back to article +5 ROOTKIT OF VENGEANCE defeats forces of gaming good

Security boffins Joel St. John and Nicolas Guigo have developed a rootkit-like gaming cheat system they say bests anti-cheating mechanisms. The iSec Partners hackers say the anti-cheating platforms in use by the world's most popular games cannot stop cheating and actually increase the attack surface open to hackers. In a …

  1. Charles 9 Silver badge

    I'm surprised they haven't taken a look at hardware-based cheating. At that point, the gaming companies may be forced to raise the white flag. After all, what man can make, man can subvert if determined enough.

    1. Pascal Monett Silver badge
      WTF?

      What a lot of effort for what is supposed to just be amusement.

      1. Charles 9 Silver badge

        Did you note the part of the article about "sponsored events" and "professional gamers"? In both, money is involved (the former due to the sponsorships and the latter because professionals, by definition, are doing it for a living).

        1. Oninoshiko

          I think you missed the point. We jumped the shark when it became a profession rather then a pastime, just like sports.

  2. GregC

    Re: "Fully streamed"

    They say games may need to be "fully streamed"

    They can, frankly, fuck right off.

    I don't really care either way about people cheating at games (and, at least for single player games, don't understand why anyone thinks it's a big deal), but I've said it before - the day that I can't just play a game, on my own, without needing to be always online is the day I stop buying new games.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Fully streamed"

      Indeed they can, it's bad enough games needing to sign into some online service let alone the whole sodding thing coming from one, and given most ISPs inability provide any kind of decent connectivity out in the sticks I couldn't agree more.

      On the more technical side, where are their examples of vulnerable systems? I haven't read their PDF but did a quick search for Valve Anti-Cheat, no mention of it. I doubt very much properly written games like Valve's Source games (CSS/HL/Team Fortress/L4D etc.) are affected by this where the game processing is done on the server and the client effectively does the rendering.

      I'm with you though, I've been burnt enough with games that require some online component only for it to be shut down making the game useless.

      1. GarethWright.com

        Re: "Fully streamed"

        CSS/HL/Team Fortress/L4D are all easily hookable and hackable.

        Valves Anti-Cheat is one of the most easily bypassed.

    2. This post has been deleted by its author

      1. Danny 14

        Re: "Fully streamed"

        Or just have admins who ban the cheaters.

        1. Triggerfish

          Re: "Fully streamed"

          One of the reasons I always liked Counterstrike you could find a server run with decent admins or run one yourself, actually made online gaming nice.

      2. Dr. Mouse Silver badge

        Re: "Fully streamed"

        Eventually gaming will become a matter of who has the best equipment, and the best AI, with little or no human interaction. The skill will be in developing the best AIs yourself. Just like real war.

        I don't see this happening. Humans like to pit their skills against each other, and this will not change. People will still try to "cheat" with AIs etc, but the majority of people who play games do so because they enjoy it.

        I do believe there will be a class of gamer who develops and uses their own AI, but this will be a minority. The class of people who enjoy doing this is a minority, and I don't think that will change. It is just like in life in general. The majority will just get on and do stuff. It is the minority who search for and develop new, more efficient ways of doing things.

        On the subject of developing your own AI, I have never viewed this as cheating. There is a vast amount of skill in it. In my view, the ones who are cheating are the ones who just download and install software. However, I know this is a minority view, just like it is a minority view that card counting is just playing Blackjack well.

  3. jake Silver badge

    "kernel driver providing a rootkit-like functionality to hide activity"

    There's your first problem ...

    "of its user-mode process"

    There's your second problem.

    Bottom line? It ain't gonna work. More layers of abstraction at the user level always means more vulnerability overall. IMNECTHO.

    "The pair popped"

    There is that "popped" meme again. I work system security. Never heard it in the real world. Allow an aging, jaded sysadmin to ask a real question: Where did this meme originate? And why? From time immemorial, the actual term is "cracked". Or do kids these days think they have invented something new?

