Holy Spyware Blizzard!

[Lord Ser Brightblade]

Devising a method to check for EULA violations is one thing but this goes above and beyond that and in the wrrong hands could spell disaster for people. Imagine someone creating something which hijacks information being read by this little client known as warden. I had been thinking about getting WoW. This article helped me decide its just not worth it especially since this client was probably installed unknowingly and without knowledge of just how far reaching its "browsing" features go by the majority of WoW players.

4.5 million copies of EULA-compliant spyware

Oct 05 2005, 23:07 (UTC+0)

hoglund writes:

I recently performed a rather long reversing session on a piece of software written by Blizzard Entertainment, yes - the ones who made Warcraft, and World of Warcraft (which has 4.5 million+ players now, apparently). This software is known as the 'warden client' - its written like shellcode in that it's position independant. It is downloaded on the fly from Blizzard's servers, and it runs about every 15 seconds. It is one of the most interesting pieces of spyware to date, because it is designed only to verify compliance with a EULA/TOS. Here is what it does, about every 15 seconds, to about 4.5 million people (500,000 of which are logged on at any given time):

The warden dumps all the DLL's using a ToolHelp API call. It reads information from every DLL loaded in the 'world of warcraft' executable process space. No big deal.

The warden then uses the GetWindowTextA function to read the window text in the titlebar of every window. These are windows that are not in the WoW process, but any program running on your computer. Now a Big Deal.

I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time.

Once these strings are obtained, they are passed through a hashing function and compared against a list of 'banning hashes' - if you match something in their list, I suspect you will get banned. For example, if you have a window titled 'WoW!Inmate' - regardless of what that window really does, it could result in a ban. If you can't believe it, make a dummy window that does nothing at all and name it this, then start WoW. It certainly will result in warden reporting you as a cheater. I really believe that reading these window titles violates privacy, considering window titles contain alot of personal data. But, we already know Blizzard Entertainment is fierce from a legal perspective. Look at what they have done to people who tried to make BNetD, freecraft, or third party WoW servers.

Next, warden opens every process running on your computer. When each program is opened, warden then calls ReadProcessMemory and reads a series of addresses - usually in the 0x0040xxxx or 0x0041xxxx range - this is the range that most executable programs on windows will place their code. Warden reads about 10-20 bytes for each test, and again hashes this and compares against a list of banning hashes. These tests are clearly designed to detect known 3rd party programs, such as wowglider and friends. Every process is read from in this way. I watched warden open my email program, and even my PGP key manager. Again, I feel this is a fairly severe violation of privacy, but what can you do? It would be very easy to devise a test where the warden clearly reads confidential or personal information without regard.

This behavior places the warden client squarely in the category of spyware. What is interesting about this is that it might be the first use of spyware to verify compliance with a EULA. I cannot imagine that such practices will be legal in the future, but right now in terms of law, this is the wild wild west. You can't blame Blizz for trying, as well as any other company, but this practice will have to stop if we have any hope of privacy. Agree w/ botting or game cheaters or not, this is a much larger issue called 'privacy' and Blizz has no right to be opening my excel or PGP programs, for whatever reason.

[Rusty]

That is very messed up but from a legal standpoint I'm sure they covered their butts somehow like writing it into one of the disclaimers that im sure most of us just accept and dont read but knowing this would definantly make me think twice about ever playing WoW.

[Lord Ser Brightblade]

That is very messed up but from a legal standpoint I'm sure they covered their butts somehow like writing it into one of the disclaimers that im sure most of us just accept and dont read but knowing this would definantly make me think twice about ever playing WoW.

<{POST_SNAPBACK}>

It's still legal to duel someone in the Boston Commons as long as you extend an invitation to the goveror does that make it right?

[Rusty]

No not at all I agree it is not right i was just stating that because they are the bigger power they have the lawyers that can make it ok and make it so that the little guy doesnt have a say about it.

[Guest Guest]

Well, intersting....

Where is this article from? Who wrote it and why? If this is so, why isnt there a huge uproar in the 4.5 million+ person community? I personally am holding judgment untill i know more.

[Volonazra]

Dat waz me.

[Balandar]

Does it send everything, or only what it thinks might be a hack/cheat.

[Sei Teirson]

From what I am reading it sends all information that it reads to check the 'compliance' of the program (or file) in use. This means that all the information is sent to there servers to be cross referenced with there list of 'banable' code that they might pick up. If this was client based it would be too easily bypassed, from the only logical prospective all the information devoured by this 'warden' ould ahve to be sent to their servers. I agree with you Ser, this completely destroys all faith with blizzard. I just cant believe that people that know about this are still playing. /shrug up to them I guess.

-----------------------------------------------------------------------------

p.s. I edit too much, I need to read a dictionary or Bal needs to put spell check in this thing lol

That being said, if you would like the code, I work at Careerbuilder.com and could probly get a hold of it farely easy

Edited October 19, 2005 by Sei Teirson

[Lord Ser Brightblade]

Does it send everything, or only what it thinks might be a hack/cheat.

<{POST_SNAPBACK}>

From what I read Sei seems to have summed it up pretty well. They may not use all the info they get but the ability to see all you are doing on your PC is very much there. How they can legally do this I dunno but for once I am glad I am not playing a game!

[Volonazra]

I think thi shas led to some unwarrented bannings. We had one person in Skullcrushers banned for running third person apps, when he wasnt. Many other such accounts of this too. I see the need to prevent hacking the game. But, not sure how I feel about this level of "detection" even though I dont run anything (except teamspeak) due to system load anyhow.

[Sei Teirson]

Just cant believe they are actually getting away with this, but if you click on that little "Accept" button you only screwed yourself lol.

[Balandar]

If you behave, then I guess you don't need to worry about it. The only thing they probably see me running is Norton antivirus, xfire, Norton firewall, Microsoft anti spyware, winamp, bluetooth software, fraps, sound blaster controls, ummm, coolios... that's about it.

I use my old computer for everything else. New one is only for work and games.