World of Warcraft's Brand New Rootkit

Captain Kirk writes "We all know that World of Warcraft has checked for hacks to ensure a safe game environment for all players. The latest version of these checks goes beyond anything seen so far in that what is being checked is now completely encrypted. Obviously this hits bot writers as can be seen from these complaints, But it also strikes at the privacy of all users. Now Blizzard has a tool that is encrypted and can run any type of scan, transfer any file or edit any document on your computer. That can't be right."

Re:Unbelivable

[daeg]

I canceled when they started adding things to their detection kit. When I saw it reading registry keys (regmon) it had NO business reading, I canceled. Did it need to read the activation keys for Windows? Absolutely not.

Re:Recommendation for online gaming

[ByOhTek]

wow works great in Wine.

use a very restricted account when running it in wine. Problem solved.

Re:Recommendation for online gaming

[ByOhTek]

Technically you don't need /any/ windows machines (WINE).

Of course, if you go that route, you only need one machine...

Re:What is worse?

[Cheesey]

Steam games have "Valve Anti-Cheat" (VAC), which is similar in principle to the Blizzard Warden. Other games use Punkbuster, which uses the same strategy to detect cheats. All of these programs scan your machine's memory and look for the signatures of known cheats. The mechanism used to carry out the scanning and report the results is deliberately obfuscated to make it difficult to reverse engineer the process and send fake results. All three of these programs are spyware. But you agree to the use of each within the EULA of whatever game you are playing.

Warden has always had the ability to be updated with arbitrary code as you play. The observations of this article are nothing new: Blizzard has always been able to access files on your computer, just by sending the appropriate program to Warden. It seems that they have recently been sending more complex programs, generated for each client, so the current generation of programs that spy on Warden no longer work. The arms race continues.

Re:How is this a root kit?

[ajs]

Does the thing hide itself? No.

Can't you just uninstall WoW? Sure.

Ya, you don't know what it is doing Actually you know pretty well what it's been doing because with minor refinements, it's been doing just about the same thing for 3 years.

I think this is just the cheaters getting their panties in a twist. Ding!

Especially because it means the end to a real source of income for those who harvest gold Gold harvesting is easy. What's hard is maintaining your account for more than a week once you start trying to sell it online. This is why the pro gold farmers/sellers are all using level 1 accounts. At level 1 gold farming is a bit more difficult, so they have to abuse the game in order to profit. This program detects that kind of abuse, and THAT is why they're upset.

You thought wrong.

[apankrat]

What you described is a backdoor.
Rootkit is an OS-level subversion program.
http://en.wikipedia.org/wiki/Rootkit

Re:Privacy?

[king-manic]

You've already given up your life when you start playing WoW. What do you have to keep private? No one must know iloveBoobs69 the smoking hot Night elf huntress is actually King-manic!

Re:This is a non-issue, as it stands

[ajs]

Smart people don't just throw caution to the wind and say "well, they already have avenues of attack, so I just won't prevent new ones from springing up". Ah... no.

No one is saying that. What we're saying is that Warden (what a horrible choice for a name) is that, in response to one specific "what if" question about some third party with access to your machine making Warden do something naughty, "if they have access to your machine, then the fact that they can modify Warden to do something naughty is moot... they can modify ANY program on your system to do something naughty."

Your straw man needs to go see the Wizard....

Re:This is a non-issue, as it stands

[VGPowerlord]

Since you mention a fear of such things, I would like to remind you that WoW itself runs with high privileges and receives commands from the Internet.

Unless WoW has some privilege escalator that I don't know about, I run World of Warcraft fine as a Limited User. The only thing I had to change was the permissions on the WTF directory so that addons could save information.

...and no, that's not a "what the f'?"

Re:Unbelivable

HKLM/Software/Microsoft/Windows/CurrentVersion/Run you mean? That's like looking in /etc/init.d Not serious, and to be expected by lots of software.

Reading your windows serial key is a no-no. The only reason I can guess they'd do it is as a unique identifier for computers to stop people just re-registering if they get banned for running a bot. I'm not sure Microsoft would be too happy about them doing that though.

Hooking keypresses wouldn't be done in the registry, it needs to be done during initialisation of the keylogger, there are API calls for it.

Re:Recommendation for online gaming

Wii's tools are actually reasonable compared to the prior consoles, and the 360's believe it or not are even better.

Wii is around $5k last I heard.
360 is around $100/yr if you want to put it on your box, otherwise it's free to write all the code and test on windows before you actually fork over the money to get it on the box.

I imagine the ps3 is somewhat reasonable too.