Defcon panel: Bot ban waves are far apart because of profits

Blizzard chooses not to ban bots more frequently for profit reasons.

Josh Phillips and Mike Donnelly, doing a large presentation, both very knowledgeable on the subject:

“Does anybody wonder why it takes 3 months for a ban wave to happen? It’s because when you ban like 50,000 accounts in a week then those people who would rebuy those accounts never buy them again, because it gets expensive, but if you do it every 3 months or 4 months they will buy the accounts back so it’s actually profitable for the game company…”

A video of them saying this at the 35m15s mark, I wouldn’t go much past that, the vid’s pretty boring and high-level:
https://www.youtube.com/watch?v=hABj_mrP-no#t=35m15s

Also, specific to Diablo 3, There’s only one active D3 bot and they don’t change core although rotations/scripting changes. Botters expect that they could see about one ban wave per season. Ex:

It’s the same thing with D2 bots - they are easily detected they’ve been around forever and they’re incredibly simple bots to detect.

So again, the current bots are easily detected, their core code doesn’t bother to change, they could be banned frequently such that it becomes cost prohibitive but Blizzard declines to do this for financial reasons.

Therefore, this is a fallacy:
“Blizzard can’t detect bots”

And this is a fallacy:
“Blizzard doesn’t ban more frequently because botters would just change their code and make themselves undetectable again”

And this is a fallacy:
“There’s nothing we can do, we’ll always have bots”

Anyway that’s the end of the summary. If you want to glaze your eyes over with some details on Blizzard’s Warden and Donnelly’s Gliderbot, that’s below. It’s just stuff I ran into while looking into all this. There’s also a link to D2R and Blizz removing GitHub repos at the end. For many of you this is nothing new.

2004:
Blizzard: “When World of Warcraft first launched in 2004, our GM and hacks teams searched for bots manually – a process that became increasingly ineffective as bot technology evolved.”

2005:
In 2005, this manual process obviously changed. Warden was first outed and analyzed by cybersec expert Greg Hoglund in 2005:
"…it’s written like shellcode in that it’s position independent. It is downloaded on the fly from Blizzard’s servers, and it runs about every 15 seconds. It is one of the most interesting pieces of spyware to date…here is what it does, about every 15 seconds, to about 4.5 million people (500,000 of which are logged on at any given time):

• dumps all the DLL’s using a ToolHelp API call. It reads information from every DLL loaded in the ‘world of warcraft’ executable process space

• uses the GetWindowTextA function to read the window text in the titlebar of every window. These are windows that are not in the WoW process, but any program running on your computer. Window [URL strings] can easily contain [sensitive personal information], for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time.

• Once these strings are obtained, they are passed through a hashing function and compared against a list of ‘banning hashes’—if you match something in their list, I suspect you will get banned. [This is called SBD or signature-based detection].

• Next, warden opens every process running on your computer. When each program is opened, warden then calls ReadProcessMemory and reads a series of addresses—usually in the 0x0040xxxx or 0x0041xxxx range—this is the range that most executable programs on windows will place their code. Warden reads about 10–20 bytes for each test, and again hashes this and compares against a list of banning hashes. [This is to detect known bots and cheats using signature-based detection]. "

Another netsec expert did a section on Warden in his bot hacking book and said this about Warden:

"[Warden] is delivered as compiled shellcode and typically has two responsibilities:

• Detect bots.
• Periodically send a heartbeat signal to the game server. The value sent is not predefined but instead is generated by some subset of the detection code. If Warden fails to complete the second task or sends the wrong value, the game server will know that it’s been disabled or tampered with. Furthermore, a bot can’t disable the detection code and leave the heartbeat code running.

The Halting Problem:
A bot that could disable Warden’s detection code and still send the heart-beat signal would solve the halting problem, which Alan Turing proved to be impossible in 1936. The halting problem is the problem of determining, with a generic algorithm, whether a program will finish running or continue forever. Because Warden does two tasks using the same shellcode, writing a generic algorithm that can disable just one task is a variation of the halting problem: the algorithm can’t be sure which parts of the code will definitely execute, which parts won’t, and which parts are responsible for each task.