    1. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Re: "kernel driver providing a rootkit-like functionality to hide activity"

        To be more techie - it could be a reference to popping the top value off an array - re perl - It's a stretch I know but the image I tend to have in my head when I see it.

        http://perldoc.perl.org/functions/pop.html

        1. auburnman
          Trollface

          Re: "kernel driver providing a rootkit-like functionality to hide activity"

          You 'crack' something that is strong and well built, like concrete. You 'pop' something that was soft and not really up to withstanding deliberate abuse anyway, like bubblewrap or anti-cheat software

        2. Peter Gathercole Silver badge

          Re: "kernel driver providing a rootkit-like functionality to hide activity"

          I'm seriously losing faith in the people that work in computing.

          Who in their right mind will take a concept like 'push/pop', which have traditionally been used to work on a stack or a fifo or other buffer-like construct (maybe), and then applies it to an array?

          Looking at the Perl document referenced, it looks like it is used on a one-dimensional array, like an argument vector, but that still appears to me to be a serious misuse of a previously used term!

          1. desht

            Re: "kernel driver providing a rootkit-like functionality to hide activity"

            "Who in their right mind will take a concept like 'push/pop', which have traditionally been used to work on a stack or a fifo or other buffer-like construct (maybe), and then applies it to an array?"

            That's just how Perl arrays work. They can also be stacks or queues, and efficiently, too: pop/push/shift/unshift generally work in O(1) time (other than potential reallocation for expanding data structures): http://www.perlmonks.org/?node_id=17890

            The way Perl does stuff might offend some purists, but it works, and it's convenient. *shrug*

            (And they are one-dimensional arrays, but each element can hold anything, including references to other arrays or hashes).

          2. Vic

            Re: "kernel driver providing a rootkit-like functionality to hide activity"

            Who in their right mind will take a concept like 'push/pop', which have traditionally been used to work on a stack or a fifo or other buffer-like construct (maybe), and then applies it to an array?

            In Perl, it means you can take an array type and use it like a stack. It's exactly the concept you expect - just that Perl doesn't worry too much about the base types used...

            Vic.

        3. jake Silver badge

          Re: "kernel driver providing a rootkit-like functionality to hide activity"

          Y,y,y ... I know what the heap and the stack are, and how to use them. I wrote my own C compiler decades ago. Somehow, I doubt the kids using "popped" are using it in this context.

          Gut feeling is that it's an illogical and computer illiterate extension to BASIC's "peek" and "poke".

          1. Peter Gathercole Silver badge

            @jake

            My comment was not meant for you, more at the Perl developers who wrote the "pop" function referred to by the AC who suggested it for the origin of the meme.

            I never had any doubt that you know what a stack is!

  4. Crisp

    If professional gamers are really worried about cheating

    Then why don't they use a LAN disconnected from the outside world using machines all built to the same spec with the same hardware and no cheat programs on any of them.

    It would be fair because they would all be using standardised equipment.

    1. Jellied Eel Silver badge

      Re: If professional gamers are really worried about cheating

      Some do, ie tournament players play at the event. But to get to the tournament, or become a pro-player you need to get ranking. Which may get boosted by cheating. But then they should be found out if they play in a tournament without their cheat crutches. Or the cheats might have some financial reward, so gold farming, dupes etc. Or they could just be anti-fun, so aimbots or wallhacks in shooters.

      So there's a bit of an arms race. Developers create anti-cheat systems like punkbuster or VAC which can already be rootkit-like. Cheaters come up with lower level designs to bypass those, increasing security risks. Not like cheaters who'll happily download random hacks off the Internet are probably too concerned about their security. But to counter this new threat, anti-cheat systems are going to have to become even greater potential security risks.

      And to what end? I recently installed some game and discovered it also installed punkbuster for me, and set it to run at startup. All because the game had some online/multiplayer functionality I never intended to use. Or 7 Days to Die just updated. When I click play on that, it gives me an option for a VAC & non-VAC version. So remember which one to click if you want to use the built in cheats in your own sandbox..

      So we end up with a situation where we may have to accept installing one rootkit to 'protect' ourselves against another. And we'll have to accept that the good rootkit won't be doing anything privacy or marketing related, and won't be a security risk.

    2. Anonymous Coward
      Anonymous Coward

      Re: If professional gamers are really worried about cheating

      And then you find out the machines were all subverted at the chip level during manufacture...

