funsec mailing list archives

Blizzard Entertainment Uses Spyware to Verify EULA Compliance


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Fri, 14 Oct 2005 11:32:11 -0400

http://www.schneier.com/blog/archives/2005/10/blizzard_entert.html

October 13, 2005


Blizzard Entertainment Uses Spyware to Verify EULA Compliance


 <http://www.rootkit.com/blog.php?newsid=358> Scary:

I recently performed a rather long reversing session on a piece of software
written by Blizzard Entertainment, yes -- the ones who made Warcraft, and
World of Warcraft (which has 4.5 million+ players now, apparently). This
software is known as the 'warden client' -- it's written like shellcode in
that it's position independent. It is downloaded on the fly from Blizzard's
servers, and it runs about every 15 seconds. It is one of the most
interesting pieces of spyware to date, because it is designed only to verify
compliance with a EULA/TOS. Here is what it does, about every 15 seconds, to
about 4.5 million people (500,000 of which are logged on at any given time):


The warden dumps all the DLL's using a ToolHelp API call. It reads
information from every DLL loaded in the 'world of warcraft' executable
process space. No big deal.

The warden then uses the GetWindowTextA function to read the window text in
the titlebar of every window. These are windows that are not in the WoW
process, but any program running on your computer. Now a Big Deal.

I watched the warden sniff down the email addresses of people I was
communicating with on MSN, the URL of several websites that I had open at
the time, and the names of all my running programs, including those that
were minimized or in the toolbar. These strings can easily contain social
security numbers or credit card numbers, for example, if I have Microsoft
Excel or Quickbooks open w/ my personal finances at the time.

Once these strings are obtained, they are passed through a hashing function
and compared against a list of 'banning hashes' -- if you match something in
their list, I suspect you will get banned. ...

Next, warden opens every process running on your computer. ... I watched
warden open my email program, and even my PGP key manager. Again, I feel
this is a fairly severe violation of privacy, but what can you do? It would
be very easy to devise a test where the warden clearly reads confidential or
personal information without regard.

This behavior places the warden client squarely in the category of spyware.
What is interesting about this is that it might be the first use of spyware
to verify compliance with a EULA. I cannot imagine that such practices will
be legal in the future, but right now in terms of law, this is the wild wild
west. You can't blame Blizz for trying, as well as any other company, but
this practice will have to stop if we have any hope of privacy. Agree w/
botting or game cheaters or not, this is a much larger issue called
'privacy' and Blizz has no right to be opening my excel or PGP programs, for
whatever reason.

EDITED TO ADD: Blizzard
<http://forums.worldofwarcraft.com/thread.aspx?fn=blizzard-archive&t=33&p=1&;tmp=1#post33>
responds. See also
<http://forums.worldofwarcraft.com/thread.aspx?FN=wow-general&T=5269471&P=1>
here. Several commenters say that this is no big deal. I think that a
program that does all of this without the knowledge or consent of the user
is a big deal. This is a program designed to spy on the user and report back
to Blizzard. It's pretty benign, but the next company who does this may be
less so. It definitely counts as spyware.

 <http://www.schneier.com/blog/archives/2005/10/blizzard_entert.html> Posted
on October 13, 2005 at 02:11 PM 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
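
Added illustration (not code from the post above, from the quoted blog entries, or from Blizzard): a small audit of what a title-bar sweep hands to the scanning process before any hashing takes place. The window titles are constructed samples, and SHA-256 over the lowercased title is an assumption, since the post does not name the hashing function.

```python
import hashlib
import re

# Constructed sample titles standing in for the result of a title-bar sweep.
SAMPLE_TITLES = [
    "World of Warcraft",
    "alice@example.com - Conversation",
    "https://bank.example/accounts - Browser",
    "Finances 4111 1111 1111 1111.xls - Microsoft Excel",
    "Payroll 078-05-1120 - QuickBooks",
    "ExampleBot v1.0",
]

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL = re.compile(r"https?://\S+")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(title):
    """Return the kinds of personal data visible in one window title."""
    found = {name for name, rx in (("email", EMAIL), ("url", URL), ("ssn-like", SSN)) if rx.search(title)}
    for m in CARD.finditer(title):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.add("card-like")
    return found

def title_hash(title):
    # Assumption: SHA-256 of the lowercased title; the real function is not named in the post.
    return hashlib.sha256(title.lower().encode("utf-8")).hexdigest()

def audit(titles, banned_hashes):
    """For each title: (title, data kinds readable in plaintext, hash-list match)."""
    return [(t, sorted(classify(t)), title_hash(t) in banned_hashes) for t in titles]

if __name__ == "__main__":
    banned = {title_hash("ExampleBot v1.0")}  # constructed one-entry hash list
    for title, kinds, hit in audit(SAMPLE_TITLES, banned):
        print(f"{'MATCH' if hit else 'no match':8}  {kinds or '-'}  {title}")
```

Only one title matches the hash list, yet four of the six titles carry an email address, URL, card-like or SSN-like number that the scanning code had to read in plaintext to compute the hash.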
