
The State of Security in MMORPGs 288

Anonymous writes "Security researchers Greg Hoglund and Gary McGraw poked around in World of Warcraft and other online games, finding vulnerabilities and exploiting the system using online bots and rootkit-like techniques to evade detection. Their adventures in online game security became fodder for the book, Exploiting Online Games. McGraw discussed with securityfocus the state of security in modern video games, cheating and anti-cheating systems, how the market for cheats, exploits, and digital objects is growing, what we could learn from the design of these huge systems, and how game developers react to submissions of security vulnerabilities."

  • by Pojut ( 1027544 ) on Wednesday January 16, 2008 @12:12PM (#22067484) Homepage
    This is one of the primary reasons why I like Guild Wars so much. I was a WoW junkie for about a year and a half straight (played in the closed and open betas, bought the game on release day). Switched over to Guild Wars.

    See, with WoW, since I was paying for it, I felt obligated to play it over other games...as a result, I missed out on a LOT of games when they came out. With Guild Wars, however, since there is no monthly fee, I'll log in for a couple hours here, a couple hours there...maybe a grand total of 5-7 hours a week out of my 25-30 hours a week spent playing video games. Since I'm not paying a monthly fee, I feel less like I HAVE to play it and more like I WANT to play it...WoW is a better game IMO, but I like not having that "second-job" feeling.
  • Re:rootkit-like? (Score:5, Interesting)

    by RichMan ( 8097 ) on Wednesday January 16, 2008 @12:17PM (#22067564)
    Blizzard has a cheat monitor process called the Warden which scans the active process list for known cheat programs. Hiding from a process scanner is "rootkit-like". It is indeed a war zone out there. I wonder if these guys ever play core-wars.

    http://en.wikipedia.org/wiki/Warden_(software) [wikipedia.org]

    --
    Warden (also known as Warden Client) is an anti-cheating tool integrated in Blizzard Entertainment games such as Diablo II, StarCraft (since patch 1.15), and most notably World of Warcraft. While the game is running, Warden uses API function calls to collect data on open programs on the user's computer and sends it back to Blizzard servers as hash values to be compared to those of known cheating programs.[1] Privacy advocates consider the program to be spyware.[2]
    --
  • Re:rootkit-like? (Score:4, Interesting)

    by Anonymous Coward on Wednesday January 16, 2008 @12:23PM (#22067638)
    No, it means literally what it says. Rootkit-like techniques to evade detection; specifically, process stealthing.

    Because, for example, Blizzard's polymorphic anti-cheat "Warden" tries to scan process lists, the memory space of other processes, window titles - and, if they want, your filesystem - and because it can be updated at any time, if you want to spend any serious time looking at the game in that way, one of the very first things you're going to need is a good stealth driver to pull the wool over its eyes.

    It shouldn't be that difficult, you'd think. Both Inner Space and Glider, for example, have modules to do just that, and they're running a kernel mode driver which Warden doesn't have the advantage of, but even so, the stealth is woefully incomplete which is one reason people get massbanned.

    Of course the other reason is that bots tend to look rather obvious to any other player, and get reported. The challenge there is to build a better bot, (but since there's chat involved in the game, you'd better get ready for a Turing test; since that isn't an option, discretion is the better part of valour).
  • by qortra ( 591818 ) on Wednesday January 16, 2008 @12:24PM (#22067656)
    I think you're absolutely right about this. I always dreamed of an MMO that was more focused on player-skill/ingenuity than on the amount of time invested in the particular player. Such a game should passively improve the real-human player by giving him more experience with the gaming system, rather than improving the virtual character by giving him arbitrary levels/gear/money. Such a game would be naturally resistive to exploits and cheats. I would apply the following test to an MMO to see if it meets this qualification:

    Take a player who has played the game for a while, is skilled at the game, and is very successful at completing game objectives. Now, have that player start a new game with a brand new character. He should be able to be somewhat competitive with that new character - not nearly as strong without his old level or gear, but still competitive.

    Of course, there are plenty of caveats. First, I have had difficulty in imagining an RP system that would have such a large emphasis on creativity and intelligence. Second, it is unlikely that many people would actually have interest in such a game. Unfortunately, I think that most people actually like the grind; and even if they don't have the intellect to keep up in a real game, they can gain satisfaction from countless hours hoarding gear and currency.
  • by eepok ( 545733 ) on Wednesday January 16, 2008 @12:41PM (#22067870) Homepage
    Massively just did an interview with John Smedley and touched upon the issue of farmers/plat sellers and how they are using social hacking to bring in profits and hurt the company.

    Part 1: http://www.massively.com/2008/01/14/a-ces-interview-with-soe-ceo-john-smedley-pt-1/ [massively.com]
    Part 2: http://www.massively.com/2008/01/14/a-ces-interview-with-soe-ceo-john-smedley-pt-2/ [massively.com]

    SOE owns and operates Everquest, Everquest 2, Star Wars Galaxies, and other MMOs.

    I think the issue of farming is higher on the radar now than it ever has been. The behind-the-scenes things are really frustrating. A lot of these farmers are essentially stealing from us. What they do is they charge us back all the time. They use a credit card - sometimes stolen, sometimes not - to buy an account key. They use the account for a month, and then they call the credit card company and charge it back. We have suffered nearly a million dollars just in fines over the past six months; it's getting extremely expensive for us. What's happening is that when they do this all the time, the credit card companies come back to us and say "You have a higher than normal chargeback rate, therefore we'll charge you fines on top of that."
  • by mabu ( 178417 ) on Wednesday January 16, 2008 @12:46PM (#22067984)
    I was a GM in Everquest for several years. I could chime in on my experience, which mostly related to scouting out in-game cheating. We were trained to look for signs of more elaborate types of cheats and report them higher up in the chain.

    In most of these games, the main thing wasn't really "cheating" as much as it was "exploiting" flaws or characteristics of the game's design. On some maps it was possible to "fall through the world" and people could effectively position themselves so they could attack monsters but the monsters could not attack them. This was also accomplished by using creative means to get on top of structures in the game geometry that the designers had never intended to be accessible. There were places, for example, where we'd often find PCs on roofs in hostile towns attacking high-level NPCs and due to the pathing, were able to not be counter-attacked. There was a constant cat-and-mouse game trying to find out how they were pulling these things off. It was more interesting than annoying usually. I was always impressed by some of the creative ways people would try to give themselves an advantage.

    Midway into EQ's popularity a number of software programs started to appear. These really blew the lid off the game's integrity. I forget the name of this one utility, but it was a utility that managed to decrypt the game stream, and due to the way the game was designed, when you entered a zone, this program could identify the coordinates of and nature of every NPC and PC in a certain range. SOE's game design, which often sent more info to the client than the client needed to make available to the user, created a situation where once someone decrypted the data, they had access to what was going on. Suddenly rare NPCs were being killed within minutes of appearing, and when a GM appeared in a zone to investigate, the perps knew instantly we were there and would log off. Again, a cat-and-mouse game erupted where the developers started routinely changing the game's encryption and eventually they curtailed much of this behavior and made it too difficult to use the software. But at its heyday, the cheats were quite impressive. You'd have your main game client, and then you'd have a second computer sniffing the traffic, decoding it and displaying a real-time map of all PCs and NPCs in the zone. Very high-tech. Also very difficult to catch. Since the cheat program wasn't even on the same PC, programs like WoW's "Warden" wouldn't help. The only way you could identify someone cheating was to watch their in-game behavior. When you'd see PCs make a beeline for a rare NPC within seconds of it spawning, you knew something was up.

    Last but not least, in these games, the servers log just about everything. If they want to catch a cheater, the behavior is quite easy to spot. I think the biggest issue with security in MMORPGs isn't being able to catch people cheating, it's trying to figure out how to keep the proper balance between game integrity and profitability. Probably 90% of people playing MMORPGs have broken rules and most of this behavior is on file. The companies cannot afford to take too hard a stance unless the transgressions are creating big problems.
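
The server-side check described in the comment above (characters heading straight for a rare NPC within seconds of its spawn, found from the server's own logs), sketched as an added example that is not part of the original thread. The log format, thresholds and function name are assumptions, and the log lines are constructed.

```python
import math
from collections import Counter

VIEW_RADIUS = 200.0    # assumed range at which a client legitimately sees an NPC
REACTION_WINDOW = 60   # seconds after a spawn that count as "within seconds"
MIN_HITS = 3           # one fast kill can be luck; require a repeated pattern

# Constructed sample log: (time_s, event, fields). Not real game data.
LOG = [
    (0,    "pos",    {"player": "alice", "xy": (500, 100)}),
    (0,    "pos",    {"player": "bob",   "xy": (150, 100)}),
    (0,    "pos",    {"player": "carol", "xy": (600, 600)}),
    (0,    "pos",    {"player": "dave",  "xy": (100, 450)}),
    (10,   "spawn",  {"npc": "rare_1", "rare": True, "xy": (100, 100)}),
    (50,   "engage", {"player": "alice", "npc": "rare_1"}),   # far away, fast
    (55,   "engage", {"player": "bob",   "npc": "rare_1"}),   # was in view
    (58,   "engage", {"player": "dave",  "npc": "rare_1"}),   # far, fast, once
    (400,  "engage", {"player": "carol", "npc": "rare_1"}),   # far, but slow
    (1000, "pos",    {"player": "alice", "xy": (900, 900)}),
    (1010, "spawn",  {"npc": "rare_2", "rare": True, "xy": (600, 900)}),
    (1045, "engage", {"player": "alice", "npc": "rare_2"}),
    (2000, "pos",    {"player": "alice", "xy": (0, 0)}),
    (2005, "spawn",  {"npc": "common_1", "rare": False, "xy": (10, 10)}),
    (2006, "engage", {"player": "alice", "npc": "common_1"}),  # not rare
    (3000, "pos",    {"player": "alice", "xy": (50, 800)}),
    (3010, "spawn",  {"npc": "rare_3", "rare": True, "xy": (50, 500)}),
    (3050, "engage", {"player": "alice", "npc": "rare_3"}),
]

def find_beeliners(log):
    """Return {player: hits} for players who repeatedly engage rare NPCs
    soon after spawn despite having been outside view range at spawn time."""
    last_pos = {}      # player -> most recent logged position
    spawns = {}        # npc -> (spawn time, {player: distance at spawn})
    counted = set()    # (player, npc) pairs already scored
    hits = Counter()
    for t, kind, f in sorted(log, key=lambda e: e[0]):
        if kind == "pos":
            last_pos[f["player"]] = f["xy"]
        elif kind == "spawn" and f["rare"]:
            dist = {p: math.dist(xy, f["xy"]) for p, xy in last_pos.items()}
            spawns[f["npc"]] = (t, dist)
        elif kind == "engage" and f["npc"] in spawns:
            t0, dist = spawns[f["npc"]]
            key = (f["player"], f["npc"])
            d = dist.get(f["player"])
            if (key not in counted and d is not None
                    and d > VIEW_RADIUS and t - t0 <= REACTION_WINDOW):
                counted.add(key)
                hits[f["player"]] += 1
    return {p: n for p, n in hits.items() if n >= MIN_HITS}

if __name__ == "__main__":
    print(find_beeliners(LOG))
```

Because the check runs on server logs alone, it still applies when the decoding tool sits on a second machine where a client-side scanner cannot see it.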
  • by Teancum ( 67324 ) <robert_horning@n ... t ['ro.' in gap]> on Wednesday January 16, 2008 @12:58PM (#22068166) Homepage Journal
    One of the things that needs to be remembered here about all of this concern about game hacks, bot players, gold sellers, and other nefarious aspects of the MMORPG universe is that a considerable amount of what happens here is just sheer intellectual curiosity.

    Face it, network packets are for many software developers hardly a mystery, and trying to reverse engineer the communications protocols between a game server and a client is hardly the most challenging task in computer science. If the game publisher decides to encrypt the communication in some way, that encryption is easy to reverse engineer as well... especially if you have the software for the client on your own machine. It may crack up the skill level a little bit if the "hacker" has to decompile the client in order to find the encryption mechanism, but that just makes it all that more of a prize to win and find out.

    For several of the on-line games that I play, I'll admit that I've been tempted to try this myself just to see how it was done. And there are major communities who love to do this stuff. For example, the game Runescape has a fairly good group of people who have tried to reverse engineer the communications protocols, and have gone so far as to recreate the server software itself and re-implement a client using the same protocol. One excellent example is Moparscape [moparscape.org] (Warning: click on this link at your own risk... these are real hackers here!) This is not the only server like this, I should add.

    That real-world cash is also injected into the need/demand for these sort of reverse engineering efforts is really just icing on the cake for many of these individuals who get into this activity.

    How you can get rid of this "game about a game" effort in terms of an arms race between the software publisher and the hacker community trying to reverse engineer the communications protocol may be something worth investigating. I'm certain that, as usual, the game industry is probably far more secure in its communication protocols than most other "real-world" activities like bank transactions and electronic voting, perhaps even military communications. This would be as a result of the vested interest of those young enough to have the patience and determination in order to hack this communications system.

    I'm also certain that even the software developers who write these games have a fun time trying to come up with strategies in order to thwart the hacker community. For them, it is a fun intellectual exercise as well, especially when you are going up against people brighter than you are. So in this sense, it is a sort of chess game with slightly higher stakes on the line. And once a "hacker" has obtained all of this arcane knowledge... what are they supposed to do with that hard-won knowledge? (besides give themselves the best equipment in the game.)
  • by FileNotFound ( 85933 ) on Wednesday January 16, 2008 @01:58PM (#22069008) Homepage Journal
    Actually, it was used extensively. Every single raid guild I've ever been in used it. That's not to say that everyone in the guild did, but a few people did. The scouts, the pullers, the raid leaders, they all had it. Each guild I was in had a 'subgroup', we jokingly referred to it as "BlackOps" and our job was always to get lists of raid targets, and keep an eye on other guild raids so if they wiped we could roll over them. I know other guilds had them too, sometimes we'd be raiding in a very high lvl area that is hard to get into without a key etc and I'd see someone without any guild tag appear on SEQ and then disappear again. I knew what they were doing because I was doing the same thing.

    Anyone who used SEQ could easily spot others using it. We'd have scout chars logged off in zones to regularly check on rare spawns and scripts to start EQ, and log in the right char to scan a zone. As in, I'd click an icon on my desktop, EQ would start in the background in a tiny window, log in and then log out right away. This gave SEQ time to scan the zone and if the mob that was on the watch list was up, it'd pop up an alert. We tested this, and the whole thing happened quick enough that nobody would even see the char appear in the zone - unless of course they ran SEQ themselves.

    I was on Mithaniel Marr, and I know for a fact that one of the top EQ guilds, Afterlife, used SEQ. It's not just 'beelining' it's that SEQ keeps track of respawn times. Not only do you know what's there, you know what's going to be there in 5 seconds or 1 minute. You see which areas in a zone are taken, where the boss of the LDON dungeon is, where someone's corpse is - even if they themselves have no idea where they died because they got lost. You could see the players without it getting surprised by spawns, making wrong turns, getting adds on their pulls, being unable to find a corpse, clearing an entire LDON dungeon to find a named etc.

    Of course whenever we had unknowns in the zone we'd act deaf and dumb, bumbling about acting like we don't know what's where, run into dead ends, clear unnecessary areas of dungeons. We knew that the other guilds at the very least suspected us of using it and probably reported us for it just as much as we reported them. It was meta-gaming at its finest and I loved every second of it.
  • The book (Score:2, Interesting)

    by Sir_Sri ( 199544 ) on Wednesday January 16, 2008 @02:17PM (#22069264)
    I got a copy of their book as part of our multimedia research group. The first half is a reasonably approachable treatment of networked application type security issues, sure it's constantly making reference to games and gambling but in an era where most of our students in Comp Sci have played, or do play online games it makes for an understandable example. I would say we pulled a bunch of stuff out of that for our web apps course and some of it for our general software engineering courses. The latter half, with a rather extensive focus on World of Warcraft, and its security from Warden (which now transmits encrypted so an 'out of the box' view of the book and their software governor won't do you much good) is insightful, if somewhat traumatic to try and read. Unless you're really inclined to go disassembling your online game much of the benefits of this book can be found elsewhere, but for any game developer it's probably worth reading over a couple of hours to get an appreciation for the sort of attacks you'll face and someone else's take on the same problem in case there's something you've missed.
  • by goldspider ( 445116 ) on Wednesday January 16, 2008 @02:33PM (#22069462) Homepage
    There are a few major shortcomings (IMHO) that kept me trying, but leaving Guild Wars:

    1. Like you said, lack of persistent world.
    2. Lack of gear diversity.
    3. Lack of solo play options.
    4. Steep learning curve.
    5. No auction/market system whatsoever.

    I found the single player game to be little more than a one-dimensional grind for skills. And without skills, what chance do you have to succeed in PvP?

    I'd like to find a reason to play it again, as visually it is a very impressive game. It will take a lot of convincing, though, to get me to purchase the expansions and give it another shot.
  • by Darinbob ( 1142669 ) on Wednesday January 16, 2008 @02:44PM (#22069630)
    Yes, Guild Wars is an interesting beast that eliminates a lot of the tendencies to cheat; at least on the PVE side of things (PVP and competition will naturally encourage cheaters).

    I also like Lord of the Rings Online which doesn't have the same emphasis on gear (uber loot) as WoW, and far less PVP (pwners). When the game is about exploring, cooperation, or role playing, the need to cheat just isn't as strong.
  • by Pojut ( 1027544 ) on Wednesday January 16, 2008 @02:49PM (#22069694) Homepage
    See, that's just it though; I LOVED playing WoW. I never logged in while thinking "man, I really don't want to play this." I would venture to say that my time spent playing WoW definitely makes up a large portion of my favourite gaming memories.

    A better way to describe it would be when I would sit down to play something other than WoW, my thoughts drifted towards thinking that I should log in and finish this or that quest, or head to the auction house instead. I felt pulled to it. Playing other games while in the midst of my addiction (and it was, admittedly, an addiction) made me feel like I was wasting my time...after all, playing God of War wasn't gonna put the ore in my backpack:-)
  • by Sparckus ( 1158609 ) on Wednesday January 16, 2008 @03:22PM (#22070164)
    Agreed, the PvE content while casual friendly wasn't particularly great. After the first play through it was extremely boring. The PvP side had mountains of potential and if Anet didn't make an absolute arse of it I would still be playing it today (Lack of UAX at the start, handling of tournaments and the ladder and so on). Guild Wars PvE required a lot less grind than any other MMORPG but at the same time it didn't have a lot to do in it after completion, sure you can now buy expansions but it was crap having to wait for more content at the time. Grind in MMOs is the reason people want to cheat in the first place, Blizzard et al really should come up with a way of delivering good content that doesn't require shitloads of grind and rewards players for playing the game when they want to and when they can, rather than punishing them for not spending at least half of their life playing it.
  • by immcintosh ( 1089551 ) <(gro.hsotnicmnai) (ta) (todhsals)> on Wednesday January 16, 2008 @03:27PM (#22070224) Homepage
    That depends on what you want to call "shady." He's certainly not done anything illegal from the looks of it. Mind you, it's not illegal (correct me if I'm wrong) to cheat at online games. From what I gathered reading the article, it deals exclusively with client-side hacks/bots and such--feeding incorrect data back to the server, disabling cheat monitoring software that comes with the game, that kind of stuff. Certainly it's in violation of the Terms of Service of the games, but that really doesn't make it "shady" in any meaningful way.

    Obviously, if he had broken into their secured servers, that would be another matter entirely, but from what it seems he did nothing of the sort.
  • Re:rootkit-like? (Score:4, Interesting)

    by ahsile ( 187881 ) on Wednesday January 16, 2008 @03:41PM (#22070404) Homepage Journal
    I actually used to play a MMO called Asheron's Call about 6 years ago. I played honestly for about a year, and only made it to level 80 or so. It was a real grind to get anywhere. Eventually my grind partner quit and decided to play another MMO, which left me pretty much alone. I was a member of a 'monarchy', or guild if you may, but it really didn't help alleviate any of my issues.

    So I switched to another guild which was well known for their botting. You had to prove yourself before you got access to the bot software though, so I got stuck in what they called an 'experience chain'. Everyone would swear allegiance to someone else, and a portion of your XP would be passed up the chain. If you had good enough leadership and loyalty skills the numbers would actually multiply as it passed up. After leveling a new character to about 70 or 80 with the chain, I was allowed access to the bot software. Of course it was against the game's TOS, but we had our ways around it.

    Most of us would run our bots all night farming dungeons, but the admins would show up every once in a while to figure out if we were at the keyboard at all. What we actually did was have all chat communication funneled through an IRC channel that someone was generally watching. Our characters could also be remote controlled from the IRC channel with proper authentication as well. That defeated their ban stick for a while, because it was only illegal to bot when you weren't at the keyboard.

    Eventually the admins got smart and started showing objects to the characters. We were asked to describe the color or what the item was. I do believe it was possible to get around that limitation, but I never stuck around long enough to find out. At about that point I had landed my current job and couldn't devote the time to play any more. And with the botters, you needed to be able to check your character and be available 24/7... even if you weren't actually playing the game all the time.

    So I guess my point is, this probably happens already since we were doing it years ago!
  • by jayveekay ( 735967 ) on Wednesday January 16, 2008 @04:38PM (#22071084)
    At $15/month, WoW subscription costs about $.50/day. Expansion for $40 every 2 years works out to another $.06 per day, so say $0.56 per day total.

    Guild Wars cost is about $40 to buy an expansion every 6 months, or about $0.25/day.

    So, the difference in dollar cost between the 2 games is about $0.30/day. I would argue that if that amount of money is a more significant factor to you than which game you enjoy playing more, then you should play neither and instead spend the time earning more money. :)
