Doctor Web’s experts reveal a Trojan exploiting zero-day vulnerabilities of the official Counter-Strike client

March 11, 2019

Doctor Web’s lab has investigated the Trojan.Belonard malware that exploited the vulnerabilities of the Counter-Strike 1.6 game client to infiltrate users’ computers. Once installed, the Trojan replaced the game files and the list of available game servers.

Trojan.Belonard gets installed on a device upon connecting to a malicious game server. The Trojan exploits vulnerabilities of the game client and is able to infect both the Steam versions and the pirated builds of Counter-Strike 1.6 (CS 1.6). Once on the victim’s computer, the Trojan replaces the files of the client and creates proxies to infect other users. Such a scheme usually serves to create a network of infected computers, which can be used to promote game servers for money.

Despite the game’s long history, the number of players using official CS 1.6 clients is estimated at 20,000 people online, while the total number of game servers registered on Steam exceeds 5,000. Selling, renting, and promoting game servers is now a real business, and these services can be purchased on various websites. Server owners often pay for promotion, unaware that their server can be promoted by malware. Such illegal methods were used by the developer nicknamed “Belonard”: his server infected other players with a Trojan to promote other servers via their accounts.

At the moment, malicious CS 1.6 servers created by the Belonard Trojan account for 39% of all official servers registered on Steam. The CS community has been facing this issue for a long time, but until now anti-viruses have only been able to identify parts of the threat, not the Belonard Trojan in its entirety. Now all modules of the Belonard Trojan are successfully detected by Dr.Web’s products and do not pose a threat to our customers. Learn more about the Belonard Trojan and its operation in our study.
