Page 1 of 3
Think mythic will use this too?
Posted: Thu Oct 13, 2005 5:39 pm
by Ankh Morpork
Hoglund writes:
I recently performed a rather long reversing session on a piece of software written by Blizzard Entertainment, yes - the ones who made Warcraft, and World of Warcraft (which has 4.5 million+ players now, apparently). This software is known as the 'warden client' - its written like shellcode in that it's position independant. It is downloaded on the fly from Blizzard's servers, and it runs about every 15 seconds. It is one of the most interesting pieces of spyware to date, because it is designed only to verify compliance with a EULA/TOS. Here is what it does, about every 15 seconds, to about 4.5 million people (500,000 of which are logged on at any given time):
The warden dumps all the DLL's using a ToolHelp API call. It reads information from every DLL loaded in the 'world of warcraft' executable process space. No big deal.
The warden then uses the GetWindowTextA function to read the window text in the titlebar of every window. These are windows that are not in the WoW process, but any program running on your computer. Now a Big Deal.
I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time.
Once these strings are obtained, they are passed through a hashing function and compared against a list of 'banning hashes' - if you match something in their list, I suspect you will get banned. For example, if you have a window titled 'WoW!Inmate' - regardless of what that window really does, it could result in a ban. If you can't believe it, make a dummy window that does nothing at all and name it this, then start WoW. It certainly will result in warden reporting you as a cheater. I really believe that reading these window titles violates privacy, considering window titles contain alot of personal data. But, we already know Blizzard Entertainment is fierce from a legal perspective. Look at what they have done to people who tried to make BNetD, freecraft, or third party WoW servers.
Next, warden opens every process running on your computer. When each program is opened, warden then calls ReadProcessMemory and reads a series of addresses - usually in the 0x0040xxxx or 0x0041xxxx range - this is the range that most executable programs on windows will place their code. Warden reads about 10-20 bytes for each test, and again hashes this and compares against a list of banning hashes. These tests are clearly designed to detect known 3rd party programs, such as wowglider and friends. Every process is read from in this way. I watched warden open my email program, and even my PGP key manager. Again, I feel this is a fairly severe violation of privacy, but what can you do? It would be very easy to devise a test where the warden clearly reads confidential or personal information without regard.
This behavior places the warden client squarely in the category of spyware. What is interesting about this is that it might be the first use of spyware to verify compliance with a EULA. I cannot imagine that such practices will be legal in the future, but right now in terms of law, this is the wild wild west. You can't blame Blizz for trying, as well as any other company, but this practice will have to stop if we have any hope of privacy. Agree w/ botting or game cheaters or not, this is a much larger issue called 'privacy' and Blizz has no right to be opening my excel or PGP programs, for whatever reason.
-Greg
Hmm...
/Ankh
Posted: Thu Oct 13, 2005 5:49 pm
by Poh
Sounds interesting another reason for me not to play WoW
however i do not think mythic would do something like this (if they havnt) before they if anything is going to happen with blizz because its a privacy violation. Atleast thats what i think.
Posted: Thu Oct 13, 2005 5:55 pm
by Espen
http://wow.allakhazam.com/
Trojan Virus Alert
This only applies to you if you are running an older version of Internet Explorer, have not updated windows with the latest security patches and do not have virus protection on your computer. Apparantly one of our ad providers was affected by a trojan and was serving it to our site for several days last weekend. This is a keylogger and could possibly compromise your game login and password. As soon as we discovered it, we pulled all of their ads.
To see if you got the trojan, go to Program Files/Internet Explorer in your directory and look for a file named "syssmss.exe". If it is there, then open your task manager and delete the file. Also go to %WIN_DIR%\Downloaded Program Files and delete a file named either "fucksnow.exe" or "muma.exe". Then once you have done that, log into the game and change your password. In fact, change every password for every place you have typed since you got the trojan.
There are also several online sites that scan your computer for free.
http://www.windowsecurity.com/trojanscan/
http://housecall.trendmicro.com/
We apologize for this. In 6 years of running this site, nothing like this has ever happened. It kills me to think that we may have, even inadvertantly, caused anyone to have their account compromised. We're all about making the games better and more fun. Believe me, we will do everything in our power to make sure it does not happen again.
Along with the advertiser who sent this, and in cooperation with the FBI, we are attempting to track down the people who sent this. I hope I get a few minutes in a back room with the bastards.
Posted: Thu Oct 13, 2005 6:22 pm
by Cryn
If the warden program hashes the info before comparing it to the look ups, then the private information never leaves your computer in plain text. This means noone can read it (including Blizzard). It sounds like it is just anti-cheat code rather than spyware as such.
Posted: Thu Oct 13, 2005 6:23 pm
by Lairiodd
Mythic apparently do something like that. If they suspect you of cheating your client "accidently" crashes and the crash info is written to a file. This info contains a listing of all processes running.
Posted: Thu Oct 13, 2005 6:44 pm
by awarkle
the thing is in the Wow Coc thingy they actually state they will download and spy your computer to see what you are running along side wow.
They got into a lot of trouble a few years back because they did a similar thing with starcraft and didnt tell any one that it was spying on the user they got into a lot of trouble because of anti privacy situations.
however all that most spyware / hackor companys have to do is change the name of the file reported under spyware to say come up with
notpad.exe or similar. Wow might think they are clever and smart but you will find that most hackers and cheater are about 10 steps ahead of them all the tiem.
however i wouldnt play blizard software games they didnt give me a job
Posted: Thu Oct 13, 2005 8:09 pm
by Radu
everquest client does the same, but that feautre can be switched off. certainly all hacker swicth it off...
Posted: Fri Oct 14, 2005 7:29 am
by HappyG
Lairiodd wrote:Mythic apparently do something like that. If they suspect you of cheating your client "accidently" crashes and the crash info is written to a file. This info contains a listing of all processes running.
I must be their no.1 suspect than, my BB client crashes 5 times a day
Posted: Fri Oct 14, 2005 8:11 am
by Heta
radar bb!!!!
Posted: Fri Oct 14, 2005 9:18 am
by Kesxex
http://www.schneier.com/blog/archives/2 ... ntert.html
OK, there are two sides to the coin - links in above links point to both sides.
Apparently the one that made this public is writing cheat programs and loosing big money I assume.