Study Claims 39% of Counter-Strike Servers are Infected With Malware

Mar 3, 2018
In spite of the battle royale craze and a more modern sequel, the original Counter-Strike is still a massively popular game. The FPS had nearly 15,000 concurrent players at the time of this writing, and there are still thousands of registered third-party servers. However, a recent study from Dr. Web claims that 1,951 CS 1.6 servers, about 39% of the servers they analyzed, are infected with malware. The trojan propagates itself through vulnerabilities in the official Counter-Strike client and is used to promote other CS servers. Unlike previously reported incidents, this exploit requires no confirmation on the user's end, and Dr. Web says they "have informed Valve about these and other vulnerabilities of the game, but as of now, there is no data on when the vulnerabilities will be fixed."

Many owners of popular game servers also raise money from players by selling various privileges such as protection against bans, access to weapons, etc. Some server owners advertise themselves independently, while others purchase server promotion services from contractors. Having paid for a service, customers often remain oblivious as to how exactly their servers are advertised. As it turned out, the developer nicknamed "Belonard" resorted to illegal means of promotion. His server infected the devices of players with a Trojan and used their accounts to promote other game servers. The owner of the malicious server uses the vulnerabilities of the game client and a newly written Trojan as a technical foundation for their business. The Trojan is to infect players' devices and download malware to secure the Trojan in the system and distribute it to devices of other players. For that, they exploit Remote Code Execution (RCE) vulnerabilities, two of which have been found in the official game client and four in the pirated one. Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer becomes infected with Trojan.Belonard.

Based solely on the title I was going to guess that it was the good old "user set up a turn-key Linux CS server and never changed the default passwords" problem we used to hear about, but an actual exploit that attacks vulnerabilities in the GoldSrc server engine is interesting.

That thing is ancient at this point. I wonder how often it gets updates anymore.

Honestly, I'm surprised the 1.6 scene is still going. Personally I abandoned 1.6 as soon as the Source version launched. You expect some resistance to new things at first, but that was 15 years ago...
Colour me shocked...... If there is money to be made in it somebody will try to earn it and if somebody is earning it somebody will try to steal it. I barely trust servers I set up to be secure, let alone ones set up by unknown strangers of unknown intent.
This is on 1.6, so I'm not surprised at all. I'm not even sure they should have to support it.

Not surprising, there were so many ways to exploit GoldSrc back in the day. You could upload all kinds of content into public servers by different means. I knew of one exploit involving custom sprays with hidden scripts to give admin to a player or just fuck with the server in general.