How cheaters are winning at online games like World of Warcraft

Author exposes gamers’ dirty little secrets.

New book by security expert exposes cheating in online games like World of Warcraft.

The new book “Exploiting Online Games” by Greg Hoglund and Gary McGraw explains how cheaters are winning at online role-playing games such as World of Warcraft where millions of players compete in the virtual world to win battles or treasure that is sometimes later sold to avid game players for real money.

Book cover

McGraw, CTO at software security company Cigital, discussed the book with Network World Senior Editor Ellen Messmer, explaining how cheaters can use specialized “bots” that manipulate online gaming activity to their advantage.

Why this topic?

Greg outed the fact that World of Warcraft was using spyware to spy on gamers; a program we wrote watches this spyware. We’re not publishing a guide to how to attack online games. But there’s a ton of code out there for that. We focused on World of Warcraft — it’s usually called WOW — because it represents 53% of the market and is used by millions. Some games provide scripting languages that let you write simple scripts, like casting a spell. There are scripting engines released by hobbyists. But in most games, it’s cheating. In chapter two, we describe some of these tools available from the Internet. Blizzard Entertainment [which operates World of Warcraft] found out about them and disallowed them in their end-user licensing agreement [EULA]. They’ll try to catch you with the ‘Warden’ spyware they installed. We wrote a program called ‘Governor’ watching it watching you.

So maybe WOW will catch this cheating but maybe not?

You’d want an undetectable bot system, and we have an undetectable bot system in Chapters 6 and 7 where we describe techniques for building a bot that attaches to a game program the way a de-bugger attaches. There’s another technique we briefly describe in “Advanced Bot Topics” starting on page 228. This has been tested. Greg is a subscriber to WOW. He’s had many characters banned.

Does WOW know this book is out?

We had to get permission from WOW to use the screen dumps. They’re not angrily calling us up.

So tell us a little about how WOW works technically.

It’s an Internet-based client/server model. You get the World of Warcraft program to run on a PC. It displays a graphical-user interface that talks to the Blizzard server constantly. It might be the world’s largest distributed system. The problem from the technical perspective is the program and the universe of the game have the property of state. If you want to give information about the World, you can’t update clients with all that information. You give them pieces of that information. World of Warcraft keeps track of where your character is by giving you 3-D coordinates. If you figure out where those coordinates are stored, you can teleport it, something that’s easy to do. The technique is called ping-ponging. You can use it to gain advantage in a fight. Are you supposed to do it? No. it’s a problem of the state.

Wouldn’t the ‘Warden’ be watching?

The ‘Warden’ isn’t watching that carefully. It’s more interested in who you’re talking to, instant messaging or whether you’re using some of the well-known tools, like Thottbot. It’s not watching the game process itself.

So how much cheating do you think takes place?

I estimated 10% to 20% of gamers are cheating. Also, in China there are sweatshops, where you pay someone $3 per day to play the game for you.

You point out in the book that there are middleman companies that will broker virtual items that one gamer is willing to buy from another gamer willing to sell them.

There’s a real economic incentive to cheat. If you can collect 15 bazillion gold pieces from a certain character, you can re-sell this in the middle market, and get real money. You can sell your character to concerns like IGE and get real dollars for your stuff. So you cheat as a way to duplicate items. This is a virtual world deeply connected to the real economy.

What advice would you give the operator of WOW?

The main advice involves better software security practice in the client in order to make it much harder to cheat. One example would be to imagine a way to keep track of not just every piece of state but compute some vector on top of state. Compare the state you sent before. If you character teleported, you should catch it.

Are there lessons for others?

I’m a software security guy, I write about software exploits and it dawned on me the kind of exploits we see in online games are indications of the kind of problems we’ll see once Web 2.0 and [service-oriented architecture] fully catch on.

I see from your biography you have kids. Do you let them play online games?

My kids are 12 and 10 and their Internet usage is severely restricted. The iMac my 12-year-old son drives is in the kitchen because we do it together. We play the Rise of Nations game, but it’s not an Internet game. I’ll be happy to let them use the Internet under pretty close supervision. I don’t believe in censorship at all but I do believe in good parenting.

Learn more about this topic

When speed rules: More ISPs catering to online gamers


Does your company have a clue about Web 2.0


Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2007 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)