Blizzard rootkit



"Given the fact that the randomly generated hash algorithm can be replaced at Blizzard's sole discretion with any other algorithm, including ones that retrieve and use personal, private and/or otherwise confidential information, with only their server to be required to know about the changes, this should be considered a very scary thing for the rest of us."





"We all know that World of Warcraft has checked for hacks to ensure a safe game environment for all players. The latest version of these checks goes beyond anything seen so far in that what is being checked is now completely encrypted. Obviously this hits bot writers as can be seen from these complaints, but it also strikes at the privacy of all users. Now Blizzard has a tool that is encrypted and can run any type of scan, transfer any file or edit any document on your computer. That can't be right."



I haven't read the whole thing yet, it's way TLDRish. But I'll get to it at some point.





Blizzard has begun a more aggressive campaign with Warden. The changes to Warden effectively remove our ability as a community to police Blizzard's activities, and may lead to undetected violations of personal privacy, among other possibilities. I have until now publicly defended Blizzard's actions, which were already under public scrutiny, partly because of Greg Hoglund and his crusades (which I have never agreed with). I do not believe that Blizzard would ever intentionally break privacy laws (or any laws for that matter), at least in any manner that can be traced. However, as we all realize, there are gray areas, which Blizzard is no stranger to (I would consider Warden itself to be in that gray area, which does not seem to be illegal, but that many people would feel is a violation of their rights, and could potentially be deemed illegal in the future), and I do believe that Blizzard would enter those areas until legally bound to leave them (i.e. when the area is no longer gray, and consequences would follow).


I cannot condone or agree with the changes to Warden, and I fear they may be overstepping their bounds. The problem is that Warden has long been a polymorphic program, typically a concept used for viruses, spyware, and other sorts of things that an attacker may wish to hide (see the linked page from the words "polymorphic program", and take note of the described usages). In Blizzard's case, they intend to hide functionality of Warden from what they perceive as attackers, for the obvious reason of catching said attacker without him being tipped off as to how. Clearly, if said attacker knows how, he would attempt to avoid being caught. In itself, this polymorphism is not entirely destructive.


Historically, the polymorphic code produced essentially the same predictable results in the end, and Blizzard's Warden-related activity was kept in check by software like ISXWarden, and to some extent by Glider's Tripwire (at least in the ability to track how often and in what numbers a new Warden was produced, I'm unaware of any additional capabilities Tripwire may have). Unfortunately, Warden now includes a different random cryptographic hash function in every copy, apparently used for cryptographic key exchange, at least in the copies I have reviewed. However, it is nearly impossible to enforce that. The hash function could be replaced with a function that retrieves information from your computer at random (or even precisely defined information, including credit card numbers, or literally anything else) and sends it back to Blizzard, and to electronic enforcement systems, this would be nearly impossible to predict or report.


I formed my opinions of Blizzard's activities and stood on their side of the line on privacy violation arguments, solely because I have been able to automatically keep track of exactly what Warden was doing, how it was doing it, and what information was sent back to Blizzard, regardless of the number of permutations of their polymorphic software. This effectively resulted in checks and balances, much in the way government bodies separate their powers which I believe, in the end, are supposed to preserve the rights of the people in cases of corruption and such. Now, information suggests that Blizzard has begun continually producing replacement copies of Warden -- previously, roughly 318 permutations of Warden existed per patch (according to information from ISXWarden users, as can currently be viewed on the WardenNet stats page), and would be used on a rotating basis. To reiterate what I implied above, all 318 of those permutations could be vetted by software (including ISXWarden), and the behavior of each one could be verified to be identical. Therefore, anything that Blizzard would try to slip into their software was kept in check, and they would not have been able to introduce any significant privacy violations without alerting their customer base. That's actually a very good thing to have on their side.


However, this change to Warden is not a very good thing to have on their side. Given the fact that the randomly generated hash algorithm can be replaced at Blizzard's sole discretion with any other algorithm, including ones that retrieve and use personal, private and/or otherwise confidential information, with only their server to be required to know about the changes, this should be considered a very scary thing for the rest of us. Blizzard, I agree with you wanting to protect your game, I agree with most of the functionality you have placed in Warden, but you're losing a supporter who has conflicts of interest with your policies and still agreed with them, and that would have made a strong argument for your side.


Blizzard, I strongly urge you to promote transparency in your policing efforts. The public cannot be expected to trust a corporation that is hiding information from its own customers. You are governing several million people across the globe, and even though you do not like some of them, you should not attempt to hide your software or the functionality of your software on your customers' personal computers. There is absolutely no excuse for doing so, and I do believe that this is now, without a doubt in my mind, an ethical issue.






I wish to clarify a few things, as this post has been read, mis-read, partially ignored, and so on.

There is no issue with Blizzard using a hashing algorithm, or encrypting data. There is no issue with Blizzard attempting to detect its perceived attackers. There is no issue with a key exchange in the detection software. It's not even about any implied difficulty by said attackers to sidestep the new functionality, which at face value, is not a difficult task. The issue is that the hash algorithm can be replaced with any algorithm. The issue is that the hash algorithm is different in every copy of Warden, so there's no simple method of ensuring that every copy of Warden is simply using a hash algorithm, and furthermore that it is one-way. The issue is that the detection software may be exploited, by Blizzard or an employee of Blizzard, with or without the corporation's knowledge, in order to do anything they please on your PC. A resourceful Blizzard employee could, for example, install a virus or other malware on your PC, and have a pretty high chance of that going undetected by the customer. This example may seem extreme, but bear in mind that all customers are required by Blizzard to blindly accept whatever Warden is doing on your PC. By discouraging independent analysis of their tools, Blizzard seems to have something to hide. While I will reiterate (from the first paragraph of the post) that I don't believe that Blizzard would knowingly and willingly break any law, I do strongly believe that Blizzard has a responsibility to show its millions of customers that it is taking these actions in good faith.


Finally, I believe this is an issue that affects not just Blizzard and their customers, but all present and future corporations and customers who may be attempting to hide this sort of process or information from their customers. There is a limit to what they can do, and we can't blindly expect Blizzard or any such company to follow those limitations if they are not being independently verified.



Yes, but I'll quote the 1st part of your post as my response to the 2nd part of your post:


The topic is nothing new, but the angle in which BlizzardThe NSA is doing so definitely is.


EDIT: Actually, I take that back...The NSA has been pulling crap similar to this since the introduction of PGP and DES... :dry2:

Edited by Feanore


