Malicious Counter-Strike servers infecting computers with malware
Gaming computers are being infected with the Belonard malware
Counter-Strike 1.6 multiplayer servers have been acting as malware carriers. They have reportedly been compromised to exploit remote code execution (RCE) vulnerabilities in end-user gaming clients, which were then infected with the Belonard malware.
Dr. Web, a Russian antivirus company, reported on the exploit earlier this week. The compromised servers have already been shut down, but not before a number of computers were infected.
The servers were intentionally set up to spread the malware. The virus worked through proxy multiplayer servers that offered low ping times, attracting large numbers of users. When Counter-Strike 1.6 players connected to the servers, they were redirected to other servers that were infected – two were listed as official game servers and two were pirated copies – in order to execute the code and install Belonard.
The cybercriminal would then use the malware to modify the Counter-Strike clients and display ads inside the game. According to Ivan Korolev, a researcher with Dr. Web, “When a player starts the game, their nickname will change to the address of the website where an infected game client can be downloaded, while the game menu will show a link to the VKontakte CS 1.6 community with more than 11,500 subscribers.”
Belonard also created proxy servers on the target computers that appeared to be legitimate Counter-Strike servers. This led other users, believing them to be real, to connect to the servers, prompting the installation of the malware on those machines, as well.
At one point, there were 1,951 infected servers. All have reportedly been removed since then; however, some instances may still be floating around the web. These can be easily spotted, though, as they display the Counter-Strike server name as “Counter-Strike 1” or “Counter-Strike 2,” and not the legitimate “Counter-Strike 1.6.”