DOI: 10.1145/3664476.3670433
research-article
Open access

If It Looks Like a Rootkit and Deceives Like a Rootkit: A Critical Examination of Kernel-Level Anti-Cheat Systems

Published: 30 July 2024

Abstract

Addressing a critical aspect of cybersecurity in online gaming, this paper systematically evaluates the extent to which kernel-level anti-cheat systems mirror the properties of rootkits, highlighting the importance of distinguishing between protective and potentially invasive software. After establishing a definition for rootkits (making distinctions between rootkits and simple kernel-level applications) and defining metrics to evaluate such software, we introduce four widespread kernel-level anti-cheat solutions. We lay out the inner workings of these types of software, assess them according to our previously established definitions, and discuss ethical considerations and the possible privacy infringements introduced by such programs. Our analysis shows two of the four anti-cheat solutions exhibiting rootkit-like behaviour, threatening the privacy and the integrity of the system. This paper thus provides crucial insights for researchers and developers in the field of gaming security and software engineering, highlighting the need for informed development practices that carefully consider the intersection of effective anti-cheat mechanisms and user privacy.



        Published In

        ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and Security
        July 2024
        2032 pages
        ISBN:9798400717185
        DOI:10.1145/3664476
        This work is licensed under a Creative Commons Attribution International 4.0 License.

        Publisher

        Association for Computing Machinery

        New York, NY, United States


        Author Tags

        1. kernel-level anti-cheat
        2. operating system security
        3. privacy
        4. rootkit characteristics
        5. software intrusiveness

        Qualifiers

        • Research-article
        • Research
        • Refereed limited

        Conference

        ARES 2024

        Acceptance Rates

        Overall Acceptance Rate 228 of 451 submissions, 51%


        Article Metrics

        • Total Citations: 0
        • Total Downloads: 1,279
        • Downloads (Last 12 months): 1,279
        • Downloads (Last 6 weeks): 625
        Reflects downloads up to 14 Jan 2025
