Virtual Gold and Bot Threats
For the past couple of weeks, i have been away visiting Family in a country far far away, with an excellent internet connection and boring midnight hours, when I decided to play some games to help myself go to sleep. now, since this was quite an interest for me, I started looking in different sources for game stability, hacking and most important Bot crafting for this game and others, and so it began …
The game I chose to play is Diablo 3 ( I carry a flash drive with my favorites installed, everywhere ) and went into it. now … for those of you who dont know, games that involve getting items and collecting and improving characters online, usually also involve getting virtual gold. so you can then buy, repair, improve etc… but thats just game mechanics.
Virtual Gold becomes Real Money
Many of today’s games today, either if its betting games, or online multiplayer games (and maybe your favorite facebook games), enable users to purchase virtual gold for real money. and there is usually an agreed exchange rate.
This means that Virtual Gold gets an actual Dollar value and users can trade and sell/buy.
In come the Bots
By now, we all heard of people in the far east that play constantly just to harvest virtual gold, and then selling it for real money to the western i-wanna-improve-immidiatly gamers. and this took quite a lot of time, for what I would call medium level gain.
Now, from old times, even when I was a kid, we used to be able to write Bots that would play the game for us, or bend it in a way that we make more of that virtual gold faster and faster and making the game easy for us. When I looked into whats going on with people bending my latest favorite game, I came to realize how far have this industry gone…
Advanced and slightly more skilled Bot makers today, use easy to script tools such as AutoIt, in order to create bots that will actually walk the game, play it out, collect items and sell them later on, maximizing on virtual gold harvesting. this means that you can set a machine to harvest for virtual gold for 24/7 and then sell it !
Well, there are several security problems here. lets outline them
- External Scripting is not manipulating the Game
- Bot Nets
External Scripting is not manipulating the Game, Evades detection
Lets start with #1. in the old days, when Bots where written, they used to manipulate the in-game memory in order to change or reveal values. this meant that it was fairly easy for the game makers to create software to detect manipulation ( i believe that Blizzard, the maker of Diablo 3 – currently has the best manipulation detection software – warden, developed in-house ).
The way that AutoIt works, is just sending commands that can be based on nothing but pixel detection etc, and sending commands back to the game as if it is a set of keyboard and mouse. for example : Move mouse to (x,y) , Click mouse , Press “1″, wait for (500) ms.
The problem this introduces is the potential inability for standard gaming software to detect such scripts by automation tools from running. and making those bots more common, and by that not just breaking the game for everyone ( unfair advantage ), but actually scamming the game for profit, which I believe is, or should be considered a crime.
This can be mitigated fairly easy. but then creates a problem to the gaming vendors, and the reason for it is that they then cross the line between a gaming product and a moderated security product that enforces rules, like a host IPS or AV, that can then say “if you run this tool in the background, the game wont start”.
I actually would encourage that approach for any game that involves Real Money interaction. it becomes quite popular to introduce Fraud Prevention to online systems such as Bank Accounting systems, and Online Brokering. I see no reason why Gaming should be any different, either if its Browser/Thin-Client based, or if its a desktop installed advanced game.
There is a joke that mildly translates from Hebrew which says “the open-window, calls the thief” which i believe has a solid case here. Since if a platform introduces money exchange, hackers and organized hackers will find their way to exploit the system to gain profit. and are most likely to hurt both the game vendor and the players that pay to play and pay to improve their gear ( some games have millions of users that are considered addicts that will spend quite a lot of money to advance in a game ).
While Bots such as I mentioned are fairly simple, imagine the following scenario : Bot Net.
Imagine a shoe making factory, with many low paid workers making shoes for the man, which sells for profit… now imagine the Security world where an organized hacking organization can build a farm of computers, all running the game with a bot on it, farming for virtual gold on the games, and sending to a main computer that then sells it.
Imagine even worst… a Virus Bot that infests your own computer, and is then controlled by a C&C Bot Net that does just the same, leveraging your own computer , and your own account for profit.
Traditional Bot Net vs the Gaming Bot Net Potential
Many think that Bot Nets are meant for espionage, stealing credentials, looking into emails and maybe stealing credit card information. But what is the difference ? there is none!
Think of the goal : I want to make money off a bot-net. Which to me means, that the fact that you are farming via a game that allows it, or stealing credit card/transacting money is the same.
At the end, Awareness will be key here. Gaming vendors, HIPS/AV and Fraud Prevention vendors should look into it, making sure that they create content in time when these rise.