Blizzard's Warden Thwarted by Sony's DRM Rootkit

shotfeel writes "First, news of Warden -a bit of code from Blizzard's WoW to trounce game cheats. Then, a Sony rootkit to make your computer safe for music. Now, news that you can use the Sony rootkit to make your game cheats safe from the Warden."

Just goes to show..

[Heem]

Just goes to show that there is indeed a good use for everything.

Re:Just goes to show..

[B'Trey]

Good or bad depends on your point of view, of course. Wouldn't it be trivial to modify existing worms or viruses to take advantage of the exact same concept, hiding themselves from virus scanners?

Re:Just goes to show..

[rob_squared]

Because it helps the cheater WIN! Silly!

Wait a minute...

Re:Just goes to show..

[networkBoy]

Because now Blizzard (hopefully) will sue Sony for some DMCA violation on breaking their game security device :-)
[/wishful thinking]
-nB

Re:Just goes to show..

[networkBoy]

I do believe that "circumvention of a protection device" may actually apply. . .
-nB

Re:Just goes to show..

A better question is, why don't Antivirus Software remove the Sony Virus(TM) in the first place?

Re:Just goes to show..

[Stripe7]

I just love that post by the guy who wants ISO's of the CD so they can use the rootkit. Now SONY will now have their entire product pirated not for the content they are trying to protect but for the content protection system they chose to employ! ROFL

Re:Just goes to show..

IANAL...

It doesn't for two reasons.

First, Warden is not a copyright protection system. It essentially is a EULA protection system. For example, if I use a third party utility to run a speed hack, I can be banned from the game for violating the EULA. I can't be hit up for thousands of dollars for copyright infringement.

Second, as it is installed it in no way would assist in cheating in WoW. A third party can take advantage of what it does do. In other words Sony is not shipping this DRM software with the primary intent to enable cheating in WoW.

In fact, Warden has a greater chance of violating the DMCA since it could access memory that contains copyrighted material after the DRM system has decrypted the work. Luckily the primary design purpose of Warden is also not copyright infringement.

Of course some lawyer may figure out some way to twist all of this around, so who knows.

Re:Just goes to show..

[Tim+C]

No. The Sony rootkit isn't deployed in order to thwart The Warden, just like the knives in my kitchen weren't created and sold to kill humans with.

If I create something to beat The Warden, that uses Sony's rootkit to hide, then *I* am the one liable, not Sony, just like Kitchen Devil aren't liable for any psychotic killing sprees I may go on with their products.

Unfortunately.

Re:Just goes to show..

[ikkonoishi]

In fact, Warden has a greater chance of violating the DMCA since it could access memory that contains copyrighted material after the DRM system has decrypted the work. Luckily the primary design purpose of Warden is also not copyright infringement.

Yet. Turnabout however is fair play.

I can see it now.

Blizzard:Those DRM bastards want to make it easier to cheat on our games. Lets include a P2P music sharing client into our next release!
Player:Hey... WTF? Did that monster just drop a Metalica CD?

Re:Just goes to show..

[bhsx]

