4.5 Million Copies of EULA-Compliant Spyware
#1
--> Clicky!

Quote:4.5 million copies of EULA-compliant spyware
Oct 05 2005, 23:07 (UTC+0)

hoglund writes:

I recently performed a rather long reversing session on a piece of software written by Blizzard Entertainment, yes - the ones who made Warcraft, and World of Warcraft (which has 4.5 million+ players now, apparently). This software is known as the 'warden client' - its written like shellcode in that it's position independant. It is downloaded on the fly from Blizzard's servers, and it runs about every 15 seconds. It is one of the most interesting pieces of spyware to date, because it is designed only to verify compliance with a EULA/TOS. Here is what it does, about every 15 seconds, to about 4.5 million people (500,000 of which are logged on at any given time):

The warden dumps all the DLL's using a ToolHelp API call. It reads information from every DLL loaded in the 'world of warcraft' executable process space. No big deal.

The warden then uses the GetWindowTextA function to read the window text in the titlebar of every window. These are windows that are not in the WoW process, but any program running on your computer. Now a Big Deal.

I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time.

Once these strings are obtained, they are passed through a hashing function and compared against a list of 'banning hashes' - if you match something in their list, I suspect you will get banned. For example, if you have a window titled 'WoW!Inmate' - regardless of what that window really does, it could result in a ban. If you can't believe it, make a dummy window that does nothing at all and name it this, then start WoW. It certainly will result in warden reporting you as a cheater. I really believe that reading these window titles violates privacy, considering window titles contain alot of personal data. But, we already know Blizzard Entertainment is fierce from a legal perspective. Look at what they have done to people who tried to make BNetD, freecraft, or third party WoW servers.

Next, warden opens every process running on your computer. When each program is opened, warden then calls ReadProcessMemory and reads a series of addresses - usually in the 0x0040xxxx or 0x0041xxxx range - this is the range that most executable programs on windows will place their code. Warden reads about 10-20 bytes for each test, and again hashes this and compares against a list of banning hashes. These tests are clearly designed to detect known 3rd party programs, such as wowglider and friends. Every process is read from in this way. I watched warden open my email program, and even my PGP key manager. Again, I feel this is a fairly severe violation of privacy, but what can you do? It would be very easy to devise a test where the warden clearly reads confidential or personal information without regard.

This behavior places the warden client squarely in the category of spyware. What is interesting about this is that it might be the first use of spyware to verify compliance with a EULA. I cannot imagine that such practices will be legal in the future, but right now in terms of law, this is the wild wild west. You can't blame Blizz for trying, as well as any other company, but this practice will have to stop if we have any hope of privacy. Agree w/ botting or game cheaters or not, this is a much larger issue called 'privacy' and Blizz has no right to be opening my excel or PGP programs, for whatever reason.

-Greg
"Man only plays when in the full meaning of the word he is a man, and he is only completely a man when he plays." -- Friedrich von Schiller
Reply
#2
nobbie,Oct 12 2005, 07:48 AM Wrote:--> Clicky!
[right][snapback]91782[/snapback][/right]
Under US law (unfortunately) not only is this behavior legal, but since it can be considered a security feature it's use is protected and the information published in this blog is actually actionable.

Under DMCA, Blizz can actually sue this guy for telling people about their spyware.
Reply
#3
savaughn,Oct 12 2005, 03:33 PM Wrote:Under US law (unfortunately) not only is this behavior legal, but since it can be considered a security feature it's use is protected and the information published in this blog is actually actionable.

Under DMCA, Blizz can actually sue this guy for telling people about their spyware.
[right][snapback]91784[/snapback][/right]
That's why I've provided a quote of the blog text ;)
"Man only plays when in the full meaning of the word he is a man, and he is only completely a man when he plays." -- Friedrich von Schiller
Reply
#4
1) This started back with 1.6 or longer ago. Blizzard even already responded to it.

2) You notice a key component missing in his whole thread? Info transmitted back to Blizzard. "Warden" knows just as much about you as Windows does, likewise Blizzard is receiving as little of that info as Microsoft does.

3) Went digging deeper, and he originally posted this to a wow hacker forum. His blog post doesn't detail his entire research. Namely, the point of this research was why were people still banned when they installed a "blocker" for Warden. The first conclusion was that there may be different versions of Warden at any time, and it can also be updated at any time, causing their blocker to fail. The second conclusion was that their future open source cheats will nearly prevent the Warden from detection since self-compiled versions will come out differently. That is, of course, if you know how to compile software yourself and don't share it with anyone else.