  5. clocKwize

    People have been using kernel drivers to hook core system functionality and expose features via some API to a user land app for years. This isn't news..Even down to the "double paged memory" thing mentioned, which is definitely based on http://phrack.org/issues/63/8.html "shadow walker" released in august 2005. I used to hack games. Its all about finding inventive ways of modifying another application without using any of the same methods as anyone else has released in to the wild (and therefore patched) so if you can totally hide the memory you've changed (at least in the view of the game) you're almost unstopable.

  6. DrXym Silver badge

    Streaming does have its advantages

    There's nothing more frustrating than to play a game and be constantly picked off by someone not because of skill on their part but simply because they've got better broadband or a PC which lets them get a higher frame rate.

    A relatively thin client software could ensure that everyone in the game gets the same graphics, the same framerates and has similar latencies.

    And of course it stops cheats.

    1. Anonymous Coward
      Anonymous Coward

      Re: Streaming does have its advantages

      Everyone can have an equally poor experience...

      Game will never get moded so everything will be like them dead games - titanfall & evolve as opposed to the moddable CS:S and L4D

      Daft idea. Plus the input lag. Erck

      1. DrXym Silver badge

        Re: Streaming does have its advantages

        "Everyone can have an equally poor experience..."

        Not necessarily at all.

        "Game will never get moded so everything will be like them dead games - titanfall & evolve as opposed to the moddable CS:S and L4D".

        That doesn't counter my points at all. And nor was I arguing that streaming was better than local play in all aspects, just in particular ones.

    2. you are idiots
      Facepalm

      Re: Streaming does have its advantages

      It's been tried and failed, check news about "onlive" (https://games.onlive.com/farewell/games)

      And why when you have a ps4 do you want to stream it and add latency and use controls not designed for the game (GAIKAI)

      Investors are simply idiot's.

      1. DrXym Silver badge

        Re: Streaming does have its advantages

        "And why when you have a ps4 do you want to stream it and add latency and use controls not designed for the game (GAIKAI)"

        Latency is already a fact of life for multiplayer and that's why things can suck for someone caught on a bad connection or who didn't spend a fortune on a top end PC.

        So saying "because latency" misses the point that it's already a problem. Yes, streaming introduces its own latencies but it removes them in other areas. It's also transparently obvious to anyone watching the scene that it's not just Sony who have an eye on streaming. Steam do too, first "in-home" although it's not hard to see that expanding to out of home as well.

    3. Cuddles Silver badge

      Re: Streaming does have its advantages

      "There's nothing more frustrating than to play a game and be constantly picked off by someone not because of skill on their part but simply because they've got better broadband"

      ...streaming. If people having better broadband is a problem now, a solution in which quality of broadband is the only relevant factor really isn't going to help. If your internet is so bad that it can't keep up with the small amount of data transferred by client-side games, how is it going to cope when the entire game needs to be streamed? Your solution means that instead of people with bad internet potentially having a sub-optimal experience in some games, they won't have any experience with any games at all.

      "Latency is already a fact of life for multiplayer and that's why things can suck for someone caught on a bad connection or who didn't spend a fortune on a top end PC."

      Nonsense. Connection latency is a problem in keeping clients and servers properly synchronised to each other so everyone sees the same things happening at the same time. The price of your PC is utterly irrelevant to that. It's a function of your internet connection, not your GPU. However, streaming games introduce an entirely new latency between the controller and the game, and that certainly is not a fact of life as things stand. Streaming doesn't fix the connection latency because there will still be just as much lag between an event occurring and your local client knowing about it (in fact more, since as noted above there needs to be more data transferred), but it adds additional latency in places that no current games have it. It's just a terrible idea from start to finish.

