j0da
Jedi Council Member
I've been looking around my computer for the last few days, trying to find out how good my security actually was. My computer was scanned against viruses (with NOD32), spyware (Ad-Aware 2007) and trojans (a-squared). I've visited Shields UP! to see if my ports are configured properly and I'm invisible to various "sniffing" individuals. My computer passed all security tests there, so after a dozen hours of work, checking, cleaning and verifying I thought everything was fine.
Well, it wasn't.
Since I usually check Task Manager (from now on Winsight as well) I remembered two processes about which I wasn't too sure if they should have been running. I checked again and voila:
PnkBstrA.exe
PnkBstrB.exe
These names reminded me of Punkbuster software, which supposedly prevented players from cheating in many multi-player games. Like I wrote somewhere else on this forum, I used to play Call of Duty, so I just thought this piece of software was somehow left on my system after CoD was uninstalled. "Ok, so how do I get rid of it?" I asked myself. Checking first "Start menu", then Settings->Control Panel->Add or Remove Programs, I found nothing. This was the point where a common user's options end, and in such cases they just leave strange things sitting on their hard drives, for they avoid tinkering too much in fear of doing something wrong. So, in fact I had on my computer a piece of software which was difficult to get rid of. I've decided to search the web. First I checked Punkbuster creator's page, where I found:
evenbalance.com FAQ said:
How do I uninstall PunkBuster?
If you do not wish to use PunkBuster any longer, you may remove the entire "pb" folder inside your game folder. By removing this folder, the PunkBuster software will no longer be available. PunkBuster does not save information to other locations of your hard drive, nor does it change your system registry.
*NOTICE* Starting with PunkBuster client version 1.300, our new Service components are kept in the Windows folder of the hard drive and they do store information in the registry. We offer a separate program called PBSVC with an uninstall option for our service components, it may be downloaded from here.
Jeez, I didn't have ANY game folder anymore, so what these guys were proposing was to install their software (which would then do god knows what) to uninstall their software which shouldn't have been left on my hard drive in the first place! Something was fishy about this whole mess, so I started to dig deeper on the web. What I have found was quite a discovery, for I learned that there is more to the Punkbuster than meets the eye...
First interesting snip was found at digg:
mazeleet said:
Punkbuster anti cheat uploading personal info
In the wake of the all the rootkit scandals, it seems that Sony was not the only company not walking the straight and narrow. A group of reverse engineers recently debugged Punkbuster and found out that PB is actually uploading personal data to their servers. They are also actively scanning your harddrive, and uploading any "suspicious" .txt files
Holy cow! At that moment I knew how "good" my security was, but that was not all. The site digg.com was linking to was down, but I think I found the original article at web.archive, which I'm posting snipped here:
bostondan said:
PunkBuster Anticheat a rootkit
While looking into PB’s “covert” activities today, we noticed something particularly interesting. Punkbuster is actually scanning outside of its working directory and looking for suspicious files. While this *might* be alright to the avid gamer, it is explicitly illegal regardless of how secure a EULA* may be. You can reference the Vitalman V. CsGuard case from way back. In that case, it was determined that CSGuard- even though it had a EULA stating it scanned outside of its folder- was still a “Active security risk”. This is what forced the name change to “HL Guard”
Now, bending and breaking rules isn't necessarily new to PB, but this next bit of data certainly takes the cake. PB is actually uploading txt and dll files which are currently running in memory. What does this mean to you? If you happen to be playing a game with PB enabled (BF2, COD2, etc..) And you also have notepad or wordpad open, and text or information inside these files will be streamed to punkbuster for further investigation. The interesting part is that nowhere inside Punkbuster's EULA does it state that it has the authority to “phone home” with your files. Now there is no definitive answer of if they are actually investigating these files (or why they are even uploading .txt files- even a hack menu isn't really a risk) Regardless of whether or not someone is physically reading these files, it's an enormous security breach that anyone who uses punkbuster should be aware of.
(snip)
Here is Punkbuster EULA, check out the bold parts. (snipped to the bold part and few additional lines)
Licensee acknowledges that PunkBuster software is optional and is not a requirement in any respect for using or enjoying games that integrate PunkBuster software technology. Licensee also acknowledges and agrees that PunkBuster software is self-updating, which means that future updates will, from time to time and without any notice, automatically be downloaded and installed as a normal and expected function of PunkBuster software. Licensee further acknowledges and accepts that PunkBuster software may be considered invasive. Licensee understands that PunkBuster software inspects and reports information about the computer on which it is installed to other connected computers and Licensee agrees to allow PunkBuster software to inspect and report such information about the computer on which Licensee installs PunkBuster software. Licensee understands and agrees that the information that may be inspected and reported by PunkBuster software includes, but is not limited to, devices and any files residing on the hard-drive and in the memory of the computer on which PunkBuster software is installed. Further, Licensee consents to allow PunkBuster software to transfer actual screenshots taken of Licensee’s computer during the operation of PunkBuster software for possible publication. Licensee understands that the purpose and goal of PunkBuster is to ensure a cheat-free environment for all participants in online games. Licensee agrees that the invasive nature of PunkBuster software is necessary to meet this purpose and goal. Licensee agrees that any harm or lack of privacy resulting from the installation and use of PunkBuster software is not as valuable to Licensee as the potential ability to play interactive online games with the benefits afforded by using PunkBuster software.
*End User License Agreement
source
Summing up, I had spy software on my computer, which didn't ring the alarm in any scanner I used. Software which I probably agreed to install while playing Call of Duty, but which should have been erased along with the game. Software, which was starting along with Windows, doing who knows what. Software, which didn't reveal its presence to a common user (how many people keep track of what's going on in the "processes" window?) and which couldn't be uninstalled by the usual means accessible to a common user.
Let's see, what "authorities" say about it:
HOUSTON LAW REVIEW said:
PunkBuster is software that purports to help stop cheating in certain online, multiplayer games. According to its website, PunkBuster prevents cheating by scanning a player’s computer for known exploits, but the program’s End User License Agreement (EULA) states it can do much, much more:
(snipped)
Based on the above text, PunkBuster may share financial records, family photos, online chat sessions, and any other information stored on the computer with anyone on the Internet. Instinctively, many consumers would label such a program as spyware, if for no other reason than the overly broad scope. However, the program’s creators argue that it is not spyware because “the activities performed by PunkBuster are generally described on our website and we have also developed and published a Privacy Policy Statement.”
Indeed, the United States Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security, published an article that expressly excludes from its definition of spyware any program that provides the user notice of the software’s data collection activities through a clear privacy policy. Thus, as outrageously invasive as PunkBuster may be, organizations like US-CERT would not consider it spyware.
source
So, according to the Department of Homeland Security everything is fine and dandy. Why? Because they get regular reports and any data they ask from Punkbuster's operators - that's why. There is more to this story, even though it's already long. In fact, Punkbuster is only one of many "anti-cheat" programs installed on millions of computers around the world. Whether one is an avid gamer, plays only occasionally or has played in the recent past, there is much probability that somewhere inside his box sits a spying program, which transfers a hell of a lot of data to places unknown. Does this conclusion seem too far-fetched? See here:
Greg Hoglund said:
4.5 million copies of EULA-compliant spyware
I recently performed a rather long reversing session on a piece of software written by Blizzard Entertainment, yes - the ones who made Warcraft, and World of Warcraft (which has 4.5 million+ players now, apparently). This software is known as the 'warden client' - it's written like shellcode in that it's position independent. It is downloaded on the fly from Blizzard's servers, and it runs about every 15 seconds. It is one of the most interesting pieces of spyware to date, because it is designed only to verify compliance with a EULA/TOS. Here is what it does, about every 15 seconds, to about 4.5 million people (500,000 of which are logged on at any given time):
(snip)
I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time.
(snip)
Next, warden opens every process running on your computer. (snip) I watched warden open my email program, and even my PGP key manager. Again, I feel this is a fairly severe violation of privacy, but what can you do? It would be very easy to devise a test where the warden clearly reads confidential or personal information without regard.
This behavior places the warden client squarely in the category of spyware. What is interesting about this is that it might be the first use of spyware to verify compliance with a EULA. I cannot imagine that such practices will be legal in the future, but right now in terms of law, this is the wild wild west. You can't blame Blizz for trying, as well as any other company, but this practice will have to stop if we have any hope of privacy. Agree w/ botting or game cheaters or not, this is a much larger issue called 'privacy' and Blizz has no right to be opening my excel or PGP programs, for whatever reason.
source
But the worst of all is that while all those (entertainment!?) companies are spying on us legally, reverse engineering those programs, investigating and reporting one's findings borders on illegal activity!
Ed Foster said:
The Warden Sees All
(snip)
And what about Warden itself? Could it be considered a technological measure controlling access to a work that is therefore illegal to circumvent under the Digital Millennium Copyright Act? If so, Hoglund is skating a very thin line in discussing his findings at all.
If you think it wildly improbable that Blizzard would try to push such over-reaching legal claims in court, then you just aren't aware of the Blizzard v BnetD case. There, against defendants who were probably even less guilty of any real wrongdoing than Hoglund is, Blizzard took its EULA reverse engineering ban and DMCA anti-circumvention claims all the way to federal appeals court. And won. What it won was the right to deprive all of its customers of all of their fair use rights with a few words in their EULAs. So when their terms give them virtually unlimited right to abuse your privacy, you'd better take it seriously. After all, it's obvious our courts will.
Blizzard unquestionably has the EULA-sanctioned right to snoop on its customers with Warden, but does Hoglund have the right to tell us what that program is doing? That's what he now realizes is in fact a very serious question. "It's really been an education these last few weeks," he says. "I had no idea these EULAs were being taken so seriously. It's just amazing to me that anti-reverse engineering language in a EULA or the DMCA could keep people like me from publishing information what the Warden does. Isn't it the right of consumers to know what their software is doing?"
You'd like to think so, because somebody needs to be spying on those who are spying on us. I'm sure Blizzard would prefer I call Warden something other than spyware, but how else are we to refer to software that sits there watching everything you're doing in order to report back to its masters who-knows-what? And I think that's particularly so for a spymaster that happens to be a multinational corporate giant that's proven its willingness to send armies of lawyers anywhere to argue that its customers have clicked away all of their rights. If no one has the right to spy on their spies, the only eyes that will see what's happening on our computers will be those of the Warden.
source
All this made me think again about my "security", my "privacy" and other personal rights, which nowadays can be only written in quotes. After all, if Windows' "Search" function "calls home" reporting what one is looking for on his own hard drive, when user's own printer is spying on him, when one's entertainment software snoops around one's system then how much privacy do we have left? Should we even care and spend hours tweaking our computer systems? Maybe we should, even if it only prevents some kid next door from stealing our information. If anything, we should definitely share such information with other people - who knows, it might be a "wake-up" call for someone.
As for the Punkbuster itself - sneaky bastard wasn't sitting even in startup registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).
I've disabled the damned bug just like Microsoft bugs - through Control Panel->Administrative Tools->Services. Anyone interested can find out how to disable services safely by checking Black Viper's site and free some system resources along the way using this table.
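The post found the leftover components running as Windows services, not as Run-key entries. As an added example (not part of the original post), the PowerShell script below checks the Run keys, the service list and the process list for the two executable names given in the post, then previews the same stop-and-disable action the Services console performs. It assumes PowerShell 3.0 or later and matches services by image path, since the post does not give the service names.

```powershell
# Added example: executable names come from the post; the rest is illustrative.
$targets = 'PnkBstrA.exe', 'PnkBstrB.exe'
$pattern = ($targets | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Run keys: the autostart location the post checked and found empty.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$psMeta  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runHits = @(foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item) {
        $item.PSObject.Properties |
            Where-Object { $_.Name -notin $psMeta -and "$($_.Value)" -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $_.Value }
            }
    }
})

# 2. Service Control Manager: services start at boot without any Run entry.
$svcHits = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match $pattern } |
    Select-Object Name, DisplayName, StartMode, State, StartName, PathName)

# 3. Processes currently running under those image names.
$procNames = $targets | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
$procHits  = @(Get-Process -Name $procNames -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path)

"Run key entries : $($runHits.Count)"
"Services        : $($svcHits.Count)"
"Processes       : $($procHits.Count)"
$svcHits | Format-List

# 4. Same action as the Services console: stop and disable each match.
#    -WhatIf only prints what would change; remove it in an elevated
#    session to apply.
foreach ($svc in $svcHits) {
    Stop-Service -Name $svc.Name -Force -WhatIf
    Set-Service  -Name $svc.Name -StartupType Disabled -WhatIf
}
```

A result of zero Run-key entries with one or more services listed is the situation the post describes: the software starts with Windows but is invisible to anyone who only inspects the Run keys.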