Hacking World of Warcraft: An Exercise in Advanced Rootkit Design presented at BlackhatUSA 2006

by Greg Hoglund

Summary: Online games are very popular and represent some of the most complex multi-user applications in the world. World of Warcraft takes center stage with over 5 million players worldwide. In these persistent worlds, your property (think gold and magic swords) is virtual; it exists only as a record in a database. Yet, over $600 million real dollars were spent in 2005 buying and selling these virtual items. Entire warehouses in China are full of sweatshop workers who make a few dollars a month to "farm" virtual gold. In other words, these "virtual" worlds are real economies with outputs greater than some small countries. Being run by software, these worlds are huge targets for cheating. The game play is easily automated through "botting", and many games have bugs that enable items and gold to be duplicated, among other things. The game publishing companies are responding to the cheating threat with bot-detection technologies and large teams of lawyers. Cheaters are striking back by adding rootkits to their botting programs. The war is on. Hoglund discusses how the gaming environment has pushed the envelope for rootkit development and invasive program manipulation. He discusses World of Warcraft in particular, and an anti-cheating technology known as the "Warden".
In 2005, Hoglund blew the whistle publicly on the Warden client and began developing anti-Warden technology. He discusses a botting program known as WoWSharp, including some unreleased rootkit development that was used to make it invisible to the Warden. Hoglund discusses some advanced techniques that involve memory cloaking, hyperspacing threads, shadow branching, and kernel-to-user code injection. Both offensive and defensive techniques are discussed. Software developers working on games would be well advised to attend this talk, and people working with malware in general will find the material valuable.