Dances with Bots

For the last week and a half, I’ve been housebound out of an abundance of caution after a family member presented with symptoms consistent with COVID-19. So far so good health-wise, but on the bad side, I’ve gotten back in to World of Warcraft.

I had a series of strange things happen this evening that I think might be worth sharing:

The Message

Around 9:45 PM, players on the North American (NA) server Kromcrush started experiencing various sorts of connection problems: players couldn’t take any zepplins to transport themselves between continents, flight paths (a sort of aerial taxi service) were suddenly disappearing and stranding players in strange lands outside the bounds of normal play, and players adventuring inside dungeons found themselves trapped, unable to exit.

The problem peaked around 10:15 PM, with only players on the west coast of the USA able to remain connected to the server. Shortly thereafter, whatever error had caused the problem was resolved, and players from far and wide began to log back on.

In the in-game chat channel “LookingForGroup”, players from the Horde were discussing the night’s events when this was posted:

The original, mysterious post.
Potentially sensitive information has been redacted.

This screenshot doesn’t capture all the responses to the message, but it was clear that a few players immediately recognized its’ significance: these were login credentials of some kind.

Before we go too much further, I need to explain a few things about what you’re seeing.

Players are able to talk to each other in chat channels. These channels are normally restricted to small geographic areas (“zones”), but there are a few “global” channels where players can talk to other players no matter where they are in the world. The most popular such channel is “LookingForGroup” (or simply “LFG”). LFG is intended to enable players to find others on the same quests as them and team up, but because of its’ global nature, it has evolved into a general hangout.

Chat channels are each assigned a number and can be posted to by prefixing that number to a post. For instance, in the screenshot above, LookingForGroup is channel number 6, so in order to say something in that channel you would need to type “/6 Hello World”.

There’s a long-standing bug with how these numbers are assigned. Sometimes, the order of chat channels will be jumbled when logging in, like channels 5 and 6 trading places, for instance. If someone were to have a macro (a series of commands executed automatically with a single button press) or script that posted something to a chat channel, this bug would cause it to post that message to the wrong channel.

A different font used is used when a non-latin character set is used to send a message. Chinese characters fit the bill, and on a NA server, are an almost perfectly reliable indicator of either a bot (a player being controlled solely by software, with no human intervention) or a compromised account. Anyone who has played WoW for a while can recognize that font at a glance and its’ usage raises suspicion.

Based on all this, my first idea of what happened is that someone had a script running that was using “/6” (or their personal equivalent – chat channel numbers are not uniform for all users) to send information either to or from a listening party that was acting as a bot controller. The user who posted the message may have been a bot or someone controlling a bot (or many bots). The part that didn’t make sense was why a bot would even be in any channel other than a private one used to communicate with the bot controller – especially a global channel like LookingForGroup.

The Investigation

The easiest place to start figuring things out was the IP, a quick ping of which revealed that it was online and responsive. WHOIS showed that the /23 block that the IP is part of is registered to a “Vultr Holdings, LLC” and based in UK/NI. Vultur Holdings operates, which hosts VPSs – Virtual Private Servers, which are temporary sort of computers hosted “in the cloud”, not by the person using them. Something’s definitely up.

On a hunch, I opened opened a Remote Desktop session, entered the IP address, hit [Enter], and was instantly rewarded with a login prompt.

Not wanting to head to far into need-a-lawyer territory, I closed the windows and decided to gather a bit more info from some other source.

Let’s go back to the original message again:

Using Google Translate on the message (and manually setting the source language to Chinese, since an English to English translation didn’t give me a lot of useful information) revealed some juicy tidbits. The Chinese strings are, in order:

  • 邮箱密码 (email password)
  • 游戏密码 (game password)
  • 密码答案 (password answer)
  • 注册IP (registered IP)

Oh. Oh.

So these aren’t just login creds for a VPS, this could be a compromised account. This is could be Very Bad.

I had a second look at the email address: for the first six characters or so, it just seemed like an Irish surname. My brain must have stopped processing after those first few letters because the last ten-ish are just a jumble of letters, and this clearly wasn’t a name at all. I Googled it, thinking that if it was a compromised account, the email would have been used somewhere else before, but no results came up. No leads.

Okay, what about the passwords?

I ran both passwords through haveibeenpwned and both came back green: neither the email password nor the account password had been seen in a breach before.

The email password, much like the email address, looked to be randomly generated. It’s 12 characters long and Keepass scores it as 68 bits of entropy – not great, but not likely to be bruteforced before a rate-limiter kicks in.

The account password, on the other hand, was a six-character string that looked like it could have been some combination of English words, or a first initial, last name combination, which gives some weight to the idea that the account may have been compromised. After that string was a four-digit number. This password scored a measly 36 bits of entropy according to Keepass. This seemed like a much more easy-to-remember password than the email.

