  • Trying to get a tiny bit wiser regarding detection, as to how to approach Blizzard

    Discussion in 'Discussions (no Ban Reports here)' started by Darkdog72, May 22, 2015.

    1. Darkdog72

      Darkdog72 New Member

      Joined:
      Dec 3, 2014
      Messages:
      56
      Likes Received:
      3
      Trophy Points:
      0
      Hello all,

      I am currently trying to help out some people regarding how to approach Blizzard. Since Blizzard at this point hasn't revealed any information on how they identified HB and what method they used, it's clear that one needs to be careful about how to approach them. This is of course completely intentional, as it would always be possible to find more or less legit explanations if you know their methods.

      Please don't derail the thread with anything but what I'm asking (opinions on legal issues, and whatnot, just because you just have to).

      What we know, is that some people got busted on some accounts and not others, on the same PC. That pretty much rules out that it's a disk scan only issue, unless wow/HB was run from different users with different disk access rights (unless of course, Blizzard detected so many accounts they just randomly picked a subset to lessen the impact). I am curious about a few things, though:

      • Was the HB program active on your PC whilst logged into an account that wasn't banned during the suspected detection period, but never executed any bot/script on the unbanned account?
      • Did you run HB with a renamed bot directory and executable, or even altered the executable so that it would return a different checksum/hash if scanned?
      • Did anyone run WoW in user mode, and HB as Administrator, so that WoW wouldn't have access to read process/task lists not run on the User account?
      • Did you run the launcher, or just WoW?
      • Did you run HBRelog or similar program?
      • Did you ever run HB on one char and relogged to another without stopping HB, such that it attempted to cast spells/attacks and such that belong to another class? (this would be literally impossible to do on accident, unless you deliberately made macros to spam mass amounts of bad spells on the wrong class via LUA calls).
      • Did anyone run HB as Administrator and WoW as another User and restrict access to the HB containing dir/disk to the Admin user so WoW couldn't read its content (file lists or the log files of HB)?
      • Did you check if you were banned on the bnet account list on battle.net or in the Blizzard launcher, before you actually logged in to the game (was the detection related to logging in somehow?)

      What is clear is that Blizzard refuse to provide proof for their reason behind termination of their account. This is pretty dodgy according to several trade/merchant laws (if you disagree about that fact, you are free to do so, but leave it out of this thread), so it's obvious that they are willing to take risks by withholding this information. This makes me suspect that they have detected HB in a way that can't be unmistakably linked to activities on a specific account, or in fact they detected HB by means that could be easily circumvented (i.e. external detection/scanning and not in-game detection of data sent to the game client itself). Nevertheless, I suspect that they now are buying time and are taking the risk and will re-enable the accounts if the method indeed is illegal or in such a way it can't be linked to an account with 100% certainty to avoid the shit storm.

      Why am I asking? Because I'm helping someone out who got banned, without actually botting his account. However, HB was running on the PC but not attached to the game, but at this point we're unsure if it could have been attached by mistake at some brief moment (no actions, just running Enyo, although it still means it could have cast some spells like missing buffs and so on) before it was shut down. He did definitely not run any actions or movements, that would be considered "running a bot". We need to figure out a bit more, in order for him to be able to appeal this in a way they can't refute based upon evidence.

      Please no speculations and noise. If you're not absolutely sure about one of the things I'm asking, it is better to not answer it. I know there is a fair chance that someone will deliberately plant false information in this thread, but I hope some reputable people can provide some insight.
       
      Last edited: May 22, 2015
    2. Skeerrt

      Skeerrt Member

      Joined:
      Dec 23, 2011
      Messages:
      71
      Likes Received:
      1
      Trophy Points:
      8
      Haven't tried yet, but I assume WoW would request permissions or not run if it wasn't as admin.

      Then again, certain programs can read enough without being admin and all they need is a hint and they can watch from there
       
    3. Darkdog72

      Darkdog72 New Member

      Joined:
      Dec 3, 2014
      Messages:
      56
      Likes Received:
      3
      Trophy Points:
      0
      I can run WoW from my guest account on this PC (Win 8.1) and it's possible to use auditing/security tools to stop access to process lists of other/elevated users if something is accessible by default. At least it used to be, when I worked on securing web servers running Win NT 3.51/2K/Vista. There are also tools that would "sandbox" WoW within its own directory and you'd have to explicitly allow accessing files outside of its folder. In hindsight, everyone should have done such things, because then we'd know for sure that detection happened based upon changes to wow processes or because of data sent from the bot to the client. Well, beyond the scope of this thread anyway.
       
      Last edited: May 22, 2015
    4. atg68

      atg68 New Member

      Joined:
      Oct 19, 2010
      Messages:
      933
      Likes Received:
      6
      Trophy Points:
      0
      1) No
      2) yes - renamed directory
      3) no
      4) just wow
      5) no
      6) no
      7) no
      8) I was online botting when the ban happened, both accounts kicked off

      2/2 accounts banned.


      Hope this helps
       
    5. Pierlala

      Pierlala Member

      Joined:
      Sep 19, 2012
      Messages:
      497
      Likes Received:
      3
      Trophy Points:
      18
      I can't really give any insight on possible methods used to detect HB. But I know for a fact that the detection must have taken place somewhere between 26th April and 6th May. I know this because my partner, who never bots on his own computer because his computer is really crappy and can't even have a browser open while playing WoW, botted on my computer during his visit (he lives out of the country). This was between 26th of April and 6th of May. Then he went home again and, as we all know, got banned as well on 13th of May. I myself botted on 2 accounts. Mostly running separately on my Desktop and my laptop, since that goes smoother and less lag or suspicion if Blizzard would see 2 accounts running on the same device.

      I will answer the questions below:

      Was the HB program active on your PC whilst logged into an account that wasn't banned during the suspected detection period, but never executed any bot/script on the unbanned account?
      Yes, I had my bots running on both my PC and laptop during this period.

      Did you run HB with a renamed bot directory and executable, or even altered the executable so that it would return a different checksum/hash if scanned?
      No, I never do that. I am not experienced with those kinds of shenanigans.

      Did anyone run WoW in user mode, and HB as Administrator, so that WoW wouldn't have access to read process/task lists not run on the User account?
      I believe I ran both WoW and HB in normal user mode. Although I do always get the annoying pop-up message if I want to open the program, I never bother to turn it off in Windows.

      Did you run the launcher, or just WoW?
      I run WoW (32 bit) as standard (no launcher) since I want to be able to enable the bot without having to log out (since I do play a lot by hand, except leveling toons or full Garrison runs).

      Did you run HBRelog or similar program?
      Never used HBRelog since I read several times that it raises the chance of getting banned (not sure why though).

      Did you ever run HB on one char and relogged to another without stopping HB, such that it attempted to cast spells/attacks and such that belong to another class? (this would be literally impossible to do on accident, unless you deliberately made macros to spam mass amounts of bad spells on the wrong class via LUA calls).
      -This- in fact happened A LOT on my behalf. I sometimes used a CR if I was bored in LFR or after doing Garrisonbot on one of my toons and then as soon as I log in the character goes and collects ores/herbs again (since that's just part of the botbase). But when it gets into a fight for example, it does tell me that I can't use this spell etc., since I forgot to relaunch HB.

      Did anyone run HB as Administrator and WoW as another User and restrict access to the HB containing dir/disk to the Admin user so WoW couldn't read its content (file lists or the log files of HB)?
      Simple answer...No.

      Did you check if you were banned on the bnet account list on battle.net or in the Blizzard launcher, before you actually logged in to the game (was the detection related to logging in somehow?)
      I never use the battle.net app since I use 32 bit as standard so I can load HB whenever I want without relogging. My main account got banned. Ten minutes later my second main account got banned. I logged on the Battle.net website, but both accounts were still listed as "active". Took around half an hour for it to change to "banned".

      Just finished a manual ICC run by hand at the moment I got banned. (No bots active). Funny thing is. The account (my main) was not online while the ban occurred. I noticed it when I had finished my ICC run on my second account and wanted to relog to my main account when my partner on Skype told me he was banned for 6 months. I was all like..."Aaw...that's lame" (I even thought he was joking at one point) then ten min later I got banned too. Ten min later, my second account as well :cool:
       
      Last edited: May 22, 2015
    6. frosticus

      frosticus Community Developer

      Joined:
      Oct 19, 2012
      Messages:
      2,930
      Likes Received:
      58
      Trophy Points:
      48
      i keep my honorbuddy folder inside my WoW/Interface/Addons folder and went undetected for months. but i also had a soda can over my router antenna. so, go figure
       
    7. Pierlala

      Pierlala Member

      Joined:
      Sep 19, 2012
      Messages:
      497
      Likes Received:
      3
      Trophy Points:
      18
      So, you weren't caught?

      PS: My router doesn't have an antenna :p
       
    8. Darkdog72

      Darkdog72 New Member

      Joined:
      Dec 3, 2014
      Messages:
      56
      Likes Received:
      3
      Trophy Points:
      0
      I think you're onto something with the soda can. Honestly though, I'm trying to rule out explanations and not add to them. Elimination methods are usually better than brainstorming.

      I don't think it was related to disk scanning, but it could be registry scanning (HB is listed as an installed application, which I find risky) or process scanning; finding "HonorBuddy.exe" in your process list at the time you start the game or log in is pretty much giving you away, even though they can't prove you ran it to your advantage on that specific account.
       
    9. frosticus

      frosticus Community Developer

      Joined:
      Oct 19, 2012
      Messages:
      2,930
      Likes Received:
      58
      Trophy Points:
      48
      im kinda nub, but isnt the registry on the disk?

      installed programs.PNG
      where is that list found again?

      everywhere i look, it lists the specific wow process that hb is linked to.

      changing people's minds on this forum is like trying to tell people Jesus didnt sleep with whores, even though there is no mention of it in the bible.


      if we are going to go out in the woods with the story telling, then why not a network commanded screen grab utility integrated into the wow client.
      ------DISCLAIMER THIS IS ONLY PROOF OF CONCEPT, NOT THE ACTUAL PROGRAM

      then a simple program to look for the little gray box that is honorbuddy.
       
      Last edited: May 22, 2015
    10. atg68

      atg68 New Member

      Joined:
      Oct 19, 2010
      Messages:
      933
      Likes Received:
      6
      Trophy Points:
      0
      HB is listed in the registry as an installed app.. it's not in the "uninstall programs" list.
       
    11. frosticus

      frosticus Community Developer

      Joined:
      Oct 19, 2012
      Messages:
      2,930
      Likes Received:
      58
      Trophy Points:
      48
      see, told you i was nub
       
    12. Darkdog72

      Darkdog72 New Member

      Joined:
      Dec 3, 2014
      Messages:
      56
      Likes Received:
      3
      Trophy Points:
      0
      Sure, it's stored on disk but it's present in memory. Apps can access the keys in the registry through the Windows API and read straight from there, without having to touch the disk through the regular file handling API. If you run WoW under an admin account, WoW would be able to read anything from there.

      Besides, you can uninstall any app without it being removed, if you have copied or moved the installation folder so that if it even appears in the list of installed apps in the control panel, it can be removed from there. I vaguely remember HB also appearing in that list at some point, but I might remember wrong.

      That's right, but once HB is attached to a WoW process, it stays connected to that process no matter if you swap char or log out and into another account. HB doesn't complain if you swap char or even log into another account (it really should have an option to shut down on char change to prevent accidents, i.e. trying to buff BoM on a Mage or logging in to a clean account).

      How about stopping to tell people anything and get some fresh air?



      Programs like that exist and WoW already has a Screenshot feature. If they wanted to, it would be no problem to make it snapshot the entire screen instead of the WoW window and fetch it. However, they'd be sued to hell and back if they attempted to do that and got busted; as well as going through allegedly 100K+ screenshots? Likewise, it would be no problem detecting HB from just reading the process list if the executable isn't renamed and eventually find its path and fetch your HB logfiles. Even if they don't contain your full char name, they are only partially masked and not really hard to link to your chars on your accounts. The only safe thing would be to give the exe file a random name at install time like some other shady programs do and run wow with security settings so it can't read the folder of HB, to stop the process from being identified by hashing or similar.
       
    13. frosticus

      frosticus Community Developer

      Joined:
      Oct 19, 2012
      Messages:
      2,930
      Likes Received:
      58
      Trophy Points:
      48
      challenge accepted!


      this thread is a dismal rehash of 30 other threads.
      and here is a statement from a developer

      BOOM!! Headshot
       
    14. Tamahawk

      Tamahawk New Member

      Joined:
      Aug 2, 2012
      Messages:
      108
      Likes Received:
      6
      Trophy Points:
      0
      Can we find a better way to rename the executables and their descriptions?

      DarkDog and others,

      Nobody flame me please but it seems to be that "charity should start at home" or in this case ... Bossland needs to help us by cleaning their executables for starters. If you right click on the HB executable and go to details, EVERYTHING is there! Surely there's a way for Blizz to access that with their homemade "malware", no? I mean it's all right there plain as day.

      HB Details Properties.png

      And as has been discussed here already, you need to change your executable name but even then, if you bring up your processes although HB appears under Image Name as the renamed exe, the damned Description still says Honorbuddy!

      HB Description in Processes.png

      I am not a programmer and so if what I'm about to suggest is stupid, dumb, etc... please forgive me BUT can't Bossland sterilize their executables? Get rid of all traces of Bossland, Honorbuddy, etc... Better yet, use Descriptive info from a basic Windows exe like mspaint.exe or something that no one would look twice at.

      How about Bossland actually help us by sterilizing their files as much as possible and we'll do what we can as well. I'm afraid I don't know how to remove the properties details as only 3 of them seem available to be deleted. That still leaves lots of obvious "name dropping" for Warden and malware to find, no? And I don't know how to change the Description under the processes even when I rename the executable.

      I've been botting for 3 years without a ban but I work really hard at hiding the damn thing as best I can and yet every time I know that information is right there if someone wants to look for it.

      Am I completely wrong here? Perhaps I just don't understand the subtlety...:confused:

      EDIT: And how about removing it from the list of Installed Apps in the Uninstall or Change Programs and Features? Couldn't that be another place to look for Blizz? I've gone ahead and removed it myself using CCleaner but why put it there *IF* Blizz can just look at that list with their "malware"?
       
      Last edited: May 23, 2015
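
      The observation in the post above, that a renamed executable still carries its original description in its version resource, is the same property defenders use to spot renamed binaries in process telemetry. The sketch below is an added example, not part of the thread and not any vendor's detection code; the process records, paths, the original-filename value and the watchlist are constructed for illustration.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ProcRecord:
    """One process-creation record, as an endpoint sensor might report it."""
    pid: int
    image: str              # full path of the file on disk (user-controllable)
    original_filename: str  # from the embedded version resource
    description: str        # from the embedded version resource


# Constructed sample telemetry (not real data).
SAMPLE = [
    ProcRecord(4012, r"C:\Games\World of Warcraft\Wow.exe",
               "Wow.exe", "World of Warcraft"),
    ProcRecord(5120, r"C:\Tools\x7f3a\notes.exe",
               "Honorbuddy.exe", "Honorbuddy"),
    ProcRecord(5300, r"C:\Windows\System32\mspaint.exe",
               "MSPAINT.EXE", "Paint"),
    ProcRecord(6100, r"C:\Temp\tool.exe", "", ""),
]

# Hypothetical watchlist of product names to match in embedded metadata.
WATCHLIST = {"honorbuddy"}


def classify(rec, watchlist=WATCHLIST):
    """Return findings for one record, comparing on-disk name to metadata."""
    image_name = ntpath.basename(rec.image).casefold()
    original = rec.original_filename.strip().casefold()
    desc = rec.description.strip().casefold()

    # No version resource at all: nothing to compare, report it separately
    # so the analyst can decide whether that is unusual for the host.
    if not original and not desc:
        return ["no-version-info"]

    findings = []
    # Renaming the file changes image_name but not the embedded metadata.
    if original and original != image_name:
        findings.append("renamed")
    # The embedded strings are matched regardless of the on-disk name.
    if any(term in original or term in desc for term in watchlist):
        findings.append("watchlisted-metadata")
    return findings


def scan(records, watchlist=WATCHLIST):
    """Map pid -> findings for every record that produced at least one."""
    results = {}
    for rec in records:
        findings = classify(rec, watchlist)
        if findings:
            results[rec.pid] = findings
    return results


if __name__ == "__main__":
    for pid, findings in scan(SAMPLE).items():
        print(pid, ", ".join(findings))
```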
    15. Snotya

      Snotya New Member

      Joined:
      Oct 21, 2014
      Messages:
      14
      Likes Received:
      0
      Trophy Points:
      0
      The current bans aren't about end user not botting carefully or hiding the program better. HB was detected. I always follow the ban reports, and you will notice a common theme after the last trip wire. Ban reports started coming out with the same thing over and over after submitting a ticket to get unbanned: "they told me they could actually see HB running on my system." I dismissed them at the time, we all did. You can bot 1 min, 24/7, same ip, dif ip or whatever, it doesn't really matter. Bliz could see HB running on your computer. If you were on during the days/weeks they were scanning for it, you got the hammer!
       
    16. Remmey

      Remmey New Member

      Joined:
      Apr 18, 2013
      Messages:
      57
      Likes Received:
      0
      Trophy Points:
      0
      Odd, I was botting on one account while pvping on my main account; only my botting account was banned.
       
    17. Darkdog72

      Darkdog72 New Member

      Joined:
      Dec 3, 2014
      Messages:
      56
      Likes Received:
      3
      Trophy Points:
      0
      That's exactly one of the things I'm looking for. There seems to be no pattern in what people were actually botting, apart from the fact they were running HB. That means the bans aren't likely based upon reports or scanning for behaviour patterns (quest order while leveling, fixed move-to coordinates in Garrison bots etc.). If in fact they scan something and did not detect HB itself mocking with the WoW executable, it might be a random selection of people, or did you happen to run your main account in 64bit mode? Maybe they base it upon the presence of HB on your system whilst running a 32bit client, and would have a hard time claiming you botted if you're running a 64bit client. Could be that certain accounts were already flagged somehow and thus only those were scanned.

      So, detection is either based upon detecting it in the environment (i.e. disk, process list, registry, memory) [1], the game client somehow detecting that HB is sending something [2], or a combination of signs that makes it more likely than not that someone botted (32bit client, behavioural, 100% activity in combat, interrupts) [3]. Or, manual reports of botting activity [4].

      [1] I don't think it's a coincidence that Blizzard also changed their ToS about the same time, claiming the right to scan your PC. I registered another bnet account not long ago too, and I noticed they added an explicit check box that permits Blizzard to scan your computer for non-compliant software (can't remember this option from last time, but I might just not have paid attention). It might have been some code doing just this, but was only temporarily enabled to not give away what it scanned, and to remove proof of it because such a sweep scan could raise legal issues in a lot of countries (aka. a temporary malware attack as devs mention).

      [2] As far as I understand from other sites that are dealing with the finer code details, it seems highly unlikely that HB was detected due to injecting stuff into the WoW process, unless HB or combat routines are injecting something that is unique to HB which can't be attributed to normal user behaviour (I do have a slight idea on these issues, as a former hax0r, writing stack smashing code and all kinds of fun oddities, including reverse engineering and disassembling stuff to bypass all kinds of protection, although I only have information on WoW from seemingly credible places).

      [3] All I can say is that real-time analysis, or even data mining logs later, is extremely resource demanding and hard, unless there are easy to spot patterns that can only be attributed to running a bot. Considering the extreme diversity of what people used the bot for, we can pretty much assume that this wasn't the case.

      [4] Gathered manual reports. Not likely, unless cheat reports were combined with info on running 32 bit clients and other activities that made it very probable that someone botted.

      (Inbefore Frosticious posts a message that the Devs already addressed this by saying they suspect temporary attack from malware and hence rendering all other questions invalid).
       
    18. Darkdog72

      Darkdog72 New Member

      Joined:
      Dec 3, 2014
      Messages:
      56
      Likes Received:
      3
      Trophy Points:
      0
      See my other answer to Snotya. Did you by any chance run your main account in fullscreen 64bit mode whilst playing, but the botting client was obviously 32bit? I know that when I play and bot on another account, I prefer to play at fullscreen 64bit, because of client speed/FPS issues. Doesn't even mean you were detected at that moment, it could be they just ran a batch job to ban already flagged accounts.
       
    19. Darkdog72

      Darkdog72 New Member

      Joined:
      Dec 3, 2014
      Messages:
      56
      Likes Received:
      3
      Trophy Points:
      0
      You might want to make sure the gun isn't pointed in the wrong direction when you pull that trigger.
       
    20. frosticus

      frosticus Community Developer

      Joined:
      Oct 19, 2012
      Messages:
      2,930
      Likes Received:
      58
      Trophy Points:
      48
      you're doing good work here. soon we can add your name to the Master Chart

       
