
Guild Wars 2 distributed spyware in order to detect cheaters - flowergrass
https://www.reddit.com/r/Guildwars2/comments/8c2j0y/a_technical_analysis_of_the_spyware_arena_used/
======
zamalek
_> They will then deobfuscate two strings that they use together with
LoadLibrary and GetProcAddress to obtain the address of the
QueryFullProcessImageName function from the Windows kernel32.dll library. You
can already kind of see where this is going._

The wordiness and begging the question are highly suspect. Any [Windows]
developer who reads this should know how to enumerate processes, find their
binaries and hash them (without having to "deobfuscate" and other scary words
for non-technicals).

No working set information is included in the hash (not that it would be much
use) and so the leakage of information here is extremely low. The author then
complains about the hashes being sent over an "insecure protocol" but,
suddenly, all information regarding which protocol is missing - that would
have been genuinely useful to know (unlike the prior wordiness).

 _> It most certainly will be problematic once the GDPR gets into effect and
Arena will definitely get a data request from me so I obtain a list of all
data they have about me and my account._

The disclosed information cannot be used to identify you as a natural person.

This just sounds like someone who got caught and is trying to avoid
responsibility.
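A minimal model of the check zamalek sketches above, added here as an example (it is not code from the thread or from ArenaNet's client): the client half maps running processes to the SHA-256 of their executable image and ships only the digests, and the server half resolves those digests against a reference table. The reference table and the sample files are constructed for the example, and the process walk uses Linux /proc as a stand-in for the Windows QueryFullProcessImageName call the thread mentions.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Iterator, List, Tuple


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed so a large binary is not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def running_images() -> Iterator[Tuple[int, str]]:
    """Yield (pid, executable path) for every process this user may inspect.
    Linux /proc stand-in for the Windows walk the thread describes; pids we
    cannot read (other users' processes, exited ones) are skipped silently."""
    if not os.path.isdir("/proc"):
        return
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                yield int(entry), os.readlink(f"/proc/{entry}/exe")
            except OSError:
                continue


def build_report(images: Iterable[Tuple[int, str]]) -> List[str]:
    """Client side: one digest per distinct image. Pids and paths are dropped,
    so the wire format carries nothing but hashes, as the thread describes."""
    seen: Dict[str, str] = {}
    for _pid, path in images:
        if path not in seen:
            try:
                seen[path] = hash_file(path)
            except OSError:
                continue  # image deleted or unreadable: nothing to report
    return sorted(set(seen.values()))


def match_report(report: Iterable[str], reference: Dict[str, str]) -> List[str]:
    """Server side: a digest is opaque only to a receiver without a reference
    copy. Whoever holds the original binaries resolves each hash back to the
    exact program, which is what makes a hash list usable as a blocklist and,
    equally, what bounds how anonymous such a report really is."""
    return sorted({reference[d] for d in report if d in reference})


def demo() -> List[str]:
    """Constructed scenario: two fake executables, only one on the blocklist."""
    with tempfile.TemporaryDirectory() as tmp:
        flagged = os.path.join(tmp, "trainer.exe")  # constructed, stands in for a listed tool
        benign = os.path.join(tmp, "editor.exe")  # constructed, not listed
        with open(flagged, "wb") as fh:
            fh.write(b"MZ fake trainer binary")
        with open(benign, "wb") as fh:
            fh.write(b"MZ fake editor binary")
        reference = {hash_file(flagged): "trainer.exe"}
        # pid 103 runs the same image as 101: the report still carries one digest
        report = build_report([(101, flagged), (102, benign), (103, flagged)])
        return match_report(report, reference)
```

Run build_report(running_images()) on a Linux box to see what such a client would actually collect about your own session; anything the reference table lacks stays an unreadable digest, anything it holds is identified exactly.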

~~~
18pfsmt
I'm not a gamer at all, so this would normally escape my view, and I don't
know if what you say is true and I can't evaluate yet.

But, to me, it sounds like you are saying this potential bad actor is
intending to use the GDPR to determine the 'secret sauce' used to detect bad
actors?

In other words, "Be transparent in your evaluation methods!" with the subtext
of, "then I can subvert them."

~~~
zamalek
That's one thing I hadn't considered. Pretty clever, almost like an oracle
attack.

What I'm saying is much simpler. Cheaters are a very interesting crowd. In
first person shooter games it's absolutely possible to dominate cheaters
(because cheats only help with raw mechanical skill, not strategy or tactics)
and the cheaters will often be the first to complain about cheaters when you
kill them. Despite their unfair advantage, they lash out when things don't go
their way - which seems to be happening here: they truly believe that they are
above reprimand and that Anet must be punished for reprimanding them. The
threat of GDPR is being used for this. In the broad category of shifting
blame, it's very _very_ consistent behavior and would probably make for a
fascinating study.

There is always a chance that the author is being honest (having cheated in
other games, but never GW2) but it's slim. I have my doubts as to whether GDPR
would cover this (as it cannot be used to identify a natural person), but
IANAL.

~~~
x0x0
So, the GDPR actually says two things:

- personal data is any data about a person which could, _in combination with
other data that you may not have_, identify a person. That's much broader
than your definition. In this case, I think the claim would be that if you
knew all programs installed by a person, you could figure out who that person
is. It's still probably a stretch. It's good that they prevented themselves
from knowing what the program is, because that could sweep up health data. i.e.
imagine they knew you were running a blood sugar tracking program, they could
infer you had diabetes. Health data is in a heightened protection class under
the GDPR.

- The game would still have to service data requests, i.e. give me all your
data about me.

------
r1ch
This kind of behaviour is very standard in the anti cheating world. Some go
much further like inspecting the Windows DNS cache for evidence of cheat
servers. Calling this spyware is rather misleading.

Cloud based antivirus services are even worse in this regard.

~~~
serf
>Calling this spyware is rather misleading.

No, it's clearly spyware. They are enumerating lists of software loaded on
client computers without explicit permission other than what's granted broadly
in their ToS/EULA, and without speaking of the feature.

The component got removed right after their use of it -- indicating either
sneakiness or internal qualms about the use of such methods -- and if one
believes the guilty, it affected legitimate users, too.

>Some go much further like inspecting the Windows DNS cache...

Why is looking at DNS caches 'going further' than enumerating all software
into hashes for remote analysis? DNS might have more embarrassing shit to
expose on a personal level, but generally a glimpse into installed software is
much more _exclusive/rare/uncommon_. DNS gets discussed between your
machine and a million others down the line; it hasn't been considered very
private for some time now.

------
madrox
Bruce Schneier has also written on this with Blizzard:
https://www.schneier.com/blog/archives/2005/10/blizzard_entert.html

It's not a new topic, and not one with great answers. On the one hand, any PC
gamer knows cheaters ruin multiplayer games, and developers need to
participate in the cheat/anti-cheat arms race to ensure the integrity of
competitive play. On the other, it's the definition of spyware.

Unfortunately, the state of the art answer is "if you don't like it, you don't
have to play the game." It will be interesting to see how this plays into the
inevitable changes to law that will happen.

------
neuronflux
This is similar to what competitive Counter Strike has become. Even though
Valve has been talking about some interesting anti-cheat methods [1], third
party matchmaking services rely on such client software to try to combat
cheaters [2].

[1] https://www.pcgamer.com/vacnet-csgo/

[2] https://www.faceit.com/en/anti-cheat

~~~
dvlsg
Might be worth noting that one of those third party matchmaking services
(ESEA) deployed a bitcoin miner along with their client not that long ago.
Caused a huge uproar.

~~~
greenknight
IIRC it was in early 2013, so 5 years ago? CS:GO was only released 6 or so
months beforehand.

People still bring it up, but no way would they pull that move again.

~~~
dvlsg
True. Hard to believe that was already 5 years ago, but I think you're right.
I was pretty furious at the time. I also seem to remember that ESEA got hit
with _super_ heavy fines for way more than they ended up earning in bitcoin.
Probably a fairly strong deterrent.

------
preinheimer
As our operating systems become more and more security conscious, I'd expect
the ability to iterate other processes on the machine to go away.

When I've installed ethereal/wireshark I've needed to face down big warnings,
and properly so. A promiscuous packet sniffer is something to be wary of.

With few exceptions[1] there seems to be no good reason for any application on
my machine to see what else is running.

[1] - Good candidates include Anti-virus for those who run it, and those tools
that help you keep your applications up to date.

~~~
bartread
Don't forget sysinternals, and the like for other platforms. Also debugging,
profiling and monitoring tools. Granted this is a very developer/admin
focussed perspective, but they're still valid use cases.

------
alehul
The response from Arenanet [1] is noteworthy, as they specifically gave a list
of programs that they banned for. If they weren't spying on the programs users
have running, I'd expect them to ban on less specific factors than exactly
this list of five programs.

[1] https://en-forum.guildwars2.com/discussion/comment/476255/#Comment_476255

~~~
stordoff
It's an interesting response because it shows that not only were they tracking
program usage over a period of time ("significant number of hours during a
multi-week period earlier this year"), but _also_ shows that they quite
possibly could have banned people who _weren't_ cheating ("We targeted
programs that allow players to cheat and gain unfair gameplay advantages, even
if those programs have other, more benign uses."). I use Cheat Engine all the
time to mess around in single player games, and quite often leave it running
in the background or forget to close it -- that in no way means I'm cheating
at other types of games. Further, it's just a memory editor -- unless GW2 is
trusting the client where it shouldn't, would it even work on an MMO?

~~~
Evansbee
> would it even work on an MMO?

CheatEngine is a great first step in developing any bot, for any game.

GW2 doesn't have to trust the client for CE to be useful, it's just that the
usefulness is different than what you're using it for currently. The goal of
CE in developing an MMO bot is to figure out where in memory things like
player location, party members, linked list of all nearby objects, etc, are.
This allows the user to write the bot in a way that's pulling information
directly from memory. CE is a great way to back into this data (coupled with a
debugger/disassembler, of course).

~~~
krispbyte
What's fun is that GW2 even gives you an API you can use to get information
like player location. Used it a few years ago to automatically switch maps in
my map event timer:

https://wiki.guildwars2.com/wiki/API:MumbleLink

------
Raphmedia
That's a shame.

I liked how GW2 was free forever after the initial purchase. I would come back
every now and then to check out the new content.

Sadly, I don't keep any spyware on my computer. No exception. Even if I love
the game, that's an instant uninstall for me.

~~~
jamesgeck0
For consistency, you should uninstall Steam VAC and Battle.net games. I'm
pretty sure Fortnite and League of Legends also do something similar.

~~~
Raphmedia
Steam is a game library manager. It manages all 300+ games that I have
purchased. I expect it to be scanning my entire computer.

They even told me so when I installed it:
https://support.steampowered.com/kb_article.php?ref=7849-RADZ-6869

This is not spyware, this is a platform I chose out of trust.

Guild Wars 2's spyware is exactly that, spyware. I never agreed to it, or if
I did it was out of some legal black pattern.

~~~
nickspacek
While I understand this sentiment, I think saying that you expect it to be
scanning your entire computer is a bit of hyperbole. You expect it to be
scanning your temporary internet files? Or DNS cache? Or your personal
documents and pictures? I would expect those to be off-limits to a game
library manager.

If you are saying that Steam was very upfront with its anti-cheat measures and
that you agreed to it then so be it.

~~~
Raphmedia
Steam provides a platform for a lot of developers and allows them to leverage
the VAC. Its existence is improving our privacy. Instead of having each
individual game try and scan our computers, they can call the VAC and request
the status of users.[1] When a game has a third party anti-cheat system,
you can often choose to opt-out on install/launch and it simply cuts off
online features.

This is one of the multiple reasons I don't mind Steam's scans. They are doing
it on the behalf of thousands of games.

When people are worried about their privacy due to the VAC, they are quick to
respond. Even better, they don't simply throw a legal team at the community
but take the time to address fears and trust issues. [2]

I am not saying that Valve is perfect. They might mess up in the future. But
so far, they have yet to _breach my trust_.

[1] https://partner.steamgames.com/doc/features/anticheat/vac_integration

[2] https://www.reddit.com/r/gaming/comments/1y70ej/valve_vac_and_trust/

------
ggggtez
So, guy who admits to cheating, gets banned for cheating. I don't think it's
particularly interesting that he claims he only cheated in other games, and
never Gw2.

~~~
sgift
I have a really hard time equating botting with cheating. I don't do it
myself, but in my opinion if your game can be botted you botched your game
design. Also, MMO cheating implies for me some damage to other players which I
don't see either with botting.

Anyway: Whether he botted or not is not the point of the thread. Even if
everyone they caught would have cheated (according to their and your
definition) that's still a pretty significant privacy intrusion from ArenaNet.

~~~
pvg
_MMO cheating implies for me some damage to other players which I don't see
either with botting._

The more you participate, the more stuff you get (for various values of
'stuff') is the central design conceit of just about all MMOs. Breaking it is
one of the most drastic and damaging ways to cheat.

~~~
freehunter
Agreed. And GW2, like other MMOs, has a trading post where players can sell to
other players. If you're cheating, you can crash the in-game economy which
certainly does have an impact on other players.

------
hungerstrike
Hasn’t anybody invented a cheating method that uses a separate computer which
looks at the target computer screen through a camera and provides mouse and
keyboard input through USB?

Something like this could probably be built with a Raspberry Pi and some image
pattern-matching software. If you just wanted to record some statistics in
order to give an edge in certain games, you could probably build a phone app
to watch you play.

~~~
Strom
Sure, systems like this have been used for at least 15 years by online poker bots.
Poker software has some of the strongest anti-cheat systems in the world. The
arms race didn't stop there, I know PokerStars moved on to behavior modeling
about a decade ago. Now with machine learning being mainstream, mainstream
games are starting to do behavior modeling as well. [1][2]

However most games either don't have any anticheats at all, or have very
limited ones. Specifically you can run most games under a normal user and run
the cheat under an administrator user. Let Windows help hide it.

--

[1] Valve has used deep learning for CSGO: https://www.pcgamer.com/vacnet-csgo/

[2] Third parties have done work for Dota 2, with hints of official Valve
variants coming as well:
https://www.reddit.com/r/DotA2/comments/8816oh/12_of_all_matches_are_played_with_cheats_check/

------
j-c-hewitt
Isn't this exactly like Blizzard's Warden? Things like this are sort of
necessary to police a large scale game because of how damaging cheating can be
to the integrity of the game. You give informed consent by continuing to play.

~~~
dylz
[NB: this leads into it because GW2/Arenanet is a subsidiary of NCSOFT, a
Korean company; NCSOFT uses all this stuff on all their games too]

Virtually every single multiplayer/MMO-like game does this. All of Asia does
it - every country there, for instance, and a lot more invasively and
insecurely.

Hackshield and XIGNCODE outright read through your process memory for content
and keyword searches, not just hash matching - I've been issued bans for
browsing security forums because of a freetext process title match in Firefox.

Gameguard, hackshield, xigncode (all 3 are Korean) send data insecurely,
unsigned, over plaintext HTTP including PII across the public internet, run
boot-mode driver rootkits, and are leaps and bounds worse than anything like
Warden. They are also insecure and provide holes for actual malware to hide in
with their awful client side rootkit process/file-hiding hooks.

League of Legends, for instance, runs outside of Asia perfectly fine, with a
reasonable anticheat that detects its own processes being screwed with, not
very invasive, not insane.

In League of Legends Korea, a Korean company basically installs one of these
invasive rootkits - and even requires browser plugins to log in.[0] The
founder of that company previously ran for president in Korea, and they have
virtually a monopoly on this crap. Some of it is required by local law.

[0] http://static.leagueoflegends.co.kr/common/js/aosmgr_common.js
- note the plaintext http everything too

~~~
SimbaOnSteroids
Riot KR is really bad. Idk if it's a KR thing or if it's isolated to Riot, but
being in that community for the better part of 6 years now, the horror stories
of the shenanigans that Riot KR pulls are notorious. Recently they banned a
popular western streamer for criticizing them.

~~~
dylz
KR is... KR. The people are nice, but the aggregate culture and laws are
interesting.

They are equally bad in other companies, other games. For some reason they are
horrifically toxic even when publishing a completely Western made game.

Of course, it's incredibly difficult to impossible to "run a game" from
outside the country, their structure effectively forces you to open a
subsidiary or separate company inside the country and give up control / be
subject to those laws.

------
digi_owl
Hmm, I recall reading something similar about Steam's VAC.

Simply having Cheat Engine running is enough for VAC To flag you and lock you
out of any multiplayer via Steam.

Used to play GW2 quite actively until they released their first expansion, as
I got kinda tired of their "episode" cadence and that future "episodes" would
require the expansion.

------
juskrey
Having worked in a similar industry ~10 years ago, with all of the debug
tools installed in the system, even then I had a separate Windows
bootable system for gaming, since nearly all of the protected games were
interfering with debugging tools in different ways.

So it's pretty strange the author is surprised by that.

------
aecorredor
This game and arenanet have always been pretty shady either way. I noticed
that when a couple of years ago I bought power leveling and got a maxed level
character in less than 6 hours. I wouldn’t be surprised that this is done by
people from arenanet. So, the news about them using spyware to ban bots is
kind of expected I guess? So people keep buying powerleveling.

~~~
freehunter
I've been playing Guild Wars since 2005 and can tell you, there is nothing
shady about the game or ArenaNet. And the idea that they are powerleveling
characters and selling them to you is ridiculous. This is a competitive game.
They care if you're cheating, they don't care what level your character is.
Hell in the original GW you could make a character at the max level without
that character hitting the story at all. In GW2 you can buy a max-level
character right from the game.

What they care about is if you're cheating to get max-tier weapons/armor and
if you're cheating in the PvP tournaments.

------
fatal1ty420
There are two issues here.

- First, the spyware angle. The software actively spied on the user and sent
back everything. No other anti-cheat does this and no company ever betrayed
users like this. (Except for ESEA who implemented a bitcoin miner in their
client at some point. And yes, people including me remember.)

- The fact that people got banned for not even cheating! This is the
ridiculous part. First, ArenaNet or Guild Wars 2 has NO RIGHTS to ban users
for cheating in any other title. Valve has no right to ban me, because I
install a mod for GTA V. Blizzard cannot ban me, because I use a trainer for
FFXV.

Second. Other companies like Evenbalance makes sure there is a valid
signature, and they even do screenshots, etc. It's not just a blind ban
"because I think so".

I hope, some at least, see the pattern/point here. Third. I, for example, had
MMOMinion's framework installed, and of course, I may have launched it by
mistake, I cannot remember. It was pinned in my start menu but I have not used
it in a year or so. I did NOT have the bots installed for either GW2 or FFXIV,
so the program by itself had zero capability to even attach a cheat.

So basically, I had zero cheats installed, but had a software that COULD BE
used for cheats. This is beyond ridiculous. It's like banning everyone for
using Windows, because Windows is capable of running cheats. This is just
utter nonsense, there are no words to describe such level of stupidity.

- To top this all off, Anet still did not post anything, still have not
accepted that they just pulled a huge blunder. Their "chief of security" (some
weaboo with "excellent skills" as he has just demonstrated) should have been
apologizing ever since the spyware was found. But no, to hell with that. Their
only response is "you accepted the eula."

tl;dr: The bans are false positives. Lots of them. It's a messed up ban, it
should not have stayed active, it should have been reverted a long time ago
until they come up with a better solution.

------
Jazgot
It's very hard to call this spyware.

~~~
larkeith
It's transmitting a trivially-decoded schedule of what processes you have
running when, without your consent - in what universe is this _not_ spyware?

~~~
Groxx
(sarcastic, but not completely) when you paid for it.

