Rootkit Anti Cheat In Games

In the ever-evolving cat-and-mouse battle between cheaters and game developers, Riot Games is taking expanded measures to protect legitimate players in its new tactical combat game Valorant. But Riot's new Vanguard anti-cheat system—which involves a kernel-level driver that has very low-level access to your system—is raising some eyebrows among both players and security experts.

While the Vanguard anti-cheat client only launches when Valorant is being played, Riot says the system also makes use of a 'kernel mode driver' that starts operating as soon as Windows boots up. That's a big change from Riot's pre-Vanguard anti-cheat systems, which operated entirely at the more common 'user mode' level, just like most Windows executables.

The old anti-cheat system gave cheaters a big advantage, Riot says, since those cheaters could use code-signing holes or Windows corruption exploits to create cheating software that runs at the kernel level. With that more privileged access to the system, those kernel-level cheating tools could make themselves look completely legitimate to user-level anti-cheat tools (which have more limited visibility into the inner workings of the OS).

This was like 'effectively giving cheaters a much-needed, twelve-stroke handicap,' Riot said in a February blog post. 'We haven’t needed both arms yet, primarily because we have the advantage of steady paychecks and the lack of strict bedtimes at our immediate disposal. But as much as we might like the idea of an ever-escalating appsec war with teenagers, we’re now entering a multi-game universe where linear time and sleep deficits will make this particular strategy untenable.'

Panicking over kernels

With Vanguard, Riot would like to patch up this hole with a kernel-level driver that can hopefully detect any and all abnormalities running at the user level. That doesn't make the game impervious to other kernel-level attacks, of course, but it 'requires a different (more strenuous) approach from cheat developers to attack,' Riot anti-cheat lead Paul Chamberlain told Ars in an email.

'For cheat developers operating at the kernel level, they need to work around the restrictions Microsoft places on kernel level software,' he continued. 'This extra work reduces the incentives for cheat developers because their cheats become harder to make, less convenient for players to install and just overall less profitable to sell... We don’t expect that any protection will remain unbreached forever but Vanguard’s protections are strong, and as cheat developers' tactics evolve, so will ours.'


Despite some alarming discussions on worrisome threads around the Internet, this kind of system isn't actually that uncommon in gaming these days. BattlEye, a third-party anti-cheat tool used to protect games from Fortnite to Ark: Survival Evolved, also sells itself as a 'fully proactive kernel-based protection system,' for instance.

Still, granting such high-level OS access to a game maker can make some users nervous, especially if they remember Sony's rootkit DRM debacle from 2005. So Riot is doing its best to assure users that they have nothing to fear from granting such high system privileges to the company's protection tool.

'This isn’t giving us any surveillance capability we didn’t already have,' Riot noted in its blog post (using language that isn't exactly comforting on its own). 'If we cared about grandma’s secret recipe for the perfect Christmas casserole, we’d find no issue in obtaining it strictly from user-mode and then selling it to The Food Network. The purpose of this upgrade is to monitor system state for integrity (so we can trust our data) and to make it harder for cheaters to tamper with our games (so you can’t blame aimbots for personal failure).'

'The Vanguard driver does not collect or send any information about your computer back to us,' Riot Anti-cheat lead Paul Chamberlain added in a Reddit post this week. 'Any cheat detection scans will be run by the non-driver component only when the game is running.'

“A large attack surface for little benefit”

That's all fine—if you're going to install any Riot application on your device, at some level, you have to trust it isn't stealing grandma's casserole recipe (or that it would be found out if it did). The real risk of installing a kernel-level driver, though, is the level of security exposure it creates on the rest of the system.


At the kernel level, any flaws in Riot's driver code could create system-wide, 'blue screen of death'-style crashes, as opposed to more localized application-specific glitches. And a serious oversight in the driver, like a buffer overflow exploit, could let an attacker install their own malicious code at an extremely low level, where it could be extremely dangerous.

'Whenever you have a driver like that, you're at risk of introducing security and reliability issues to the computer,' independent security researcher Saleem Rashid told Ars. 'You don't get as many exploit mitigations in device drivers as you do in normal applications, and a bug will crash the entire OS, not just the game.'
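To make concrete what a "serious oversight in the driver, like a buffer overflow" looks like, here is an added example that is not Riot's or Vanguard's code and does not use the real Windows driver API. It models, in portable C, a driver IOCTL dispatch routine that copies a caller-supplied buffer into a fixed-size local buffer: the vulnerable form trusts the length the caller claims, the hardened form validates pointers and lengths first. The type and function names (`ioctl_request`, `handle_ioctl_unsafe`, `handle_ioctl_safe`, `try_request`) and the sample request bytes are constructed for this example.

```c
/* Added example, not Vanguard's code and not the Windows kernel API:
 * a portable model of a driver IOCTL handler with and without bounds
 * checking. Names and sample inputs are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 32   /* fixed scratch buffer inside the handler */

/* Stand-in for what a dispatch routine sees: a pointer to the caller's
 * input and the length the caller *claims* that input has. */
typedef struct {
    const uint8_t *in;
    size_t in_len;
} ioctl_request;

typedef enum { IOCTL_OK = 0, IOCTL_BAD_LENGTH = 1, IOCTL_BAD_POINTER = 2 } ioctl_status;

/* Vulnerable pattern: in_len is never compared with the local buffer, so
 * a request longer than REPLY_MAX writes past 'scratch'. In kernel mode
 * that corrupts the kernel stack: a system-wide crash at best. */
ioctl_status handle_ioctl_unsafe(const ioctl_request *req, uint8_t *out, size_t *out_len)
{
    uint8_t scratch[REPLY_MAX];
    memcpy(scratch, req->in, req->in_len);            /* no bound check */
    for (size_t i = 0; i < req->in_len; i++)
        scratch[i] ^= 0x55;                           /* the handler's "work" */
    memcpy(out, scratch, req->in_len);
    *out_len = req->in_len;
    return IOCTL_OK;
}

/* Hardened pattern: reject null pointers and any length the local buffer
 * or the caller's output buffer cannot hold before touching memory. */
ioctl_status handle_ioctl_safe(const ioctl_request *req, uint8_t *out,
                               size_t out_cap, size_t *out_len)
{
    uint8_t scratch[REPLY_MAX];
    if (req == NULL || req->in == NULL || out == NULL || out_len == NULL)
        return IOCTL_BAD_POINTER;
    if (req->in_len == 0 || req->in_len > sizeof scratch || req->in_len > out_cap)
        return IOCTL_BAD_LENGTH;
    memcpy(scratch, req->in, req->in_len);
    for (size_t i = 0; i < req->in_len; i++)
        scratch[i] ^= 0x55;
    memcpy(out, scratch, req->in_len);
    *out_len = req->in_len;
    return IOCTL_OK;
}

/* Run the hardened handler on a constructed request of the given length
 * (input bytes are all 0xAA) and return the status it produced. */
ioctl_status try_request(size_t len)
{
    uint8_t in[256], out[256];
    size_t out_len = 0;
    memset(in, 0xAA, sizeof in);
    ioctl_request req = { in, len };
    return handle_ioctl_safe(&req, out, sizeof out, &out_len);
}

int main(void)
{
    printf("8-byte request:   status %d\n", (int)try_request(8));    /* IOCTL_OK */
    printf("200-byte request: status %d\n", (int)try_request(200));  /* IOCTL_BAD_LENGTH */
    return 0;
}
```

The unsafe handler behaves identically to the safe one for well-formed requests, which is why this class of bug survives functional testing; only a length check against the handler's own buffer, not the caller's claim, closes it. A real driver also has to handle the caller's pointers through the I/O manager's buffering rules, which this model leaves out.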


'DRM like this probably stops cheating in the very near term, but I'm not convinced it helps in the long run,' Rashid continued. 'All it takes is for someone to analyze the driver from outside of Windows and then apply similar techniques they use to defeat other anti-cheat systems. So it looks like it introduces a large attack surface for little benefit.'

Riot: “We would likely be able to respond within hours”

Writing on Reddit, Chamberlain downplayed these risks. 'We're... following a least-privilege approach to the driver where the driver component does as little as possible preferring to let the non-driver component do the majority of work (also the non-driver component doesn't run unless the game is running).'

Chamberlain expanded on that statement in an email to Ars: 'The primary responsibility of the kernel driver is to create a protected environment for the rest of Vanguard (and the game) to operate in. If the integrity of the anti-cheat system is ensured, then almost everything else can happen entirely in user-mode.'

Chamberlain also told Ars that Riot's own Application Security team was aided by the services of three separate external security groups to audit Vanguard before it was rolled out. That includes one group that was focused exclusively on the driver and another that performed 'black box' attacks on the system from the outside.

And Chamberlain said that Vanguard also has code integrity checks and crash reporting functionality that could alert them to any signs of compromise. 'In addition, we have our bug bounty program and good relationships with the game security community and the broader threat intelligence community, so we would be well placed to receive intelligence about potential compromises,' he said.


If a kernel-mode code execution bug were found in Vanguard's driver, Chamberlain says the system has been set up 'to be easy to update on whatever cadence is required (separate from game update cadence) so we would likely be able to respond within hours.' During those hours, Vanguard would be disabled for the game, and players would be instructed to uninstall it in the meantime.

'In extreme cases, we would work with our patcher team to automatically remove Vanguard from all players' computers,' Chamberlain added. 'After we had pushed a fix or removed the driver, we would work with Microsoft to get the vulnerable driver blacklisted.'


So for now, at least, you probably don't have much to worry about by installing Riot's anti-cheat driver on your system. But if hackers find any exploitable errors in that driver, users will have to trust that Riot will be able to find and fix them promptly enough to keep their systems safe from attack. And that's a level of trust Riot seems to be taking pretty seriously, all things considered.


Dan Goodin and Jim Salter contributed to this report.
