is unlikely.  This is different from a previous similar attack where the user was asked to download the files, as this is silent.

 

Quote

Trojan.Belonard consists of 11 components and operates under different scenarios, depending on the game client. If the official client is used, the Trojan infects the device using an RCE vulnerability, exploited by the malicious server, and then establishes in the system. A clean pirated client is infected the same way. If a user downloads an infected client from the website of the owner of the malicious server, the Trojan’s persistence in the system is ensured after the first launch of the game.

Quote

Let us touch upon the process of infecting a client in more detail. A player launches the official Steam client and selects a game server. Upon connecting to a malicious server, it exploits an RCE vulnerability, uploading one of the malicious libraries to a victim’s device. Depending on the type of vulnerability, one of two libraries will be downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5).

Once on the victim’s device, Trojan.Belonard.1 deletes any .dat files that are in the same directory with the library process file. After that, the malicious library connects to the command and control server, and sends it an encrypted request to download the file Mp3enc.asi (Trojan.Belonard.2). The server then sends the encrypted file in response.

Quote

In coordination with the REG.ru domain name registrar, Dr. Web was able to shut down the domains that the Trojan used to redirect players to fake game servers. This will help to prevent new players from becoming infected.

Quote

Unfortunately, the only way to prevent this botnet from being created again is to patch the vulnerabilities in the client. As Counter-Strike 1.6 was the last client to be released by Valve, a fix is not expected to be forthcoming.

 

[Nicnac]

So this is cs Source...?

[justpoet]

1 minute ago, Nicnac said:

So this is cs Source...?

TLDR: Hackers were spinning up servers maliciously crafted to serve exploit code directly into the client, which the client executed, further making the infection servers rank up in selections, and making them spin up similar infectious servers as well while hosting.

[Nicnac]

7 minutes ago, justpoet said:

TLDR: Hackers were spinning up servers maliciously crafted to serve exploit code directly into the client, which the client executed, further making the infection servers rank up in selections, and making them spin up similar infectious servers as well while hosting.

Yea but which version? Original cs?

 

[bjotte]

8 minutes ago, Nicnac said:

Yea but which version? Original cs?

 

1.6

the thing is 1.6 is EOL so no new updates so it will not be fixed by valve if I read correct.

[williamcll]

I wonder what the botnet was used for.