The new book "Exploiting Online Games" by Greg Hoglund and Gary McGraw explains how cheaters are winning at online role-playing games such as World of Warcraft where millions of players compete in the virtual world to win battles or treasure that is sometimes later sold to avid game players for real money.
McGraw, CTO at software security company Cigital, discussed the book with Ellen Messmer, explaining how cheaters can use specialized "bots" that manipulate online gaming activity to their advantage.
Why this topic?
Greg outed the fact that World of Warcraft was using spyware to spy on gamers; a program we wrote watches this spyware. We're not publishing a guide to how to attack online games. But there's a ton of code out there for that. We focused on World of Warcraft -- it's usually called WOW -- because it represents 53 percent of the market and is used by millions. Some games provide scripting languages that let you write simple scripts, like casting a spell. There are scripting engines released by hobbyists. But in most games, it's cheating. In chapter two, we describe some of these tools available from the Internet. Blizzard Entertainment [which operates World of Warcraft] found out about them and disallowed them in their end-user licensing agreement [EULA]. They'll try to catch you with the 'Warden' spyware they installed. We wrote a program called 'Governor' watching it watching you.
So maybe WOW will catch this cheating but maybe not?
You'd want an undetectable bot system, and we have an undetectable bot system in Chapters 6 and 7 where we describe techniques for building a bot that attaches to a game program the way a de-bugger attaches. There's another technique we briefly describe in "Advanced Bot Topics" starting on page 228. This has been tested. Greg is a subscriber to WOW. He's had many characters banned.
Does WOW know this book is out?
We had to get permission from WOW to use the screen dumps. They're not angrily calling us up.
So tell us a little about how WOW works technically.
It's an Internet-based client/server model. You get the World of Warcraft program to run on a PC. It displays a graphical-user interface that talks to the Blizzard server constantly. It might be the world's largest distributed system. The problem from the technical perspective is the program and the universe of the game have the property of state. If you want to give information about the World, you can't update clients with all that information. You give them pieces of that information. World of Warcraft keeps track of where your character is by giving you 3-D coordinates. If you figure out where those coordinates are stored, you can teleport it, something that's easy to do. The technique is called ping-ponging. You can use it to gain advantage in a fight. Are you supposed to do it? No. it's a problem of the state.