Counter-Strike 1.6 has been around since 1999 on PC, but it has recently been reported that 39% of all existing Counter-Strike 1.6 game servers available online are malicious and have been set up to remotely hack gamers' computers.
The malware, known as Trojan.Belonard, replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. The proxy servers show a lower ping, so other players see them at the top of the list. Joining such a server infects the gamer's computer with the Trojan. The infection is completely silent and makes use of a remote code execution vulnerability in the game that executes arbitrary code when a player joins a malicious server.
The creator, originating from Russia, is known as Belonard (subsequently, the Trojan is now known as Trojan.Belonard) and has also been distributing pirated versions of the game client on his website that are already infected with the Belonard Trojan.
The whitepaper published by security researchers at Dr. Web explains the details of the attack. Due to the nature of the Trojan's spreading techniques, it is said that out of 5,000 Counter-Strike 1.6 servers, 1,951 of them were created by the Belonard Trojan.
Trojan.Belonard consists of 11 components and operates under different scenarios depending on the game client. For example, if the official client is used, the Trojan infects the device using a remote code execution vulnerability in the client, which is exploited by the malicious server, and then establishes itself in the system. A clean but pirated version of the game is infected the same way. If the client is pre-infected from Belonard’s website, then the Trojan is already present from the first launch of the game.
Valve has been made aware of the 0-day vulnerabilities and the extent of the Belonard Trojan.