Study Claims 39% of Counter-Strike Servers are Infected With Malware

Discussion in 'HardForum Tech News' started by AlphaAtlas, Mar 14, 2019.

  1. AlphaAtlas

    AlphaAtlas [H]ard|Gawd Staff Member

    In spite of the battle royale craze and a more modern sequel, the original Counter-Strike is still a massively popular game. The FPS had nearly 15,000 concurrent players at the time of this writing, and there are still thousands of registered 3rd party servers. However, a recent study from Dr. Web claims that 1,951 CS 1.6 servers, which represents about 39% of the servers they analyzed, are infected with malware. The trojan propagates itself through vulnerabilities within the official Counter Strike client, and is used to promote other CS servers. Unlike previously reported incidents, this exploit requires no confirmation on the user's end, and Dr. Web says they "have informed Valve about these and other vulnerabilities of the game, but as of now, there is no data on when the vulnerabilities will be fixed."

    Many owners of popular game servers also raise money from players by selling various privileges such as protection against bans, access to weapons, etc. Some server owners advertise themselves independently, while others purchase server promotion services from contractors. Having paid for a service, customers often remain oblivious as to how exactly their servers are advertised. As it turned out, the developer nicknamed "Belonard" resorted to illegal means of promotion. His server infected the devices of players with a Trojan and used their accounts to promote other game servers. The owner of the malicious server uses the vulnerabilities of the game client and a newly written Trojan as a technical foundation for their business. The Trojan is to infect players' devices and download malware to secure the Trojan in the system and distribute it to devices of other players. For that, they exploit Remote Code Execution (RCE) vulnerabilities, two of which have been found in the official game client and four in the pirated one. Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer becomes infected with Trojan.Belonard.
     
  2. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Wow,

    Based solely on the title I was going to guess that it was the good old "user set up turn key linux CS server and never changed the default passwords" problem we used to hear about, but an actual exploit that attacks vulnerabilities in the goldsrc server engine is interesting.

    That thing is ancient at this point. I wonder how often it gets updates anymore.

    Honestly, I'm surprised the 1.6 scene is still going. Personally I abandoned 1.6 as soon as the Source version launched. You expect some resistance to new things at first, but that was 15 years ago...
     
  3. Lakados

    Lakados [H]ard|Gawd

    Colour me shocked...... If there is money to be made in it somebody will try to earn it and if somebody is earning it somebody will try to steal it. I barely trust servers I set up to be secure, let alone ones set up by unknown strangers of unknown intent.
     
  4. Rahh

    Rahh [H]ard|Gawd

    This is on 1.6 so I'm not surprised at all. I'm not even sure they should have to support it.
     
  5. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon


    IMHO, if you are still selling it in digital stores, you should still have to support it. I'd argue support for 1-2 years after last sale date is appropriate.
     
  6. BloodyIron

    BloodyIron 2[H]4U

    This is some seriously sophisticated haxxoring right here. Dang!
     
  7. NickJames

    NickJames [H]ardness Supreme

    Not surprising, there were so many ways to exploit Goldsrc back in the day. You could upload all kinds of content into public servers by different means. I knew of one exploit involving custom sprays with hidden scripts to give admin to a player or just fuck with the server in general.
     