nProtect GameGuard Rootkit Threat


ali3nx

1) Who am I and why should I pay attention to some whining scrub?

I'm a retired developer and network infrastructure engineer for the Gentoo Linux Project who has served alongside open computing communities for ten years. My professional career has been focused on network systems engineering for over 15 years.

My history of contributions to the Gentoo Linux forums can be reviewed here.

2) WTF am I complaining about - getting to the point

I recently wanted to test the Aion open beta game client until I discovered the game installed a monitoring rootkit called GameGuard that does not appear to be detected by any anti-malware or anti-virus programs I currently use. I've been using Symantec's corporate antivirus offerings and Spybot S&D over the past years and wanted to inquire about why nProtect GameGuard has been allowed to fall under the radar. At least on my x64 Windows 7 RTM install, nProtect GameGuard was not detected at all, nor could I remove GameGuard without manually butchering the registry and deleting files.

Generally speaking about malware and/or spyware, nProtect GameGuard certainly fits the profile of software that:

1) installs unauthorized services for the primary purpose of monitoring your computer habits

2) cannot be easily removed by uninstalling the game (the Aion open beta client, in this example, installed nProtect GameGuard)

3) does not allow removal via the Add/Remove Programs control panel, because no Add/Remove Programs entries are created

4) NCsoft LLC plans to force unsuspecting users to install nProtect GameGuard with the public release of the highly anticipated MMO game Aion.

5) nProtect GameGuard code and services are not open source and no verification of safe functionality has been made by any malware oversight authorities

6) Forcing installation of malware applications alongside commercial software has been completely illegal for a number of years. The Sony XCP rootkit is a primary example.

7) GameGuard blocks use of valid hardware and software on your PC whether or not the game it's designed to protect is loaded

8) GameGuard has several verified Secunia vulnerability advisories indicating the poor programming practices of INCA Internet

9) All currently known methods of removing GameGuard from x64 Windows installations do not work. GameGuard updates regularly attempt to circumvent anti-malware utilities

10) Wikipedia both validates and addresses more of the concerns with nProtect being classified as malware. As well, any attempt to remove the GameGuard folders or system files will cause GameGuard to reinstall the files the user has manually deleted, without prompting the user in any way whatsoever and without any user intervention: a completely unattended reinstallation from a rootkit "image" file. It's certainly very invasive and difficult to remove. Note that I'm very experienced, yet the time I invested to manually remove all the GameGuard files and registry entries consumed many hours of detailed labor with regedit. I'm certain that Wikipedia's remarks are extremely generous to GameGuard's reputation given how invasive the application is and how much of a nuisance GameGuard is to remove.

http://en.wikipedia.org/wiki/NProtect_GameGuard

GameGuard hides the game application process, monitors the entire memory range, terminates applications defined by the game vendor and INCA Internet to be cheats (QIP for example), blocks certain calls to DirectX functions and Windows APIs, and auto-updates itself to change as new threats surface. nProtect GameGuard is launched via GameMon.des with a driver dump_wmimmc.sys.
Problems

There are issues with GameGuard regarding problems with other programs. Many of the problems have been solved or are in the process of being resolved.[1] Currently, however, there still is an old unpatched privilege escalation bug present[2][3].

Because of its method of actuation (very similar to a rootkit[4]), it is criticized for being extremely invasive, often without knowledge of the end user. The software installs a device driver which is difficult to uninstall; even uninstalling the game will still leave some files hidden on the system[5], but it stays inactive without the game. Most anti-virus vendors currently exclude nProtect GameGuard from their detection databases due to it being commercial software, however this was initially not the case, leading to system crashes as both the Antivirus and GameGuard attempted to override each other. When installing a game that utilizes GameGuard, this program may be installed onto the client machine without the user's authorization or permission.

nProtect GameGuard constantly updates itself and provides new protection against the latest threats.

On some games such as MapleStory, the game itself does a hash check of the GameGuard revision currently running and will exit if it does not match the hash on the server side.[citation needed] This is a security measure from nProtect GameGuard to ensure that GameGuard has not been hacked and nProtect GameGuard should update to the latest version under normal circumstances. But it can be easily compromised with packet software, such as Russian PacketHack which is designed for packet interception and hacking on net-driver level.

Because of the way that GameGuard hooks into core system DLLs and interrupts[6], it is impossible (without hacking GameGuard and violating the TOS) to run games protected by GameGuard under Windows API Emulators, such as Wine under Unix-based operating systems[7]. The key issue being that GameGuard bypasses the OS safeguards in order to:

* Hide the game application process.

* Monitor the entire memory range.

* Terminate specific applications without the user consent (sometimes tries to disable Kernel hooks).

* Block specific calls to DirectX or the Windows API.

The comment that GameGuard stays inactive without any games being active is very untrue. The system service GameGuard installs was started and functioning without the Aion game client or NCsoft's launcher running at all.

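The post above describes what a manual clean-up has to find: a driver (the Wikipedia excerpt names dump_wmimmc.sys and GameMon.des), a service that runs without the game, registry entries, hidden files, and files that come back after deletion. The script below is an added example, not code from the original post and not a tool from INCA Internet or NCsoft. It is a read-only inventory for an elevated PowerShell 5.1 (or later) prompt with the game and launcher closed: it reports drivers, services, processes, service keys, auto-start and uninstall entries and files whose names match GameGuard identifiers, flags anything that is running, and writes a snapshot so a second run after manual removal and a reboot shows what has been re-created. The match patterns beyond the two file names quoted on the page, the search roots and the recursion depth are assumptions; adjust them for your install.

```powershell
# Added example (not from the original post, INCA Internet or NCsoft): read-only inventory of
# GameGuard-related artefacts. Run elevated, with the game and launcher closed. Nothing is
# stopped, deleted or modified.
#
# Assumptions (not stated on the page): artefact names contain one of $Patterns
# (GameMon.des and dump_wmimmc.sys are named on the page; the product names are added),
# and files live under the program-file and System32 roots in $Roots.

$Patterns = @('GameGuard', 'GameMon', 'dump_wmimmc', 'nProtect')
$Regex    = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'   # -match is case-insensitive

function Get-GameGuardInventory {
    # Kernel drivers and user-mode services as the Service Control Manager sees them. A driver or
    # service in State 'Running' with no protected game open is the observation the post makes.
    Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Name) $($_.PathName)" -match $Regex } |
        ForEach-Object { [pscustomobject]@{ Kind='Driver';  Name=$_.Name; State=$_.State; Start=$_.StartMode; Path=$_.PathName } }
    Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Regex } |
        ForEach-Object { [pscustomobject]@{ Kind='Service'; Name=$_.Name; State=$_.State; Start=$_.StartMode; Path=$_.PathName } }

    # Live processes (GameMon.des runs as a process while GameGuard is active).
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match $Regex } |
        ForEach-Object { [pscustomobject]@{ Kind='Process'; Name=$_.ProcessName; State='Running'; Start=''; Path=$_.Path } }

    # Service keys in the registry. These persist even when the driver is not loaded and are
    # what a manual clean-up has to remove once the file is gone.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ("$($_.PSChildName) $($p.DisplayName) $($p.ImagePath)" -match $Regex) {
            [pscustomobject]@{ Kind='RegService'; Name=$_.PSChildName; State="Start=$($p.Start)"; Start=''; Path=$p.ImagePath }
        }
    }

    # Auto-start entries, and the Uninstall keys behind Add/Remove Programs. The post says no
    # Add/Remove entry is created; an empty Uninstall result is consistent with that.
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p) {
            $p.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' -and "$($_.Name) $($_.Value)" -match $Regex } |
                ForEach-Object { [pscustomobject]@{ Kind='AutoRun'; Name=$_.Name; State=''; Start=$k; Path=$_.Value } }
        }
    }
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                   'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') {
        Get-ChildItem $k -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ("$($p.DisplayName) $($p.UninstallString) $($p.InstallLocation)" -match $Regex) {
                [pscustomobject]@{ Kind='Uninstall'; Name=$p.DisplayName; State=''; Start=$_.PSChildName; Path=$p.UninstallString }
            }
        }
    }

    # Files on disk, hidden ones included (-Force). Depth is capped to keep the scan quick;
    # raise it if the game is installed somewhere deeper. System32 covers System32\drivers.
    $Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
        Where-Object { $_ -and (Test-Path $_) }
    foreach ($r in $Roots) {
        Get-ChildItem -Path $r -Recurse -Depth 3 -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $Regex } |
            ForEach-Object { [pscustomobject]@{ Kind='File'; Name=$_.Name; State=''; Start=$_.LastWriteTime; Path=$_.FullName } }
    }
}

$inventory = @(Get-GameGuardInventory)
$inventory | Sort-Object Kind, Name | Format-Table Kind, Name, State, Path -AutoSize

# The check the post describes: is anything running although no protected game is open?
$active = $inventory | Where-Object { $_.Kind -in 'Driver','Service','Process' -and $_.State -eq 'Running' }
if ($active) {
    Write-Warning ("GameGuard components running with no protected game open: " + ($active.Name -join ', '))
}

# Snapshot for comparison. The post reports that deleted files are re-created unattended, so
# run this again after manual removal and a reboot; anything present only in the later
# snapshot is the reinstallation to look for.
$snap = Join-Path $env:TEMP ("gameguard-inventory-{0:yyyyMMdd-HHmmss}.json" -f (Get-Date))
$inventory | ConvertTo-Json -Depth 3 | Set-Content -Path $snap -Encoding UTF8
Write-Host "Snapshot written to $snap"
```

To diff two snapshots, load both with `Get-Content <file> | ConvertFrom-Json` and pass them to `Compare-Object -Property Kind, Path`; entries marked `=>` exist only in the newer run. The script deliberately stops short of deleting anything: the post's own experience is that file deletion alone is undone, so the inventory is meant to be the checklist (driver, service key, files, auto-start entries) that a manual clean-up works through and then verifies.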

Yuk, thanks for the info. I despise this sort of overboard DRM in games and such. I had an issue where one such technique on a game I paid for caused a BSOD on my system if I had my external DVD-ROM connected when I launched the game. Very aggravating and over-aggressive. Do they at least provide a GameGuard removal tool the way most other such DRM companies do?

No removal tools are provided by INCA Internet that I'm aware of. The authors of GameGuard are based in Korea. Judging by the severe lack of vendor-provided avenues to remove GameGuard, INCA must have less obligation to develop software that conforms to anti-malware laws. All removal tools I could find have been provided by the enthusiast community and are often out of date or did not function as well as modern anti-malware utilities. The only remaining solution to removing GameGuard is regedit, manual file deletion, and hoping you found all the registry entries.


Yes, rootkits can be a real pain, especially on x64 since most tools won't work there (I'm glad my AV does, and it's very aggressive against rootkits of any type, legitimate or not :P ). SecuROM is what messed with my system. If they don't provide a removal tool you can bet someone in the community will, and eventually they'll be forced to, the same way SecuROM and Sony were. In the States this sort of thing isn't tolerated, and if the game is distributed in the US, they'll have to provide a method of cleanly removing it ;) .