      "A relatively thin client software could ensure that everyone in the game gets the same graphics, the same framerates"

      Fuck everyone else in the game. If I can afford a better PC that can display better graphics and higher framerates, why should I be punished just because other people can't? Do you plan on taking away my house and car as well just because not everyone can afford their own? Forcing everyone to live in tower blocks and take the bus everywhere would ensure that everyone has the same quality of living, but no-one actually thinks that's a good idea - even communist dictators who claim to advocate such things make it clear that it's only a good idea for everyone else, not themselves. What is so special about computer games that mean we should all be dragged down to the level of the lowest common denominator? It would be great if we could all live in mansions with nice cars, fast computers and good internet, but in the absence of such a utopia, taking all the nice things away from people who have them in the name of equality is not the way to do things.

      1. DrXym Silver badge

        Re: Streaming does have its advantages

        "...streaming. If people having better broadband is a problem now, a solution in which quality of broadband is the only relevant factor really isn't going to help. "

        Maybe read what I said in the first comment eh?

        "Nonsense. Connection latency is a problem in keeping clients and servers properly synchronised to each other so everyone sees the same things happening at the same time. The price of your PC is utterly irrelevant to that."

        I didn't say "connection latency". I said latency. Latency is lots of things.

        "Fuck everyone else in the game. If I can afford a better PC that can display better graphics and higher framerates, why should I be punished just because other people can't? "

        Yeah, that's the ticket - the person who spends the most should have the advantage right? Screw all those other people expecting to play a game on a fair and level playing field. With that attitude maybe EA should sell aimbots for $1000.

        Frankly you're the reason multiplayer sucks right now.

      2. NumptyScrub
        Trollface

        Re: Streaming does have its advantages

        Fuck everyone else in the game. If I can afford a better PC that can display better graphics and higher framerates, why should I be punished just because other people can't?

        I just buy the developers, and they write the game to always put me in top spot regardless, because it is not cheating if it is all part of the legitimate game code. That's how you pay to win :P

        You are saying that you should be able to pay to win, right? That's how I'm interpreting your statement anyway... ^^;

    4. Terje

      Re: Streaming does have its advantages

      Or you would just get killed because your internet connection is worse then your competition.

  7. Peter Gathercole Silver badge

    Confusing paper

    I'm a little confused. I understand that this is a client-side attack on the games, and as such, it's pretty obvious that it is possible to modify the client machine, which is totally in the cheater's control, to do all sorts of things to manipulate the game and prevent the anti-cheat code operating. After all, with this level of access, you could do anything, including (for open systems) running their own kernel. There ain't no way that a user-land anti-cheat system is going to prevent that.

    But looking at the paper, at one point they are talking about Direct3D and DLLs, which is mainly Windows terminology, and then they dive of to describe a Linux attack. Maybe they are trying to show that problem spans OSs, although I did not see a reference to that.

    There is another way of preventing this type of attack, although it brings back something that I was hoping was dead.

    If the hardware/OS/games are created using the generally hated (at least here) concepts proposed by Trusted Computing Group (previously known as the TCPA and the previous Microsoft Palladium project), it would be possible to implement a hardware and software stack that would prevent client side privileged access to the system unless it was signed by a recognised key. This would at a stroke prevent almost all of this type of client side attack, but at the same time would wrest almost total control of a machine from it's owner, making it a data appliance rather than a PC.

    Because the detail in the paper is so scant, it looks to me like it is a scaremongering piece to bring security back into focus, to try to allow vendors of software to take more control of the PC away from it's owners.

    Where's the tin-foil hat. I think I need it now.

    1. Charles 9 Silver badge

      Re: Confusing paper

      "If the hardware/OS/games are created using the generally hated (at least here) concepts proposed by Trusted Computing Group (previously known as the TCPA and the previous Microsoft Palladium project), it would be possible to implement a hardware and software stack that would prevent client side privileged access to the system unless it was signed by a recognised key. This would at a stroke prevent almost all of this type of client side attack, but at the same time would wrest almost total control of a machine from it's owner, making it a data appliance rather than a PC."

      You will note how little you hear of the Trusted Platform Module outside of tightly-controlled settings such as businesses who need the control for their own reasons. Simply put, it's a non-starter on the consumer (and gamers are a subset of consumers mostly) end. If the only practical solution is to implement a system that isn't accepted by your customers, your market is basically a dead end. Either people won't buy your games because they're full of cheats or people won't buy your games because they won't buy the "secure" hardware needed to run them.

