Hackers commonly bypass Microsoft Windows kernel protections to enable cheating in competitive online games, according to a new study. Academics from the University of Birmingham carried out a technical analysis of how cheat and anti-cheat systems work and conducted market research, analyzing 80 cheat sales sites in Europe and North America over three months.
The work is described in the article “Anti-Cheat: Attacks and the Effectiveness of Client-Side Defenses” by Sam Collins, Marius Muench, Alex Poulopoulos and Tom Chothia, which was presented at the workshop on “Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks” in Salt Lake City on October 18.
Selling cheats is not illegal in most countries around the world, although some websites selling cheats have been sued by game developers on the grounds that the cheats constitute a violation of the copyright of the original game.
Researchers found that gaming cheats are sold on a subscription model, with one month’s access costing between $10 and $240. The researchers conservatively estimate the combined revenues of the 80 sites studied at between $12.8 million and $73.2 million per year, with the number of people purchasing cheats from these websites alone ranging from 30,000 to 174,000 per month, making it a lucrative online gray market.
Researchers have studied techniques used in cheating in online games, as well as those deployed by “anti-cheat” technologies. Most modern anti-cheat engines run in the Windows kernel, alongside applications such as antivirus, with the highest privilege levels.
Software can only run in the Windows kernel if it has been approved and signed by Microsoft. Kernel-mode code is therefore more powerful than software normally run by the user. An example of kernel-level software is the CrowdStrike sensor which recently failed, causing much of the Internet to go down.
Although anti-cheats are allowed in the kernel by Microsoft, the study also found that cheat software commonly uses weaknesses in Windows protections to “inject” itself into the kernel and gain elevated privileges. Many of the techniques mirror what is commonly seen in the malware and antivirus fields, with a difference in motivation.
Forum discussions and hands-on testing suggest that cheat developers typically circumvent Windows kernel protection measures by exploiting vulnerable third-party drivers that carry a legitimate signature, allowing cheat software to gain a foothold in the kernel.
This allows them to bypass protections put in place by anti-cheat software, allowing users to cheat in competitive online games such as Fortnite, Valorant and Apex Legends, all for a monthly subscription fee. The same kernel injection technique has already been observed in advanced ransomware attacks, where it is used to disable anti-malware protections before the main attack.
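The practical consequence of the vulnerable-driver route described above is that a valid Microsoft signature on a loaded driver is not, by itself, evidence that the driver is safe: the loader abuses a driver that was legitimately signed. What a defender can do is inventory the kernel drivers actually running on a host, record their signers and hashes, and compare the hashes against a blocklist of known-vulnerable drivers, while confirming that Windows' own enforcement (memory integrity, which applies Microsoft's vulnerable driver blocklist) is switched on. The PowerShell below is an added example written for this article, not code from the study or its authors. The entries in $BlockedDriverHashes are placeholders, an assumption standing in for a real list such as Microsoft's vulnerable driver blocklist; the function names are also the example's own.

```powershell
# Added example (not from the study or the article): audit the kernel drivers
# currently loaded on a Windows host. Because the loaders described above rely on
# legitimately signed but vulnerable third-party drivers, a valid signature alone
# is not a clean bill of health; the hash lookup against a blocklist is the check
# that matters. The hashes in $BlockedDriverHashes are PLACEHOLDERS (assumption):
# populate them from Microsoft's vulnerable driver blocklist or your own curated list.

$BlockedDriverHashes = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'placeholder-vulnerable-driver.sys'
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths in several forms: '\??\C:\...', '\SystemRoot\...',
    # 'System32\drivers\...' or a plain absolute path. Normalise to an absolute path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-LoadedDriverReport {
    # One record per running kernel driver: who signed it, whether the signature
    # verifies, and whether its SHA-256 hash is on the blocklist.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
            [pscustomobject]@{
                Name        = $_.Name
                Path        = $path
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                SigStatus   = $sig.Status
                Sha256      = $hash
                OnBlocklist = $BlockedDriverHashes.ContainsKey($hash)
            }
        }
}

function Test-HvciRunning {
    # Memory integrity (HVCI) is the setting under which Windows applies Microsoft's
    # vulnerable driver blocklist at load time; SecurityServicesRunning contains 2
    # when HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
}

# Usage: run from an elevated PowerShell prompt.
$report = Get-LoadedDriverReport
"HVCI running: $(Test-HvciRunning)"
$report | Where-Object { $_.OnBlocklist -or $_.SigStatus -ne 'Valid' } |
    Format-Table Name, SigStatus, Signer, OnBlocklist, Path -AutoSize
```

Two caveats when reading the output: most inbox Windows drivers are catalog-signed rather than carrying an embedded signature, and Get-AuthenticodeSignature resolves those through the catalog on current Windows versions, so a 'NotSigned' status on a file under System32\drivers still deserves a look; and a driver that passes both checks can still be vulnerable if it is simply not yet on the blocklist, which is why the report records the hash and signer for later comparison rather than issuing a verdict.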
Researchers found cheats available for every game they examined, meaning no anti-cheat system is unbreakable. The team developed a series of tests to evaluate the effectiveness of each anti-cheat solution, concluding that the games Valorant and Fortnite have the strongest defenses, with Counter-Strike 2 and Battlefield 1 having the weakest. Comparing these results to the market analysis, they found a strong correlation between the strength of an anti-cheat and the price of a cheat that breaks it.
Sam Collins, lead researcher on the project, said: “It’s fascinating to see such advanced attacks deployed in this context. This presents an intriguing counterpoint to more traditional, harmful malware, such as ransomware.”
Professor Tom Chothia, co-author, added: “Studying cheats and anti-cheats leads to a better understanding of protections in Windows. While no game has unbreakable anti-cheat, cheaters have to pay a lot more to cheat in games with stronger defenses. Game anti-cheats work in the Windows kernel; the full availability of game cheats tells us that Windows kernel protections are not as good as many people thought.”
Dr. Marius Muench added: “It is surprising that there are large-scale economics behind in-game cheating and defenses against it, which are largely ignored by the cybersecurity community, even though there are well-defined attacker and defender models.”
Gaming cheats are considered a type of Man-At-The-End (MATE) attack, in which the attacker has full control of the system. Unlike a traditional virus/antivirus situation, the end user is the attacker and contributes to the success of the attack rather than trying to prevent it. This work represents an important example of MATE attacks being exchanged and deployed at scale.
More information:
Collins et al., “Anti-Cheat: Attacks and the Effectiveness of Client-Side Defenses,” CheckMATE ’24 (2024), www.cs.bham.ac.uk/~tpc/Papers/AntiCheat2024.pdf
Provided by the University of Birmingham
Citation: Windows kernel defenses not enough to stop lucrative cheating market in games, study finds (October 21, 2024), retrieved October 21, 2024 from