While nobody likes a cheater in online games, sometimes how a company monitors and bans cheaters can go wrong. Such is the case with a recent ban fest unleashed by ArenaNet for their Guild Wars 2 game, which used a program that monitored all processes running on a computer for blacklisted programs.
It all started on April 12th when Chris Cleary, the Fraud, Risk, Analytics and Game Security Lead for ArenaNet, posted on Twitter some comments that are now known to be related to ArenaNet beginning their mass ban. These tweets have since been removed, but you can see an image below that someone posted to Reddit.
The last tweet Cleary references is a post in the ArenaNet forums titled "Game Accounts Suspended - April 12, 2018", where ArenaNet detailed how they banned 1,583 accounts for the "use of illicit third-party software". This post goes on to say that the accounts were banned for breaking the Guild Wars 2 User Agreement and their Rules of Conduct.
These rules include not attempting to "interfere with, hack into, or decipher any transmissions to or from the servers running Guild Wars 2", "exploit any bug", or "use any third-party program" in regards to Guild Wars. Those users who were caught during the banwave had their accounts suspended for 6 months and ArenaNet stated they would not be "accepting appeals about these account suspensions."
The problem is that one of the people who they caught in this net of bans is a well known security researcher and reverse engineer named Fabian Wosar.
When he logged into his Guild Wars 2 account and discovered a message stating that he was banned for modifying or tampering with Guild Wars 2, he immediately became suspicious and started poking around.
In a Reddit post, Fabian outlines how he discovered that Guild Wars 2 introduced a "client-side spy component" on March 6th, 2018 which was used to monitor all of the processes running on a computer. While running, MD5 hashes for the running processes were computed and compared to a list of MD5 hashes of blacklisted programs. If there was a match, this information was sent back to ArenaNet's servers.
Those who were running these offending programs were subsequently banned due to this process. This program was then removed on March 27th, so anyone who was banned in this round probably got caught using a blacklisted process during that timeframe.
In Fabian's case, he was quite surprised as he was not using any of the running programs in relation to Guild Wars 2. Instead, one of the programs detected was running because he uses it for security research.
"Cheat Engine is a memory debugger that I use for quick memory inspection and tinkering" - Fabian Wosar
Obviously, Fabian and many other users felt violated by the fact that ArenaNet was monitoring processes on their computer without their knowledge. This type of spyware-like behavior is definitely not what one would have expected from a well known and liked game like Guild Wars.
Furthermore, if you can get past the fact that they were monitoring your processes, Fabian told Bleeping Computer that instead of just checking to see if the blacklisted programs were running, they could have checked to see if they were actually using these programs to cheat in Guild Wars 2 as outlined below.
"In case of MMOMINION they can check for the code that they inject into Guild Wars 2. No need to scan anything external. MMOMINION does remove its DLL from the list of loaded modules, but that doesn't stop you from just looking for their mappings and detect those.
In case of Cheat Engine, they could simply obtain the list of all open handles of the process and see if it has the Guild Wars 2 process opened, which would indicate that Cheat Engine is attached to it." - Fabian Wosar
Using the above method would have reduced the risk of banning people using the programs for tasks unrelated to Guild Wars 2.
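The difference between the two approaches, modelled over constructed process snapshots. This is an added example, not ArenaNet's or Fabian Wosar's code; the process names, PIDs, image bytes and handle sets are all made up, and a real client would obtain them from the operating system.

```python
import hashlib
from dataclasses import dataclass, field

GAME_PID = 4242  # constructed PID standing in for the game client


@dataclass
class Proc:
    pid: int
    name: str
    image: bytes  # constructed stand-in for the executable's bytes on disk
    open_handles: set = field(default_factory=set)  # PIDs this process has opened


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed blocklist holding the hash of a stand-in "memory debugger" image.
DEBUGGER_IMAGE = b"constructed-memory-debugger-image"
BLOCKLIST = {md5_hex(DEBUGGER_IMAGE)}


def flag_by_hash(procs):
    """Policy the article describes: any running process whose MD5 is listed."""
    return sorted(p.pid for p in procs if md5_hex(p.image) in BLOCKLIST)


def flag_by_hash_and_handle(procs, game_pid=GAME_PID):
    """Narrower policy: listed AND holding an open handle to the game process."""
    return sorted(
        p.pid for p in procs
        if md5_hex(p.image) in BLOCKLIST and game_pid in p.open_handles
    )


# Constructed snapshot 1: debugger attached to an unrelated process under analysis.
RESEARCHER = [
    Proc(GAME_PID, "game.exe", b"constructed-game-image"),
    Proc(100, "debugger.exe", DEBUGGER_IMAGE, {777}),
    Proc(777, "sample.exe", b"constructed-sample-image"),
]
# Constructed snapshot 2: the same debugger attached to the game itself.
TAMPERING = [
    Proc(GAME_PID, "game.exe", b"constructed-game-image"),
    Proc(200, "debugger.exe", DEBUGGER_IMAGE, {GAME_PID}),
]

if __name__ == "__main__":
    for label, snap in (("researcher", RESEARCHER), ("tampering", TAMPERING)):
        print(label, flag_by_hash(snap), flag_by_hash_and_handle(snap))
```

The hash-only policy flags both machines, while the handle-aware policy flags only the one where the listed tool has the game process open.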
On April 14th, ArenaNet added a new post to their ban topic stating that "they targeted programs that allow players to cheat and gain unfair gameplay advantages, even if those programs have other, more benign uses." The list of programs that were targeted is:
ArenaNet's User Agreement includes a section that states that they may conduct this type of behavior in order to determine whether a user is in compliance.
Unfortunately, this announcement further infuriated users who felt like they were collateral damage, as there was no apology for the program's spyware-like behavior and ArenaNet appeared not to care that some people were suspended for no good reason.
"I just think they overstepped what is and isn't okay. They openly admitted that they banned users who had programs running, that had other uses besides cheating, and they simply don't care about it." - Fabian Wosar
Others on Reddit are fired up as well, with one user having allegedly called the FTC regarding these bans.
Bleeping Computer has contacted ArenaNet with questions regarding these bans, but had not heard back by the time of this article's publication.