Oh, yeah:
Quote:WHEN RUNNING, THE WORLD OF WARCRAFT CLIENT MAY MONITOR YOUR COMPUTER'S RANDOM ACCESS MEMORY (RAM) AND/OR CPU PROCESSES FOR UNAUTHORIZED THIRD PARTY PROGRAMS RUNNING CONCURRENTLY WITH WORLD OF WARCRAFT. AN "UNAUTHORIZED THIRD PARTY PROGRAM" AS USED HEREIN SHALL BE DEFINED AS ANY THIRD PARTY SOFTWARE, INCLUDING WITHOUT LIMITATION ANY "ADDON" OR "MOD," THAT IN BLIZZARD ENTERTAINMENT'S SOLE DETERMINATION: (i) ENABLES OR FACILITATES CHEATING OF ANY TYPE; (ii) ALLOWS USERS TO MODIFY OR HACK THE WORLD OF WARCRAFT INTERFACE, ENVIRONMENT, AND/OR EXPERIENCE IN ANY WAY NOT EXPRESSLY AUTHORIZED BY BLIZZARD ENTERTAINMENT; OR (iii) INTERCEPTS, "MINES," OR OTHERWISE COLLECTS INFORMATION FROM OR THROUGH WORLD OF WARCRAFT. IN THE EVENT THAT WORLD OF WARCRAFT DETECTS AN UNAUTHORIZED THIRD PARTY PROGRAM, BLIZZARD MAY (a) COMMUNICATE INFORMATION BACK TO BLIZZARD ENTERTAINMENT, INCLUDING WITHOUT LIMITATION YOUR ACCOUNT NAME, DETAILS ABOUT THE UNAUTHORIZED THIRD PARTY PROGRAM DETECTED, AND THE TIME AND DATE THE UNAUTHORIZED THIRD PARTY PROGRAM WAS DETECTED; AND/OR (B) EXERCISE ANY OR ALL OF ITS RIGHTS UNDER SECTION 6 OF THIS AGREEMENT, WITH OR WITHOUT PRIOR NOTICE TO THE USER.

So this is Blizzard following up on what you agreed to when you started playing.
Trade yourself in for the perfect one. No one needs to know that you feel you've been ruined!
Reply
#5
Besides, who runs Quickbooks when precious memory is needed to run WOW. :D Don't want snooping when WOW is running, then close your apps and sensitive browser windows. Typically, when I run WOW, only Teamspeak and a Browser window to Thottbot, or the Lounge are open.
”There are more things in heaven and earth, Horatio, Than are dreamt of in your philosophy." - Hamlet (1.5.167-8), Hamlet to Horatio.

[Image: yVR5oE.png][Image: VKQ0KLG.png]

Reply
#6
kandrathe,Oct 12 2005, 10:58 AM Wrote:Besides, who runs Quickbooks when precious memory is needed to run WOW.  :D  Don't want snooping when WOW is running, then close your apps and sensitive browser windows.  Typically, when I run WOW, only Teamspeak and a Browser window to Thottbot, or the Lounge are open.
[right][snapback]91801[/snapback][/right]
See, that's so weird. I always like to have an open browser window to my bank account, my PayPal account open, my IRS tax info up, and a document open that uses my WoW password as the filename.

I thought everybody did that...?
Reply
#7
Maybe I'm naive... but I don't care.

I really don't care if Blizzard knows who I'm talking to on MSN, AIM, or ICQ. I don't care if they know where I'm shopping, or which web site I'm looking at while I'm making a long hippogryph flight.

Privacy and freedom are at one end of a sliding scale, with security at the other end. In a game where so many internet jerks are going to try and cheat any way they can, I'll gladly let the slider go more towards security.

Just means I can't do any work on where to stash the bodies while I"m playing WoW. *shrugs*
See you in Town,
-Z
Reply
#8
Zarathustra,Oct 14 2005, 10:10 AM Wrote:Privacy and freedom are at one end of a sliding scale, with security at the other end.  In a game where so many internet jerks are going to try and cheat any way they can, I'll gladly let the slider go more towards security.
[right][snapback]92102[/snapback][/right]


Somewhat true, I mean we're already trusting them with our credit card info and address, right?
Conc / Concillian -- Vintage player of many games. Deadly leader of the All Pally Team (or was it Death leader?)
Terenas WoW player... while we waited for Diablo III.
And it came... and it went... and I played Hearthstone longer than Diablo III.
Reply
#9
Concillian,Oct 14 2005, 11:19 AM Wrote:Somewhat true, I mean we're already trusting them with our credit card info and address, right?

I gave them a fake address. I don't want them to know where I hid the bodies.
Reply
#10
MongoJerry,Oct 14 2005, 04:40 PM Wrote:I gave them a fake address.  I don't want them to know where I hid the bodies.
[right][snapback]92145[/snapback][/right]

I use an enzyme composite. I just flush the remaining fluid down the toilet. No body-hiding hassle that way.
ArrayPaladins were not meant to sit in the back of the raid staring at health bars all day, spamming heals and listening to eight different classes whine about buffs.[/quote]
The original Heavy Metal Cow™. USDA inspected, FDA approved.
Reply
#11
Well, Blizzard/Vivendi have just won this year's "Big Brother Award":

http://www.heise.de/newsticker/meldung/65374
(Article requires German language knowledge)

Congratulations! ;)
"Man only plays when in the full meaning of the word he is a man, and he is only completely a man when he plays." -- Friedrich von Schiller
Reply
#12
MongoJerry,Oct 14 2005, 08:40 PM Wrote:I don't want them to know where I hid the bodies.
[right][snapback]92145[/snapback][/right]
I do, I'm looking for a good spot to dump a few troublesome corpses.

Edit: Ya rly, I do post odd things when I know my 'net usage is being monitored :P

Edit2: Amusingly, as soon as I posted that edit, the lady in charge of this entire operation called the IT guy into the server office <_<
When in mortal danger,
When beset by doubt,
Run in little circles,
Wave your arms and shout.

BattleTag: Schrau#2386
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)