Warden is formidable because you not only have no way to know what you’re hiding from but also have no way to disable the toolkit."

The major takeaways for Warden - it uses SBD. It runs in user-mode, not kernel mode. Bots and cheats have not been able to disable it or remove it, thus they have to work around it and still remain undetected. Warden’s code does not change based on a Blizzard game’s patch or update schedule - Warden could be updated any time, there’s no telling when it will change. Some bot makers have their bots set up to automatically disable themselves if Warden changes. For example, If the bots remained active they might be detected with new changes to Warden so the bot maker gets paged to investigate, make bot coding changes, recompile, redistrib, and enable and so on.

2006-2009:
Mike Donnelly’s Gliderbot comes on the scene and makes a huge impact on WoW. Gliderbot operates in part by examining the data states in the game client program, running a shadow driver to remove its process object from Windows and hooking kernel functions. On the scripting side it uses keyboard and mouse inputs to appear as human as possible but it is still easily detected.

As of 2008, it had sold approximately 100,000 copies. MDY was a multimillion dollar company operating out in the open and selling the bots. Blizzard contended in a 2006 United States federal lawsuit that the program’s use violated their terms of service. Because MDY was in USA, Blizzard could easily get to them in the courts and did so. Gliderbot and MDY were completely shut down by Blizzard through the courts where Blizz won a $6 million dollar judgement.

this would be insane if this was actually true … but it sounds pretty logical

Yeah, Phillips at the time had worked for Kaspersky Labs (well-known anti-virus) and Microsoft. Donnelly was probably the most well known botter of that era due to the publicity of the lawsuits and so on.

They were presenting in front of a crowd that always has some of their peers, the press is also involved with these things.

Everything technical throughout was on the money. It’s especially insightful since Donnelly literally witnessed those ban waves happen for years.

Then there’s the D3 bot maker - they took over TurboHud from KJ - they’re the only major player for D3 I think. The devs admitted they’re easily detectable, the bot kids even accept they might get popped every so often but as the one graphic said from that site: “…you can rebuy the game on your account and bot away with no side effects”.

I always imagined this to be exactly the case.

If you’ve ever seen a train of boomkins in WoW running the exact same farming path down to the individual step for hours with no GM jumping in to immediately stop them, you’d realize most botting is incredibly obvious from the result of their optimizations and the efficient pathways bot users usually set them to cycle.

There isn’t really an excuse to have your game full of bots in 2021.

so yes blizzard could stop them, but they would rather punish is normal players who follow the rules so they can make more money.

got it.
and they said activation only cared about money… silly people. /s

Good! This way the economy will be casual-friendly and items will be plentiful.

I don’t see the problem. =)

Uh no. That’s terrible. It ruins the economy. Hency why hrs are so cheap on JSP 4 days into a new ladder

Wouldn’t surprise me. Practically growing up on bnet taught me that the vast majority of people are complete scum, so why not scumbag reasoning for the game being ruined? Of course the solution already exists and just isn’t being used.

I’d probably be willing to pay 5 of 10 times as much for D2:R if Blizz did a weekly banwave tbh.

The real question is what is done with that money?
Diablo 2 is running for 20 years. There has been no new content in the past ~10 years at least. Is that a way to finance the servers? Or is it simply a nice extra-cut for the companies investors?

Same for D3. There has not been much extra content since RoS, so about 5 years. It only changed when they started making some Hype for DI, D2R & D4. Probably would have done even less if that “Don’t you guys have phones”-Stunt would have worked as they anticipated it.

So, since the extra-purchases do not really seem to pay back the damage that the botters are doing to the community, i also dont see any justification for it.

