Originally posted on my corporate blog at http://blog.avanadeadvisors.com/blogs/waynea

These days, it seems you cannot turn a page in a gaming journal without seeing an advertisement for some new Massively Multiplayer Online game. You have MMORPGs (Role Playing Games), MMORTS (Real Time Strategy), MMOFPS (First Person Shooter, AKA Action), MMOA (Adventure) games, and a handful that do not fall into any neat category. Recently, however, a series of events has been raising the profile of security awareness on these systems as people have concentrated on ways to attack the systems themselves from within the framework of the game.

Most Recent Incident

Take this most recent incident from Second Life, for example. For those not familiar with Second Life, a company called Linden Labs has created a world wherein players can create new objects and barter based on an artificial currency which can be purchased, et al., from Linden Labs for use in the game. What makes Second Life noteworthy is the ability to purchase "land" in the virtual world and set up persistent structures and mechanisms by which to use the game, including digital storefronts and casinos; there are even a few organizations, such as Sun Microsystems, which have undertaken to purchase land and construct a persistent advertising booth.

As a side effect of the freedom granted the player to create persistent objects in a shared world, there has come an increased vulnerability to players being able to build objects that take advantage of the in-game scripting framework. On Sunday, November 19th, one or more players entered the Second Life world and created a self-replicating object which took the form of a gold ring, similar to those of familiar games like Sonic the Hedgehog.
The interesting thing about this otherwise simple scripted model is that this new object had attached a scripted action whereby when a player interacted with the ring inside the Second Life world, the ring would replicate onto the player. Big deal, right? Actually it is. These objects replicated onto thousands of players within a few hours because each player that investigated a ring just sitting in midair in the game spawned a new ring of their own because of the embedded object script event. Within hours, these objects were so numerous that the database farm providing the backend object tracking and information store for Second Life had slowed to the point that the game was becoming unplayable.

But It's Just a Game

When I first saw the stories making the rounds on blogs, forums, and eventually SecurityFocus, it was hard not to adopt an attitude of "it's just a game, who cares?" The fact here is that Second Life is a business of Linden Labs. A business which is paid real money by real players. While browsing the Second Life community pages, I noted a player upset because they had made a bank transfer to gain extra credits in the world. The bank still had the transfer. The world did not have the credits. Another player was annoyed because they had purchased the right to upload a model and some textures to build an object in the world. At the time that the Second Life grid was relaunched, it appeared that these uploaded objects were gone; however, the money was not rolled back accordingly.

That's what I personally find so interesting about this particular attack. In Second Life the relationship between real-life money and the world itself is highly apparent and very direct. Unlike many RPG games, where you spend money to obtain an avatar or to keep a persistent character, and then your abilities are based on gameplay, Second Life uses in-game dollars to assist the player in owning things in the world.
The rights of the players are directly based off of these dollar amounts, which players must purchase with real money. If attackers can locate a mechanism by which to slow the game to a point where these transactions cannot be accurately processed, there becomes a highly visible monetary loss experienced by the playerbase directly, instead of the mostly theoretical losses incurred by game publishers when a game like World of Warcraft goes down for a while.

The Dangers of Scripting Freedom

This is not the first time that Second Life has faced this same threat. On September 18th, Second Life was forced to suspend logins to fix a self-replicating object attack. While hunting around on the blog site, I found that Linden has seen fit to build a series of security posts warning players against various forms of phishing scams, purported game hacks, and the use of programs to copy objects without actually creating them, and commenting on real security breaches like that of the September 6th Database Intrusion, which exposed some player information as well as some of the game and website source code to an external intruder.

Not an Isolated Incident

Unfortunately, while Second Life provides some of the strongest examples of these attacks because of the direct relationship of the game to real money as well as the scripting and modeling freedoms accorded the player, Second Life is not the only Massively Multiplayer virtual world to be affected by these types of attacks.

In Blizzard's popular World of Warcraft game, following the implementation of monsters which create a contagious plague on players, some players were able to use the monster to bring the plague to populated areas of the game, resulting in entire cities full of hundreds of online players being infected by the monster's malady. This forced Blizzard to remove and restrict the new NPC (non-player character, an artificial lifeform in the game) to a limited environment.
The developer responded with a patch for the game which restricted both the character and the illness that it generates to a dungeon (a specific area designed and implemented to create an adventure for in-game characters). Blizzard, in 2005, also created a specific hacks team which investigates and prosecutes hacking in the World of Warcraft game according to the game's Terms of Service, which include removing completely a player's account.

In Electronic Arts's Sims 2, players used a file export exploit to propagate a series of illicit modifications to in-game objects via files posted on community sites for others to download. In these files, the users would place objects that behaved in different ways or changed the frequency of a given event (making an event that happens once in a while happen every time, for example) for a number of objects in the game. These file imports would then modify the game of the person using the shared objects, spreading the hacks whether the importing user wanted them or not. In response, Electronic Arts modified the online exchange to display the modifications made to any given uploaded file.

Security Disciplines Transposed to the Gaming World

Having once worked for a game developer, I still find myself interested in how many of the infrastructure disciplines that we apply in the field also apply to the gaming vertical. Threats from self-replicating objects, risks to business models, disaster recovery implementation: the same principles that we apply to an insurance agency, a Fortune 500 oil company, or a mom-and-pop accounting firm apply to the organizations that build and host these massive online games. Companies like Blizzard are realizing this principle and are expanding their Information Services teams to hire on Backup Administrators, senior network administrators, and security specialists to address these very real threats and the financial risks that these threats present to a large game developer and publisher.
As the online gaming worlds continue to become more complex, and the safeguards that protect them mature, it will be interesting to watch to see if the sophistication of the penetration and subversion attempts continues to do so as well.