[Infowarrior] - WoW: 4.5 million copies of EULA-compliant spyware

Richard Forno rforno at infowarrior.org
Sun Jan 25 23:01:17 UTC 2009


4.5 million copies of EULA-compliant spyware
Oct 06 2005, 05:07 (UTC+0)
hoglund writes:

http://www.rootkit.com/blog.php?newsid=358

I recently performed a rather long reversing session on a piece of  
software written by Blizzard Entertainment, yes - the ones who made  
Warcraft, and World of Warcraft (which has 4.5 million+ players now,  
apparently). This software is known as the 'warden client' - it's  
written like shellcode in that it's position independent. It is  
downloaded on the fly from Blizzard's servers, and it runs about every  
15 seconds. It is one of the most interesting pieces of spyware to  
date, because it is designed only to verify compliance with a  
EULA/TOS. Here is what it does, about every 15 seconds, to about 4.5  
million people (500,000 of which are logged on at any given time):

The warden dumps all the DLLs using a ToolHelp API call. It reads  
information from every DLL loaded in the 'world of warcraft'  
executable process space. No big deal.

The warden then uses the GetWindowTextA function to read the window  
text in the titlebar of every window. These are windows that are not  
in the WoW process, but any program running on your computer. Now a  
Big Deal.

I watched the warden sniff down the email addresses of people I was  
communicating with on MSN, the URL of several websites that I had open  
at the time, and the names of all my running programs, including those  
that were minimized or in the toolbar. These strings can easily  
contain social security numbers or credit card numbers, for example,  
if I have Microsoft Excel or Quickbooks open w/ my personal finances  
at the time.

Once these strings are obtained, they are passed through a hashing  
function and compared against a list of 'banning hashes' - if you  
match something in their list, I suspect you will get banned. For  
example, if you have a window titled 'WoW!Inmate' - regardless of what  
that window really does, it could result in a ban. If you can't  
believe it, make a dummy window that does nothing at all and name it  
this, then start WoW. It certainly will result in warden reporting you  
as a cheater. I really believe that reading these window titles  
violates privacy, considering window titles contain a lot of personal  
data. But, we already know Blizzard Entertainment is fierce from a  
legal perspective. Look at what they have done to people who tried to  
make BNetD, freecraft, or third party WoW servers.

Next, warden opens every process running on your computer. When each  
program is opened, warden then calls ReadProcessMemory and reads a  
series of addresses - usually in the 0x0040xxxx or 0x0041xxxx range -  
this is the range that most executable programs on Windows will place  
their code. Warden reads about 10-20 bytes for each test, and again  
hashes this and compares against a list of banning hashes. These tests  
are clearly designed to detect known 3rd party programs, such as  
wowglider and friends. Every process is read from in this way. I  
watched warden open my email program, and even my PGP key manager.  
Again, I feel this is a fairly severe violation of privacy, but what  
can you do? It would be very easy to devise a test where the warden  
clearly reads confidential or personal information without regard.

This behavior places the warden client squarely in the category of  
spyware. What is interesting about this is that it might be the first  
use of spyware to verify compliance with a EULA. I cannot imagine that  
such practices will be legal in the future, but right now in terms of  
law, this is the wild wild west. You can't blame Blizz for trying, as  
well as any other company, but this practice will have to stop if we  
have any hope of privacy. Agree w/ botting or game cheaters or not,  
this is a much larger issue called 'privacy' and Blizz has no right to  
be opening my excel or PGP programs, for whatever reason.

-Greg
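
The title-hash check described in the post above, modelled as an added example that is not part of the original post and is not Warden's code. It assumes SHA-1 as a stand-in hash (the post does not name the function), exact-match comparison, and a constructed ban list and set of window titles; it shows that a match depends on the title alone and that every title is read in plaintext before it is hashed.

```python
import hashlib
import re

# Assumption: the post does not name the hash function; SHA-1 stands in for it.
def title_hash(title: str) -> str:
    return hashlib.sha1(title.encode("utf-8")).hexdigest()

# Constructed ban list holding only hashes, as the post describes.
BAN_HASHES = {title_hash("WoW!Inmate")}

# Patterns for personal data that commonly ends up in a title bar.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def scan_titles(titles):
    """Return (flagged, exposed): titles whose hash is on the ban list, and
    a map of every title containing personal data to the kinds found."""
    flagged, exposed = [], {}
    for title in titles:
        # The scanner holds the plaintext title at this point; hashing
        # happens afterwards and does not limit what was read.
        if title_hash(title) in BAN_HASHES:
            flagged.append(title)
        kinds = sorted(k for k, rx in PII_PATTERNS.items() if rx.search(title))
        if kinds:
            exposed[title] = kinds
    return flagged, exposed

# Constructed sample of titles from unrelated programs on one desktop.
SAMPLE_TITLES = [
    "World of Warcraft",
    "WoW!Inmate",  # dummy window that does nothing, named as in the post
    "alice@example.com - Conversation",
    "http://bank.example/accounts - Browser",
    "taxes-2005 123-45-6789.xls - Spreadsheet",
]

if __name__ == "__main__":
    flagged, exposed = scan_titles(SAMPLE_TITLES)
    print("flagged by title hash:", flagged)
    for title, kinds in exposed.items():
        print("personal data read:", kinds, "in", repr(title))
```
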