I submitted a story that got rejected regarding this type of "rootkit." Somehow (my girlfriend's daughter uses this system in a reletively locked-down mode) I got something installed on my system that slipped past the Spybot S&D, MS AntiSpyware, AVG antivirus, and ewido.
It was a total b*tch just to find. The thing would build its directory/itself on shutdown (it seemed) and load then delete any trace of itself at startup, even in Safe Mode. It hid itself from Windows Task Manager and every other scan a could run. I ran some Sysinternals apps such as RootkitRevealer and Autoruns, and showed nothing over and above anything I could account for. Suspecting it was a rootkit anyway, I found some good apps such as Process Guard, and F-Secure's Blacklight(stand-alone executable, pretty nice), and a CLI app called RkDetector. Once I had ran PG I could see what was happenning to my poor little PC. Explorer launches a program called ddrssapi.exe from System32, then would go onto to launch mchshisn.exe every 3 seconds or so. At one point Process Guard counted mchshisn.exe loading over 350 times before grinding to a crashing halt!
Googling ddrssapi.exe or mchshisn.exe yields no hits (or at least didn't, now it'll probably link to this thread), so I renamed the former (because I knew where it was). I was hoping that was the app that created the directory at startup so I rebooted to see if things calmed down.
Process Guard makes no mention of ddrssapi, but is still continuously launching mchshisn, and I notice that it says it's launching from Program Files/Weslorer... Takes about 4 minutes to bring the box down to it's knees, but that gave me enough time to realize that I could do nothing to find this mysterious directory (Weslorer).
I boot into Knoppix 4.0 and low and behold there is PF/Weslorer. Unfortunately for me, Knoppix didn't want to play nice with NTFS, so I couldn't delete the dir. Then I remembered that I had build the Windows Ultimate Boot Disk based on BartPE a few weeks ago. Booted into it and removed the Weslorer (which also shows no google hits) directory and ran a Spybot S&D scan for good measure. I rebooted into my XP install and all was well. No more popups (which caused the autopsy in the first place), no more stray process launching hundreds of times. Just a new systray icon for Process Guard. That things going onto every removable media I have.
I know I still don't really know how it got in and what process it was using to launch itself initially, and that bothers me; but I do not have any symtoms and will have to live with the thought that I got pwned.

Sony owns Everquest

[halivar]

Coincidence, or conspiracy? Hrmm...

Hmmmm, are you scratching your beard?

[Neil+Blender]

You anti-DRM, pro-cheating and stealing hippies must be really conflicted on this one.

Re:Hmmmm, are you scratching your beard?

[WeeLad]

Not nessecarily. Right and wrong hasen't changed any.

...but now two wrongs can make a right. I think someone said it's like multiplying negative numbers or something. If you do it right, you'll get a positive.

-(Sony Rootkit) X -(The Warden) = -(Cheating) ... hmmm, I think I must've messed up the math.

Let's bash Sony

[LordSnooty]

OK, so I understand that Sony did a bad thing with the rootkit. But I don't immediately understand the link to Blizzard. Surely there are other "rootkits" around (think Hacker Defender) which can hide files? Why has this suddenly become a problem with the release of the Sony rootkit? Is it a case of "yes, this is definitely bad... now quick, find some way of demonstrating how bad it is!"

Do other cheat protection systems use similar methods to look for files? If so, why are they not affected? Why am I only hearing about Warcraft?

Re:Let's bash Sony

[xSquaredAdmin]

I just dug up the description of what it actually does. Turns out it also does a brief memory scan of the processes in memory to look for hacks as well. So even if they do that, as soon as Blizzard gets their hands on it, they could just add it's signature to the definition.

I recently performed a rather long reversing session on a piece of software written by Blizzard Entertainment, yes - the ones who made Warcraft, and World of Warcraft (which has 4.5 million+ players now, apparently). This software is known as the 'warden client' - its written like shellcode in that it's position independant. It is downloaded on the fly from Blizzard's servers, and it runs about every 15 seconds. It is one of the most interesting pieces of spyware to date, because it is designed only to verify compliance with a EULA/TOS. Here is what it does, about every 15 seconds, to about 4.5 million people (500,000 of which are logged on at any given time):

The warden dumps all the DLL's using a ToolHelp API call. It reads information from every DLL loaded in the 'world of warcraft' executable process space. No big deal.

The warden then uses the GetWindowTextA function to read the window text in the titlebar of every window. These are windows that are not in the WoW process, but any program running on your computer. Now a Big Deal.

I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time.

Once these strings are obtained, they are passed through a hashing function and compared against a list of 'banning hashes' - if you match something in their list, I suspect you will get banned. For example, if you have a window titled 'WoW!Inmate' - regardless of what that window really does, it could result in a ban. If you can't believe it, make a dummy window that does nothing at all and name it this, then start WoW. It certainly will result in warden reporting you as a cheater. I really believe that reading these window titles violates privacy, considering window titles contain alot of personal data. But, we already know Blizzard Entertainment is fierce from a legal perspective. Look at what they have done to people who tried to make BNetD, freecraft, or third party WoW servers.

