Unrevealing the architecture behind the Counter-Strike 1.6 botnet: zero-days and Trojans

Ivan Korolev, Igor G. Zdobnov/Doctor Web

When talking about threats in video games, people usually think of account takeover, but there is another danger that security specialists often overlook. In online gaming there is a whole industry of underground services for promoting game servers, and it often relies on illegal methods such as infecting game clients. The Belonard botnet was designed to promote servers in Counter-Strike 1.6. To achieve that, the botmaster employed: the Belonard trojan, spread via a malicious game server; an infected pirated build of the Counter-Strike 1.6 client distributed online; and exploits for several RCE vulnerabilities in the Counter-Strike 1.6 client, two of which are zero-days in the official Steam version. His main objective was to build a botnet of CS 1.6 clients in which each infected machine creates fake servers that redirect players to the malicious master server. The Belonard trojan registered a total of 1,951 fake servers, accounting for 39% of all game servers on Steam. In our presentation, we will disclose the vulnerabilities of the Counter-Strike 1.6 client used by Belonard, uncover its architecture and inner workings, and describe the shutdown process.

November 8 at 14:00 - 14:30, Stage B

Ivan Korolev

Ivan Korolev is a malware analyst at Doctor Web, Ltd with five years of experience analyzing malware for different platforms and architectures. I'm currently focused on analyzing targeted attacks, botnets and emerging threats.

Igor Zdobnov

Igor Zdobnov joined Doctor Web in 2002 as a malware analyst and has worked as chief malware analyst since 2009. He leads various security projects inside the company, covering threat intelligence, threat detection and prevention. He is passionate about malware analysis, reverse engineering and building machine learning malware detection systems.