The new book “Exploiting Online Games” by Greg Hoglund and Gary McGraw explains how cheaters are winning at online role-playing games such as World of Warcraft where millions of players compete in the virtual world to win battles or treasure that is sometimes later sold to avid game players for real money.

Click to see: Book cover

McGraw, CTO at software security company Cigital, discussed the book with Network World Senior Editor Ellen Messmer, explaining how cheaters can use specialized “bots” that manipulate online gaming activity to their advantage.

Why this topic?

Greg outed the fact that World of Warcraft was using spyware to spy on gamers; a program we wrote watches this spyware. We’re not publishing a guide to how to attack online games. But there’s a ton of code out there for that. We focused on World of Warcraft — it’s usually called WOW — because it represents 53% of the market and is used by millions. Some games provide scripting languages that let you write simple scripts, like casting a spell. There are scripting engines released by hobbyists. But in most games, it’s cheating. In chapter two, we describe some of these tools available from the Internet. Blizzard Entertainment [which operates World of Warcraft] found out about them and disallowed them in their end-user licensing agreement [EULA]. They’ll try to catch you with the ‘Warden’ spyware they installed. We wrote a program called ‘Governor’ watching it watching you.

So maybe WOW will catch this cheating but maybe not?

You’d want an undetectable bot system, and we have an undetectable bot system in Chapters 6 and 7 where we describe techniques for building a bot that attaches to a game program the way a de-bugger attaches. There’s another technique we briefly describe in “Advanced Bot Topics” starting on page 228. This has been tested. Greg is a subscriber to WOW. He’s had many characters banned.

Does WOW know this book is out?

We had to get permission from WOW to use the screen dumps. They’re not angrily calling us up.

So tell us a little about how WOW works technically.

It’s an Internet-based client/server model. You get the World of Warcraft program to run on a PC. It displays a graphical-user interface that talks to the Blizzard server constantly. It might be the world’s largest distributed system. The problem from the technical perspective is the program and the universe of the game have the property of state. If you want to give information about the World, you can’t update clients with all that information. You give them pieces of that information. World of Warcraft keeps track of where your character is by giving you 3-D coordinates. If you figure out where those coordinates are stored, you can teleport it, something that’s easy to do. The technique is called ping-ponging. You can use it to gain advantage in a fight. Are you supposed to do it? No. it’s a problem of the state.

Whitepapers

• Gene Kim's Practical Steps to Mitigate Virtualization Security Risks
• Selecting Effective Virtual Directories
• A Modern Approach to On-Demand Email and Data Security
• Best Practices for HP Servers and HP Enterprise Virtual Array in a Microsoft Exchange
• Compliance, Protection, Recovery: A Layered Approach to Laptop Security
• Endpoint Security: Data Protection for IT, Freedom for Laptop Users

View more SECURITY whitepapers

Webcasts

• Key Considerations for a Successful 802.11n Deployment
• Solutions to the Toughest IT Challenges in Remote Offices
• Lowering the Cost of Email Archives
• High Availability for SQL Server 2005 Using Array-Based Replication and Host-Based Mirroring Technologies
• Technical Overview of Exchange Server 2007 with HP Servers and Storage
• Bringing Order and Security to your Mobile Workforce: Corporate Mobility Policy and Device Management On-Demand

View more SECURITY webcasts

Special Reports

• The Evolution of Network Security
• Taking Virtualization Up a Notch
• Learn how to Keep your Mobile Workforce Connected
• The self-managed network

View more SECURITY special reports