Slashdot Mirror

← Back to Stories (view on slashdot.org)

The State of Security in MMORPGs

Posted by ryuzaki0 on from the i'm-in-your-machine-pwnzing-yer-gldz dept.

Anonymous writes "Security researchers Greg Hoglund and Gary McGraw poked around in World of Warcraft and other online games, finding vulnerabilities and exploiting the system using online bots and rootkit-like techniques to evade detection. Their adventures in online game security became fodder for the book, Exploiting Online Games. McGraw discussed with securityfocus the state of security in modern video games, cheating and anti-cheating systems, how the market for cheats, exploits, and digital objects is growing, what we could learn from the design of these huge systems, and how game developers react to submissions of security vulnerabilities."

6 of 288 comments (clear)

  1. Re:My personal feelings.. by Pojut · · Score: 4, Interesting

    This is one of the primary reasons why I like Guild Wars so much. I was a WoW junkie for about a year and a half straight (played in the closed and open betas, bought the game on release day). Switched over to Guild Wars.

    See, with WoW, since I was paying for it, I felt obligated to play it over other games...as a result, I missed out on a LOT of games when they came out. With Guild Wars, however, since there is no monthly fee, I'll log in for a couple hours here, a couple hours there...maybe a grand total of 5-7 hours a week out of my 25-30 hours a week spent playing video games. Since I'm not paying a monthly fee, I feel less like I HAVE to play it and more like I WANT to play it...WoW is a better game IMO, but I like not having that "second-job" feeling.

    --
    Living With a Nerd
  2. Re:rootkit-like? by RichMan · · Score: 5, Interesting

    Blizzard has a cheat monitor process calls the Warden which scans the active process list for known cheat programs. Hiding from a process scanner is "rootkit-like". It is indeed a war zone out there. I wonder if these guys ever play core-wars.

    http://en.wikipedia.org/wiki/Warden_(software)

    --
    Warden (also known as Warden Client) is an anti-cheating tool integrated in Blizzard Entertainment games such as Diablo II, StarCraft (since patch 1.15), and most notably World of Warcraft. While the game is running, Warden uses API function calls to collect data on open programs on the user's computer and sends it back to Blizzard servers as hash values to be compared to those of known cheating programs.[1] Privacy advocates consider the program to be spyware.[2]
    --

  3. Re:rootkit-like? by Anonymous Coward · · Score: 4, Interesting

    No, it means literally what it says. Rootkit-like techniques to evade detection; specifically, process stealthing.

    Because, for example, Blizzard's polymorphic anti-cheat "Warden" tries to scan process lists, the memory space of other processes, window titles - and, if they want, your filesystem - and because it can be updated at any time, if you want to spend any serious time looking at the game in that way, one of the very first things you're going to need is a good stealth driver to pull the wool over its eyes.

    It shouldn't be that difficult, you'd think. Both Inner Space and Glider, for example, have modules to do just that, and they're running a kernel mode driver which Warden doesn't have the advantage of, but even so, the stealth is woefully incomplete which is one reason people get massbanned.

    Of course the other reason is that bots tend to look rather obvious to any other player, and get reported. The challenge there is to build a better bot, (but since there's chat involved in the game, you'd better get ready for a Turing test; since that isn't an option, discretion is the better part of valour).

  4. Re:My personal feelings.. by qortra · · Score: 4, Interesting

    I think you're absolutely right about this. I always dreamed of an MMO that was more focus on player-skill/ingenuity than on the amount of time invested in the particular player. Such a game should passively improve the real-human player by giving him more experience with the gaming system, rather than improving the virtual character by giving him arbitrary levels/gear/money. Such a game would be naturally resistive to exploits and cheats. I would apply the following test to an MMO to see if it meets this qualification;

    Take a player who has played the game for a while, is skilled at the game, and is very successful at completing game objectives. Now, have that player start a new game with a brand new character. He should be able to be somewhat competitive with that new character - not nearly as strong without his old level or gear, but still competitive.