Next, warden opens every process running on your computer. When each program is opened, warden then calls ReadProcessMemory and reads a series of addresses - usually in the 0x0040xxxx or 0x0041xxxx range - this is the range that most executable programs on windows will place their code. Warden reads about 10-20 bytes for each test, and again hashes this and compares against a list of banning hashes. These tests are clearly designed to detect known 3rd party programs, such as wowglider and friends. Every process is read from in this way. I watched warden open my email program, and even my PGP key manager. Again, I feel this is a fairly severe violation of privacy, but what can you do? It would be very easy to devise a test where the warden clearly reads confidential or personal information without regard.

This behavior places the warden client squarely in the category of spyware. What is interesting about this is that it might be the first use of spyware to verify compliance with a EULA. I cannot imagine that such practices will be legal in the future, but right now in terms of law, this is the wild wild west. You can't blame Blizz for trying, as well as any other company, but this practice will have to stop if we have any hope of privacy. Agree w/ botting or game cheaters or not, this is a much larger issue called 'privacy' and Blizz has no right to be opening my excel or PGP programs, for whatever reason.

Re:Let's bash Sony

[bleckywelcky]

This is newsworthy because someone can legitimately use the Sony CD and have the rootkit installed, and then play WoW. So blizzard can't just look for signs of the rootkit and ban that account - people will be pissed for a non-legit ban. At the same time, people can do the same thing AND initiate a cheat on WoW and claim to be pissed for the same "non-legit" ban.

I pray for the day

[sammy+baby]

I now live in hope for the day that a bunch of the corporations pushing for invasive DRM like Blizzard's Warden and Sony's whatever-it's-called sue each other under the DMCA for circumventing each others technologies, instead of suing us for trying to crawl out from under them.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:YRO?

[Experiment+626]

Are we suddenly interested in the rights of game cheaters? Whose rights are being impacted here?

The "rights" issue is with peoples' right to listen to music they've bought without the CD compromising their system and infecting it with rootkits. This article is signifigant more as a new development in that story, than as a "a victory for the rights of online cheaters everywhere!" thing.

To underscore the point, consider that yesterday on GlobeAndMail.com, we have:

The company dismissed the prospect of hackers exploiting its rootkits for their own purposes as an "academic" concern.

I guess it isn't so academic anymore.

Only slightly OT

[Nom+du+Keyboard]

It should be only slightly OT to ask:

1: Why are people celebrating victory because Sony announced they will remove the cloak, they're still leaving all the rest of the crap on your system - including the memory and cpu wasting scan that runs continually, even when you're not playing their DRM infested CD's.

2: Now that the cloak is removed, what was that registry key that keeps track of how many CD's you've burned under their DRM system?

3: Don't you think you're celebrating a bit early since Warden 2.0 should be able to use the same tricks as RootKitRevealer to diagnose your system? And how long will this take to appear?

4: If you detecting and removing this software from your computer violates the DMCA, then the DMCA is so cleary wrong that it should be repealed this afternoon.

5: Profit! Or in other words, who is profiting from this now? I don't see Sony going broke yet.

Next fun hack?

[Chordonblue]

Try and get Sony's DRM to interfere with DVD protection. RIAA Vs. MPAA... FIGHT!

Two Great Tastes!

[blueZhift]

This reminds me of the old Reeses commercials...

Sony: Hey! Your spyware's in my rootkit!

Blizzard: Your rootkit's in my spyware!

User (taking a bite): Mmmm, now that's good computing! So liberating...

Announcer Don Pardo: Two great tastes that go together.

This is silly

[Locke2005]

Much as I detest the Sony DRM, this is not a valid criticism of it. Anybody wanting to implement cheats will just use the same method as the Sony DRM directly to hide the cheats, not rely on the Sony DRM having been installed first! This is a flaw in Warden that is independent of the fact that the Sony DRM is a bad thing. It also points out the flaw in the anti-cheat arms race -- since you don't own your customer's machines, any anti-cheating technology you deploy can be quickly circumvented by determined individuals.