Late last week, ArenaNet, makers of the MMO Guild Wars 2, suspended over 1500 player accounts it suspected of cheating. According to one of the players caught in the sweep, the studio accomplished this using what some users and experts are calling spyware to monitor people’s computers for known cheat programs.
“Today, ArenaNet suspended 1583 accounts involved in the use of illicit third-party software,” a representative for the company said in a forum post on April 12. They said the suspensions would last six months and not be open to appeal, before going on to advise players to remove any “illicit third-party software” from their machines lest they become the victims of malware or computer viruses.
Fabian Wosar, a player based in Germany who also claims to be a security researcher, was one of the players suspended and used it as an opportunity to investigate how and why he was targeted.
In a lengthy Reddit post on April 13, he said he had reverse-engineered a 32-bit version of the game’s client released on March 6. According to Wosar, this version of the game client, which was live until March 27, allowed ArenaNet to periodically check whether other processes running on players’ computers simultaneously matched a list of cheat programs.
While Wosar admitted to using bots to farm in other games such as FF14 and Path of Exile, he said he’s never used them for Guild Wars 2 because it isn’t as grindy. Instead, he believes his account was flagged simply for having the other programs installed on his computer and potentially running in the background.
On April 14, an ArenaNet rep posted a message on the game’s forums saying that “1516 accounts were suspended because we detected that the accounts were running Guild Wars 2 at the same time as one or more of the following programs over a significant number of hours during a multi-week period earlier this year”. The post listed the cheat programs it recently checked for.
CheatEngine is a memory editor that can be used for things like getting infinite ammo in a multiplayer shooter as well as modding games.
Wosar had fretted that ArenaNet’s approach could flag people who might innocently be running programs the company doesn’t like even if they weren’t using them on Guild Wars 2.
“I am working for an anti-virus company,” he wrote in his post. “I have a ton of tools running that can be used for hacking games. Process Hacker, Cheat Engine, Wireshark, IDA, x64dbg. Was I now banned because I forgot to close all my work stuff after work or because I grabbed my daily reward during lunch break?” CheatEngine is one of the programs ArenaNet said it monitored for.
ArenaNet hasn’t been clear about what they’re checking hacking programs for and whether they’re ensuring that they are being used on Guild Wars 2. In their April 14 post, they said, “We targeted programs that allow players to cheat and gain unfair gameplay advantages, even if those programs have other, more benign uses.” ArenaNet did not respond to a request by Kotaku for further comment.
Wosar initially feared ArenaNet was indiscriminately monitoring all programs running on users’ computers and having that data sent back to its own servers. Subsequent research by him and another Redditor suggests it was only retrieving info on matches for the blacklisted programs. Wosar still doesn’t like it.
“A lot of people will probably feel uncomfortable knowing that a game they play accesses all the programs running on their system and reads a lot of files that it has no business reading in addition to potentially sending some of that information back via the internet to their servers,” he said in an email to Kotaku.
Two security experts Motherboard spoke with said they would both characterise ArenaNet’s methods as a form of spyware but noted that, in the larger scheme of things, it was not very complex and would be easy for savvier users to bypass now that they know it exists.