New Study Reveals Windows Kernel Defenses Fail Against Thriving Game Cheating Market
Academics at the University of Birmingham performed a technical analysis of how game cheats and anti-cheat systems work and carried out a market investigation, analyzing 80 cheat selling sites in Europe and North America over three months.
Selling game cheats is not illegal in most of the world, although some cheat-selling websites have been sued by game developers on the basis that the cheats are a copyright infringement of the original game.
The researchers found that game cheats are sold on a subscription model, with one month’s access costing between $10 and $240. The researchers conservatively estimate the combined earnings of the 80 sites surveyed at between $12.8M and $73.2M annually, with the number of people buying cheats on these websites alone at 30,000 – 174,000 per month, making this a lucrative online gray market.
Game anti-cheats work in the Windows kernel, and the complete availability of game cheats tells us that the Windows kernel protections are not as good as many people thought.
Professor Tom Chothia, School of Computer Science
The researchers investigated the techniques used in online game cheating, as well as those deployed by ‘anti-cheat’ technologies. Most modern anti-cheat engines run in the Windows kernel, alongside applications such as anti-virus, at the highest level of privilege, which makes them more powerful than software run normally by the user. Software can only run in the Windows kernel if it has been approved and signed by Microsoft. An example of kernel-level software is the CrowdStrike system that recently failed, bringing down large parts of the internet.
While anti-cheats are allowed in the kernel by Microsoft, the study also revealed that cheat software commonly uses weaknesses in Windows protections to ‘inject’ itself into the kernel and gain the same high privileges. Many of the techniques mirror those commonly seen in malware and anti-virus, differing only in motivation.
Forum discussion and hands-on testing suggest that cheat developers commonly bypass Windows kernel protection measures by exploiting vulnerable third-party drivers, giving cheat software a foothold in the kernel. From there it can bypass the protections put in place by anti-cheat software, enabling users to cheat in competitive online games such as Fortnite, Valorant, and Apex Legends, all for a monthly subscription fee. The same kernel injection technique has previously been observed in advanced ransomware attacks, used to disable anti-malware protections before the main attack.
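Because the foothold described above comes from a vulnerable third-party driver that is already signed and loaded, the defender's first step is knowing which kernel drivers are running on a machine and who signed them. The PowerShell below is an added example, not code from the study or its authors: it inventories the running kernel-mode drivers, resolves their on-disk paths and reports the Authenticode signer of each, so the non-Microsoft ones can be reviewed against vendor advisories and Microsoft's vulnerable driver blocklist. The function name and the report fields are this example's own choices; the cmdlets and the Win32_SystemDriver class are standard Windows components.

```powershell
# Added example (not from the University of Birmingham study): inventory the
# kernel-mode drivers currently running and report their Authenticode signer,
# so third-party drivers can be reviewed for known-vulnerable versions.
function Get-RunningKernelDriverReport {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver lists kernel-mode and file-system drivers registered as services.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be quoted, relative to the Windows directory, or an
            # NT-style path such as \SystemRoot\System32\drivers\foo.sys or \??\C:\...
            $path = $_.PathName.Trim('"')
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $path = $path -replace '^\\\?\?\\', ''
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }

            # Get-AuthenticodeSignature only sees embedded signatures; catalog-signed
            # inbox drivers legitimately report NotSigned here (see note below).
            $sig = $null
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
            }

            $signer = '<none>'
            if ($sig -and $sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.Subject
            }

            [PSCustomObject]@{
                Name            = $_.Name
                Path            = $path
                SignatureStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
                Signer          = $signer
                # Coarse triage flag: anything whose signer subject is not Microsoft.
                ThirdParty      = ($signer -notmatch 'O=Microsoft Corporation')
            }
        }
}

# Usage: show only the drivers flagged as third-party for manual review.
Get-RunningKernelDriverReport |
    Where-Object ThirdParty |
    Sort-Object Name |
    Format-Table Name, SignatureStatus, Signer, Path -AutoSize
```

Two caveats apply to the output. Third-party drivers that went through the Windows Hardware Compatibility Program carry a Microsoft Corporation subject in their signature, so the ThirdParty flag under-reports and should be read as a first pass rather than a verdict; and many Microsoft inbox drivers are signed through a catalog rather than an embedded signature, so a NotSigned status on a driver under System32\drivers is expected, not suspicious. The report is most useful when diffed against a known-good baseline of the same machine.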
The researchers found cheats available for every game they looked at, meaning that no anti-cheat system is unbreakable. The team developed a series of tests to benchmark the effectiveness of each anti-cheat solution, finding that the games Valorant and Fortnite have the strongest defenses, with Counter-Strike 2 and Battlefield 1 having the worst. Comparing these results to the market analysis, they found a strong correlation between the strength of an anti-cheat and the price of a cheat that breaks it.
Sam Collins, the lead researcher on the project, said: “It’s fascinating to see such advanced attacks deployed in this context. It presents an intriguing counterpoint to more traditional and harmful malware, such as ransomware.”
Co-author Professor Tom Chothia added: “Studying cheats and anti-cheats leads to a better understanding of protections on Windows. While no game has an unbreakable anti-cheat, cheaters have to pay a lot more to cheat at games with stronger defenses. Game anti-cheats work in the Windows kernel, and the complete availability of game cheats tells us that the Windows kernel protections are not as good as many people thought.”
Dr Marius Muench further noted: “It is surprising that there is a large-scale economy behind game cheating and defenses against it, which is largely ignored by the cyber security community, even though there are well defined attacker and defender models.”
Game cheats are considered a type of Man-At-The-End (MATE) attack, where the attacker has full control over a system. Unlike a traditional virus/anti-virus situation, the end user is the attacker and will help the attack succeed rather than try to prevent it. This work represents an important example of MATE attacks being traded and deployed on a mass scale.
The work is described in the paper “Anti-Cheat: Attacks and the Effectiveness of Client-Side Defences” by Sam Collins, Marius Muench, Alex Poulopoulos and Tom Chothia, which was presented at the workshop on “Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks” on Friday the 18th of October in Salt Lake City, U.S.A.