Status on hacks?

8 months ago

I've been researching some strange player behavior that we've noticed on our server on the internet. However, every page that I found was an obvious fraud only intended to 1) steal your money, or 2) rob your characters. I don't really mind that; if people truly are that stupid, they should suffer.

I know wowglider is still out there, but that's only automation afaik, and it doesn't make clothies immortal, or break the game like battleground experiences I've encountered.

So, my question is: Does anyone know if there are confirmed hacks in the wild? Google doesn't say much, and I know that the warden is continuously updated with new signatures, but are there actual hacks in the wild? Is WoW being killed by hackers the same way Diablo and CS were?

I'm not interested in names or anything, just what they can do to shed some light on the oddities we've experienced.

8 months ago

As far as I know, there ARE such things as speed hacks; fortunately I haven't encountered any other type. While they are a detriment to how fun the game is, especially in WSG and AB, there aren't enough people doing enough to warrant them destroying the game. The ones who do use them are typically caught, reported multiple times by multiple people, then beaten with the perma-ban stick.

8 months ago

www.wow-toolbox.com claims to have a program that will allow a player to change their stats, keep buffs forever, and remove cooldowns on spells. They also claim that Warden can't detect it. I saw it being advertised in IF tonight on the Llane server.

I have no idea whether it's true or not... but if it is, I'm sure Blizzard will soon patch to detect it.

8 months ago

I would think that those are numbers handled by the server rather than the client tbh. Also, having a look on their site, it states a "30 day money back guarantee", whereas the FAQ states an "8 weeks money back guarantee". I think they simply farm irl gold :)

Still a bit worrying that 3 people can't bring down a clothie's health more than about 5%. I did over 10k damage to that clothie, and that doesn't quite add up.

8 months ago

The program from wow-toolbox does one thing... steals your account info and NOTHING else. Oh ya, they also will have your CC info.

8 months ago

Yeah, I thought so. Well, they deserve it if they even consider using hacks imo :)

7 months, 3 weeks ago

Doing some research, there seem to be things "in the wild" that can possibly be used for hacking purposes. The file I got sent by another user contains a number of files, such as a WoW keygen, a file named "RunMeFirst.exe", and three separate tools. This is supposed to be what you get from WoW-Toolbox.

RunMeFirst seems to be a trojan. Renaming the included "Libraries" folder to something else and trying to run it (in a virtual machine ofc, this piece of crap is not going onto my main pc) resulted in it failing to start. To be honest, I didn't try it prior to renaming the folder, but the files in there are basically the OpenSSL runtime files and a few DLLs that seem to hint at a web server.

RunMeFirst, however, contains references to WoW!Warp. It also contains what appears to be a wordlist, probably to make it bigger and look better, or possibly for some kind of bruteforce attack or spam-bot behavior (it is 6 MB in size; the disassembled code was far from that).

The strings inside are interesting as well. "Corrupted memory at location {0}. Please change your IP and restart this program.", "Due to bot farmers, we are using a captcha system to make sure you are human.", etc. This could be a "Captcha pass-through attack", where the user is receiving images from a 3rd party site and helps by cracking them. If this is a spam-bot tool, that would definitely make sense (most web-mail providers use captchas), or it could possibly register a trial account with WoW (do they use captchas when you sign up?) and yell "Want to get 100,000 health go to wow-toolbox" blah blah. It sounds very fishy.

The other three tools were a memory optimizer (which appeared legit; it's available for free on the internet), a memory scanner for generic "windows cheating" that helps you find memory addresses that change and then patch them up, and a tool to change the rights of a process.

I would suspect that the archive I received is a mixup of malware and legit software. Whether it works with WoW I can't say for sure, and I don't want to try it either. Putting this kind of logic onto the client would seem just plain wrong and would open up for cheating, but you never know. It's one possible explanation for the weird things we have experienced in the battlegrounds.

The virtual machine I've been performing these tests in is totally separate from my WoW install, so there is no possibility of taint :)

Also, I've just noticed an increase in traffic from the virtual machine. It appears to be chatting happily with swirl.ath.cx, exchanging 256 bytes of data per packet over no specific protocol with no obvious identifying pattern. swirl.ath.cx resolves to c211-31-5-159.rivrw6.nsw.optusnet.com.au (211.31.5.159). There is no additional software installed in that virtual machine. Nothing is suspicious in the task list either, which makes me suspect some kind of rootkit or trojan.

The entire TCP dump is available if anyone wants to take a closer look at it.

Could a Curse dev please drop me a mail in here? I would like to forward this archive to Blizzard since I'm sure they could do better than I can in taking it apart. Sure, it sounds strange that they wouldn't know of it, but still it's better to be safe than sorry :)
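The traffic pattern described in the post above (a fixed 256-byte payload to one host, repeating at a steady cadence with nothing new in the task list) is the classic signature of a beaconing implant. As an added example that is not code from this thread or from any of the tools discussed, here is a small Python script that flags such beacons in an outbound connection log. The log format, the interval and size thresholds, and every host except swirl.ath.cx are constructed assumptions.

```python
"""Flag destinations in an outbound connection log that look like beacons:
one constant payload size, repeated to the same host at a steady interval."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (assumed format: "epoch_seconds dst_host bytes").
# The swirl.ath.cx host is the one named in the thread; the rest is made up.
SAMPLE_LOG = """\
1000 swirl.ath.cx 256
1060 swirl.ath.cx 256
1120 swirl.ath.cx 256
1180 swirl.ath.cx 256
1240 swirl.ath.cx 256
1005 updates.example.org 1432
1300 updates.example.org 87
1900 updates.example.org 64000
"""


def parse_log(text):
    """Group (timestamp, bytes) events by destination host."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, size = line.split()
        flows[host].append((float(ts), int(size)))
    return flows


def beacon_score(events, min_events=4, max_jitter=0.2):
    """Return (is_beacon, interval_jitter, distinct_sizes) for one host.

    A beacon needs enough samples, a single payload size, and inter-arrival
    gaps whose relative spread (pstdev / mean) stays below max_jitter.
    Normal traffic varies in size and timing, so it fails both tests.
    """
    if len(events) < min_events:
        return (False, None, None)
    events = sorted(events)
    gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
    sizes = {size for _, size in events}
    avg_gap = mean(gaps)
    jitter = pstdev(gaps) / avg_gap if avg_gap > 0 else 1.0
    return (len(sizes) == 1 and jitter < max_jitter, jitter, len(sizes))


def find_beacons(text):
    """Return the sorted list of hosts whose traffic looks like a beacon."""
    return sorted(host for host, ev in parse_log(text).items() if beacon_score(ev)[0])
```

On the constructed log only swirl.ath.cx is flagged; on a real capture, pair the result with a process-to-socket mapping taken from outside the suspect machine, since the post notes the task list inside it showed nothing.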

7 months, 3 weeks ago

Confirmed!

EuroSecure just got back to me with confirmation that one of the files (not telling which one) contains a variant of the Poison Ivy keylogger, which confirms the suspicions. The validity of the remaining files is a matter for Blizzard :) What that means is that if you ever tried to use the WoW-Toolbox files on your live machine, it has been calling home by means of process injection, making your firewall think that it's your web browser that is behind the request, thereby very unlikely to react and block the request.

Long story short: your local hard drive, your system registry, process listing, all saved passwords including Internet Explorer, Firefox, and MSN passwords, every key you have pressed since, and possibly the traffic you have sent back and forth are now in the hands of the person or persons behind swirl.ath.cx :)

Hacks never pay off ;)

7 months, 3 weeks ago

Thanks :) Yeah I'm of the same opinion. I don't understand why you pay to play a game, but refuse to play by the rules? Same with buying gold or power leveling: You pay a monthly fee for a game that you don't even experience or enjoy? That's just bull!

The intended functionality of this pack was to change buffs to give you boosts in stats and so on.

What we have to keep in mind is that our clients are connected to a server. Logically not every single action can be performed on the server -- in that case the server would need a lot of processing power. And logically not everything could be performed on the client -- which would open up for hacks. I suppose that Blizzard has found like a golden average in this situation; having the essential parts on the server (including stats, damage calculations etc).

I am fairly certain that there are hacks out there. I suppose this is common knowledge, so: if you go out and buy an old Sony BMG copy protected audio CD and install the embedded player, you will get a nice rootkit installed on your system with it (in order to protect their precious intellectual property *sigh*). You can then create a folder with a few special characters in it, which literally hides it from the rest of the system INCLUDING the warden. The file is there, you just have to type the exact path to get to it. All processes running that belong to that path will also be hidden. This has been used, and probably still is used, in order to allow older hacks to work with WoW even after they were added to the Warden's blacklist.

About the speed hack I'm not sure. This could be one of the details that are in fact located on the client. To test it out, I guess you could wait for some nasty lag and, while running, try to use different speed buffs and potions. Take note of when the potion is consumed and expired and when the actual speed buff sets in. If you notice a delay here, it's possible that there are speed hacks in the wild.

That doesn't worry me that much tho. On my server the main problem is that the horde just doesn't die. At level 49 we had a warlock in the horde team that we constantly faced in WsG. Basically, no matter what gear you had, if you saw her you were better off running the other way. Seeing her bring down 5 people at once without losing even 5% hp was not a rare sight. You could just bash and bash and bash to no avail. Contacting a GM about this rendered the result "That's strange, but I suppose she just has very good gear". Her gear was practically the same as my mage friend's (we looked her up on the armory), and he kept on being run over by the horde train just like the rest of us. At this time she had over 15k honorable kills.

Share your stories and thoughts :)
