Invasive Roots of Anti-Cheat Software

Alissa Torres

Some of the most sophisticated rootkit behaviors are implemented by today's anti-cheat gaming software, in a constantly evolving game of cat and mouse. Game hackers often look for flaws in a system or program’s logic, seeking to exploit them for their own performance gains. As cheats evolve to evade detection, so do the anti-cheat software products, employing hooking mechanisms to catch the newest subversions. Often the effectiveness of an anti-cheat implementation will affect legitimate users’ enjoyment (no one likes to play with cheaters, even cheaters themselves!), making it highly profitable for game developers to focus on improving this technology and expediently identifying game hackers. As a natural consequence, anti-cheat software has grown more invasive and intrusive. For example, a recent version of VAC (Valve's Anti-Cheat Software) was found to scrape gamers' system DNS cache in order to spot commercial game cheats and ban users. Just what else is being extricated from our gaming systems and which products are the worst offenders?

By analyzing system memory, several anti-cheat software implementations will be isolated. With a cadre of reverse engineers, we will walk through just how these products are monitoring for game hacking behavior and if any of these techniques call into question aspects of their End User License Agreements.

Bio: Alissa Torres is a certified SANS instructor, specializing in advanced computer forensics and incident response. Her industry experience includes serving in the trenches as part of the Mandiant Computer Incident Response Team (MCIRT) as an incident handler and working on a internal security team as a digital forensic investigator. She has extensive experience in information security, spanning government, academic, and corporate environments and holds a Bachelors degree from University of Virginia and a Masters from University of Maryland in Information Technology. Alissa has taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), delivering incident response and network basics to security professionals entering the forensics community. She has presented at various industry conferences and numerous B-Sides events (those being the best events, obviously!). In addition to being a GIAC Certified Forensic Analyst (GCFA), she holds the GCFE, GPEN, GCIH, CISSP, EnCE, and CFCE.

Back to BSides Las Vegas 2014 video list