  8. auburnman

    Why is this still an issue?

    It's high time multiplayer games distributed anti-cheat software so that the clients are all watching the OTHER clients in a match and came to a consensus about kicking/banning automatically after a certain number of stikes, eg:

    -Client_123 suspects client HACKAHACKACODECRACKA be added to suspected cheater watchlist (headshot through wall)

    -Client 124 suspects client HACKAHACKACODECRACKA of cheating (6 headshots within 6 seconds)

    -Client 125 suspects client HACKAHACKACODECRACKA of cheating (Client 125 player actor dealt 1600 damage to client HACKAHACKACODECRACKA player actor which did not enter death state)

    -Consensus reached to kick client HACKAHACKACODECRACKA.

    Multiplayer inherently requires the game clients to tell each other what they are doing, it's ludicrous that no-one is using this to automatically catch the signs of abuse

    1. Danny 14

      Re: Why is this still an issue?

      some people are just good though. I used to run GTFO TF2 servers and we had plenty of hack reports on certain players, thing is, we also used to run LAN events and those players turned up - they really were that good. What was funnier was a time we got an admin call for someone who was at the LAN event....

      1. auburnman

        Re: Why is this still an issue?

        Of course you get players that are just good being called hackers*, but there is massive scope for the game client to pick up things that are really obvious exploits like repeatedly getting headshots through walls, surviving attacks that are supposed to be 1 hit kills, using powers their class/level shouldn't have access to to name a few; all of which you see these days and it seems like sweet FA is done about it.

        *Oh to be the lucky little shit who thinks someone with an 18-10 KD ratio is hacking - they've clearly never played against an actual hacker in their life

      2. Triggerfish

        Re: Why is this still an issue?

        Our servers, if someone was suspected cheating it meant more than one admin would have to review (that way no accusations of favouritism for our clan, or regulars on the server). But we did have a couple of pro player who liked to drop in because we had well run and decent CS servers, with low tard tolerance from admins. Watching them guys play its easy to see how they get hack accusations, they could join one side take the team to a victoy and then switch side a couple of points from said victory and bring the other team up, and it wasn't like we were bad players ourselves.

    2. Zacherynuk

      Re: Why is this still an issue?

      I've thought this too - it may involve bringing some things back to the client side though.(Depending on the game)

      Certainly I find it odd that, say an Arma 2 server, can't be configured to easily spot somebody duping / warping / fast travel / messing with loadouts etc... even monitoring cross hair snapping and similar things you look out for when recording footage as an admin about the wield the ban-hammer.

  9. chris 251

    surely its possible to run games in their own digitally signed VM.

    The game and anti cheat software all rolled into one image that runs on some cut down OS. any tinkering with it and it would connect for online play. Stream is probably geared up to do something like this they dish out a player and games come preinstalled on these images. After all BF4 patches are freaking massive these days so a little more wont make any difference.

    1. Charles 9 Silver badge

      VM's are not useful for this type of cheat. The cheat would be on the host, giving it hypervisor access where it can snoop any memory at will, including pre-encryption (making a secure tunnel useless here, too).

  10. karlkarl Silver badge
    Go

    I think streaming is a good idea as long as *we* are the ones who stream it. We might take a bit of a performance hit because we will need to render the scene based on the number of clients connecting to the server but I imagine many more gamers will be happy with this rather than any of that cloud bullshit.

    Plus if only the OpenGL commands get sent through and the individual clients render it themselves. it isnt that bad since much of OpenGL is retained on the graphics card these days rather than being sent through each loop (Full disclosure... I am working on something similar for my PhD).

    1. Charles 9 Silver badge

      What's to stop a miscreant from hacking the sent OGL commands to make the scene look different to the competition? A setup like this can still allow a hacker to tell "lies" to his opponents.

  11. breakfast

    Maybe cheatable games are not even that fun

    Games that can be cheated with bots and auto-aim are a fairly specific subset of very twitch-based game. It seems possible to me that as time and game design move on, the goals of a game may become more creative and less about who has the fastest reactions, at which point the ability to cheat becomes less useful and the ability for server-side validation is increased because the need for instantaneous communication is reduced.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020