The Sender

Without attempting to log in to the VPS, I didn’t have a lot more to go on aside from the name of the person who posted the original message. I don’t want to post any kind of PII that could lead to a potentially innocent name getting dragged through the mud, so we’re just going to call this character M for now.

I did a /who on M and saw that they were a 60 Mage in Desolace. Just to see what would happen, I sent M a party invite.

M accepted.

I didn’t expect this at all, so I just waited a little while in partially stunned silence. In party chat, M said simply, “10g”. I responded with “?”, and M sent back a message in both LookingForGroup (/6) and party chat (/p):

The fact that both messages were identical and were sent so rapidly leads me to believe that they were set as macros, with one posting to /6 and one posting to /p, and that M simply hit the wrong button the first time.

After a pause, M left the group.

Boosting (just as a quick aside) is what used to be called “powerlevelling” (using high-level players to help a low-level player advance), but provided as a service. Whereas guildmates or friends used to be the ones to powerlevel you, you can now buy that service from any number of people on each server, constantly advertising themselves on LFG and outside instances.

Boosting isn’t quite the type of activity that can be automated (yet), so I’m reasonably confident that there’s a human behind M’s keyboard.

I got my gear ready and prepared to sneakily track down M, but just as I set off on my way, they logged out. I added M to my friends list (an action invisible to M) so that I can see when they log on and off, and to get a feel for where they travel. Hopefully they’ll surface again.

The Guild

With M offline, the last bit of info I had to go on was M’s guild. That may come as a surprise to anyone thinking that M is a bot: if you see a bot, it’s more or less certain to be guildless, and having a bot in a guild is practically unheard-of.

For the same reasons that I’m not going to identify M, we’re going to call the guild <B>.

<B> appears to be a somewhat “legit” guild: they have members posting somewhat regularly on the Blizzard servers, shows them raiding on a weekly basis, and they have an entry on Kromcrush’s unofficial Guild List on Google Docs. They have some degree of presence within the server’s community, and others acknowledge them as peers (though not always positively, I noticed).

They don’t have a web presence, but the popularity of Discord makes that not as big of a red flag as it once would have been.

Oddly enough, their name does come up in conjunction with a number of defaced websites. These are the usual victims; small doctors offices, old and misconfigured blogs, and test WordPress sites with weak credentials. <B> appears in the Google results, but the sites I found have been reverted to their non-defaced selves, and no cached pages are available. This is probably meaningless, but I thought I should mention it anyway.

From what I’ve seen, the guild’s player distribution skews towards the level 60 end of the scale (the highest experience level currently attainable in the game). At 2300 PST, there were some lowbies in the 20s, 30s, and 40s on – at 0045 PST the next day (0345 server time), there were only 60s, and half were mages – a class known for botting and farming.

I compared this to several other guilds at the same points in time and saw that other guilds who had players online tended to have a good mix of both classes and levels.

M came back online at almost 0400 Server time and was on when I went to bed. They were still in Desolace, inside Maraudon, a dungeon known for boosting. I didn’t attempt to contact them.

So what do we know?

  • A set of credentials was dumped (ostensibly accidentally) after a partial server crash, containing:
    • A randomly generated email address
    • A randomly generated email password
    • A human-rememberable account password
    • An IP for a VPS with RDP open to the internet
  • The fact that these credentials were posted at all suggests some form of automation on the part of the sender and a lack of human oversight
  • The credentials were dumped by a character that is running boosts
  • That character belongs to a “legit” guild
  • Most characters in this guild appear to be either farming or boosting late into the night/early morning

Nothing about the randomly generated password is suspicious. The gibberish email address is a little strange, but for a multiboxer (one human controlling several players on several accounts via software that distributes their mouse and keyboard inputs – effectively cloning themselves) it makes sense that they would use different email addresses for each account.

I can’t think of any good reason for someone to be exchanging login credentials in plaintext with Chinese headers. Aside from the fact that plaintext passwords are always bad form, Chinese players are barred (officially) from the rest of the world’s servers, just as rest-of-world players are not supposed to be able to access Chinese domestic servers. There are, in fact, some pretty interesting cosmetic differences in the game clients themselves, as detailed here by Reddit user Vahdis (bread warning).

As James Earl Jones in The Hunt for Red October said, “the data support no conclusions as yet”, but I do have a guess:

I’ve been intentionally using a collective “they” to refer to M because I think that M is a shared account. I don’t know if there is any one “legit” player behind M, who uses the account most often, or if M is just multiple folks logging on and off in shifts, constantly boosting lowbies through instances to create a revenue stream for either <B> or a “legit” human behind M.

I’m not sure if the email/password combination is for just the WoW account, or if it would work as a RDP login for the VPS. If the latter is true, the VM that WoW is running on could have been set up automatically, via Kubernetes or something of that sort.

Further investigation is needed to see if any of the Mage members of <B> who are out in the world are exhibiting any bot-like behavior.

I’ve also identified a second guild, <BS> with multiple users exhibiting this same kind of sketchy behavior.