In context: The Counter-Strike franchise contains some of the most well-known first-person shooter titles in the world, and for good reason. Counter-Strike matches usually pit two teams against each other in fast-paced objective matches or simple slaughterfests. To remain competitive and survive, players have to hone their reaction speeds and develop strong strategies.
As you can imagine, all of that rapid action appeals to quite a few people – so much so that even the original Counter-Strike (known as Counter-Strike 1.6) still has thousands of dedicated servers and players.
Apparently, malicious server owner “Belonard” used his platform to infect players with a new type of Trojan, which exploits vulnerabilities in Counter-Strike 1.6’s client architecture to force unwitting players to spread the virus to other players.
How does this happen? To start with, a player has to connect to Belonard’s infected server. Once they do, the Trojan in question sets itself up on that individual’s computer and turns their PC into an infected proxy server that will then show up in the Counter-Strike 1.6 server list for other players.
These infected servers generally show lower ping, making them considerably more appealing to other players. Once a player connects to this proxy server, they too become infected, and the cycle repeats.
So, what’s the end goal of this Trojan? Apparently, Belonard uses this malware to promote other servers in exchange for money – infected players will have a much higher chance of seeing promoted servers pop up when they browse for a new place to play.
It’s a nasty business, but likely a lucrative one. According to Dr. Web, a whopping 39 percent of all Counter-Strike 1.6 game clients were infected with Belonard’s Trojan. That amounts to roughly 1,951 servers in total.
Fortunately, Dr. Web says their analysts have largely stopped Belonard’s malware in its tracks:
Doctor Web’s analysts took all necessary measures in order to neutralize the Belonard trojan and stop the botnet from growing. The delegation of the domain names used by the malware developer was suspended with the help of the REG.ru domain name registrar. Since redirection from a fake game server to the malicious one happened via a domain name, CS 1.6 players will no longer be in danger of connecting to the malicious server and getting infected by the Belonard trojan. This interrupted the work of almost all the components of the malware.
Apparently, Dr. Web has forwarded their findings to Valve, but the company hasn’t given a timeline for potential fixes yet.