Online games have always had the problems of cheats, password stealers and bots. Volumes of information have been written on the topic, including Hoglund and McGraw’s published material. In response, game developers at studios like Blizzard Entertainment and Amped have developed ways to unexpectedly “govern” the software that is running on their users’ systems, and ways to “harden” their software against reverse engineering attempts. For better or worse, these “tools” have turned into somewhat intrusive tools that peek into everything on the system and prevent RE activity using methods similar to those used by malware writers.

Sometimes, these defenses cause problems for the software security industry. You can see here from virustotal signature-based scan results today that our Tantra-playing friends in the Phillipines trying to play “Tantra” might be interrupted by their game’s security software:

These problems cropped up with today’s binaries, and have cropped up in the past. In August, AVG already was detecting the “tantrum.exe” component as a virus with its generic packer detections: Regarding Virus “obfustat.iiy” On Wr Ph, Problem Fixed
The problem, in part, for the av signature-based products seems to be the packer. The packer that Amped is using, Molebox, is polymorphic and provides some difficulties for black, grey and white hat reversers trying to peek into the code behind their tantrum.exe component. Malware writers and distributors in the recent past have used molebox to evade detection and make their creations more difficult to reverse engineer. You might notice that the screenshot above shows that Ikarus detects the component as “Rbot”.

For behavioral-based security products, a problem arises when these components, which have very similar file characteristics to malware that we’ve seen, exhibit behaviors similar to malware. For example, this Tantra game component injects itself into operating system components in the same way as backdoors like Bifrost and other trojans.

For now, it seems that these problems will be ongoing. The game developers need to protect their games the best that they can, and security software products need to be as sensitive as possible.

This entry was posted on Tuesday, November 27th, 2007 at 2:36 pm and is filed under Bifrost, Bot, Password stealing, Reversing, Unpack. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.