Maybe they dont want to break existing bots, so that they do not have to update their warden so often. That could be a cost-avoidance argument. Still, would you allow a burglar into your house every 6 months, because he left you 5$ for the broken window on his way out?

Not excusing anything but sometimes it’s just blind leadership. It was said before they wait until they felt like they found enough using the hack/bot that the ban would feel meaningful and if banned at once is less likely they will know their bot was found and will require time to patch.

The problem if that was the thinking is obvious bots, especially people that can just run code is you have hordes of people easily seeing someone bot with no consequences.

In the end it could be just about money, sadly everything is aimed at ever increasing profits with no morals on how it gets done.

I just remember back in the day having actual human mods wandering around catching cheaters and now it’s crickets with strategically planned bot bans which sour how they look in between.

Most bots could and should be able to be detected…honestly most botters just know enough to run the programs and almost always mess with the timers or do it in the open.

Okay rant over but in the end I do agree they need to step up their game.

Blizzard I think runs at ~30% operating profit margins, so there is continuous money coming in to pay their ongoing server costs even for old games.

I’d imagine. Still i can also imagine a manager stating that “every game should carry its own weight”.
I didnt crunch the numbers, but assuming that 50% of the botters rebuy their accounts, could the d2-bnet be financed by the profits, would it actually benefit the overall performance or would it be marginal value?

As the game gets old and in maintenance mode, its costs are pretty low. The playerbase has declined that results in less server costs and Blizzard are just updating to keep compatibility with new operating systems, etc…

The marketing advantage is that they can say “buy our game and we will keep the servers running for 20 years and counting”.

Ban waves do bring in some revenue as a subset of people rebuy accounts,

Still there are powercosts, replacement of parts, etc.
Of course compared to a D3 or WoW server, the D2 requirements are most likely marginal. still there are a few thousand server instances running. So that will create some running costs.

But you are correct, maybe it is part of the “marketing budget”.

Of course, they can ban bots on the spot, they always could.

Bobby Kotick bonuses.

I seriously doubt that D2 takes multiple/dozens of servers.
The game is 21 years old.
All it probably takes today is a SINGLE VM spun up in Vcenter, heck I bet that 4GB of ram would be enough to run the entire EU D2 server.
Just to give you some perspective - typical gaming PC build from 2000 would have had 128 MegaBYTES of RAM (maybe 256 if lucky to find a good deal).
Today for example I consider my next upgrade (next year if prices and availability of components permit) to have 32 GigaBYTES of RAM

With D3, the only official recurring revenue model is apparently with micro-transactions in China - the game is released there as FTP + mtx and apparently has been very successful.

Blizzard and NetEase originally partnered in 2008 to bring StarCraft II to China. They partnered again with the D3 China release and based on that same partnership and success with D3 + mtx, Diablo Immortal was born. D:I was originally only targeting China but eventually expanded internally to include other regions like NA/EU/Asia-in-general and so on.

Also, when RoS released in 2014, it sold better than D3V averaged over the next year and a half. People often think RoS and that more recent Diablo content was not as successful commercially as D3V - but it was, ex:

• D3V launch through start of 2014: 15 million.
• Post-ROS: 15 million additional for total 30 million by mid-2015.
• Total sales by mid 2015 of 30 million

Another useful stat is that RoS was selling at a 830K+ per month avg clip and Vanilla in 2013 was only 250K/mo.

And covered in another thread was the giant blunder by Blizz management to cancel the 2nd DLC of D3, most likely in late 2013. The team had been working on the 2nd DLC in parallel with releasing RoS but the management canceled it. It’s likely that this 2nd DLC would have been very successful, made lots of money, improved the endgame, and kept the playbase more active for at least a couple of years.

The decision to cancel the 2nd DLC was also heavily criticized by ex-staff during interviews.

R.I.P. Druid. You will be missed.

Well only thing to avoid this would be implementing microtransaction into the game so they dont lose money which they generate from bots baning and buying new accounts.

OW has basicly same issue with smurf accounts.