    Of course, there are plenty of caveats. First, I have had difficulty in imagining an RP system that would have such a large emphasis on creativity and intelligence. Second, it is unlikely that many people would actually have interest in such a game. Unfortunately, I think that most people actually like the grind; and even if they don't have the intellect to keep up in a real game, they can gain satisfaction from countless hours hording gear and currency.

  5. Interview with Sony Online Entertainment CEO by eepok · · Score: 4, Interesting

    Massively just did an interview with John Smedley and touched upon the issue of farmers/plat sellers and how they are using social hacking to bring in profits and hurt the company.

    Part 1: http://www.massively.com/2008/01/14/a-ces-interview-with-soe-ceo-john-smedley-pt-1/
    Part 2: http://www.massively.com/2008/01/14/a-ces-interview-with-soe-ceo-john-smedley-pt-2/

    SOE owns and operates Everquest, Everquest 2, Star Wars Galaxies, and other MMOs.

    I think the issue of farming is higher on the radar now than it ever has been. The behinds the scenes things are really frustration. A lot of these farmers are essentially stealing from us. What they do is they charge us back all the time. They use a credit card -sometimes stolen, sometimes not - to buy an account key. They use the account for a month, and then they call the credit card company and charge it back. We have suffered nearly a million dollars just in fines over the past six months; it's getting extremely expensive for us. What's happening is that when they do this all the time, the credit card companies come back to us and say "You have a higher than normal chargeback rate, therefore we'll charge you fines on top of that."

  6. Cheating in online games by mabu · · Score: 5, Interesting

    I was a GM in Everquest for several years. I could chime in on my experience, which mostly related to scouting out in-game cheating. We were trained to look for signs of more elaborate types of cheats and report them higher up in the chain.

    In most of these games, the main thing wasn't really "cheating" as much as it was "exploiting" flaws of characteristics of the game's design. On some maps it was possible to "fall through the world" and people could effectively position themselves so they could attack monsters but the monsters could not attack them. This was also accomplished by using creative means to get on top of structures in the game geometry that the designers had never intended to be accessible. There were places for example, where we'd often find PCs on roofs in hostile towns attacking high-level NPCs and due to the pathing, were able to not be counter-attacked. There was a constant cat-and-mouse game trying to find out how they were pulling these things off. It was more interesting than annoying usually. I was always impressed by some of the creative ways people would try to give themselves an advantage.

    Midway into EQ's popularity a number of software programs started to appear. These really blew the lid off the game's integrity. I forget the name of this one utility, but it was a utility that managed to decrypt the game stream, and due to the way the game was designed, when you entered a zone, this program could identify the coordinates of and nature of every NPC and PC in a certain range. SOE's game design, which often sent more info to the client than the client needed to make available to the user, created a situation where once someone decrypted the data, they had access to what was going on. Suddenly rare NPCs were being killed within minutes of appearing, and when a GM appeared in a zone to investigate, the perps knew instantly we were there and would logoff. Again, a cat-and-mouse game erupted where the developers started routinely changing the game's encryption and eventually they curtailed much of this behavior and made it too difficult to use the software. But at its heyday, the cheats were quite impressed. You'd have your main game client, and then you'd have a second computer sniffing the traffic, decoding it and displaying a real-time map of all PCs and NPCs in the zone. Very high-tech. Also very difficult to catch. Since the cheat program wasn't even on the same PC, programs like WoW's "Warden" wouldn't help. The only way you could identify someone cheating was to watch their in-game behavior. When you'd see PCs make a beeline for a rare NPC within seconds of it spawning, you knew something was up.

    Last but not least, in these games, the servers log just about everything. If they want to catch a cheater, the behavior is quite easy to spot. I think the biggest issue with security in MMORPGS isn't being able to catch people cheating, it's trying to figure out how to keep the proper balance between game integrity and profitability. Probably 90% of people playing MMORPGs have broke rules and most of this behavior is on file. The companies cannot afford to take too hard a stance unless the transgressions are creating big problems.