, SecurityFocus 2005-09-27
A digital virus spread by terrorists left bodies on the streets and cities quarantined by the government.
Fortunately, the epidemic was not real, but the aftermath of an inadvertent digital plague caused by a simple change to the massively multiplayer online roleplaying game, World of Warcraft.
The change? Giving a monster the ability to curse in-game avatars with a self-propagating, albeit temporary, disease. While the developers only intended the disease to affect the group of characters fighting the monster, the infectious malady quickly became a tool in the hands of malicious players known as griefers, who found ways to bring the digital virus into heavily inhabited areas of the world.
For a week, the efforts of malicious players left behind massive casualties, made cities nearly uninhabitable, and became a reminder of the uncontrollability of self-propagating code.
"There are three things you can do: infect people, die, and watch other people do the first two," said one person posting to the World of Warcraft community forum under the handle 'Modahan.' "There's no way to rush for a cure; there's no way to stop the plagued idiots from coming in, there's no quest, no change, no nothing."
While previous flaws in online multiplayer games have led to unintended consequences, this may be the first time that a disease has spread from character to character. While a developer-created digital virus killed off characters in the original Sims game, it only occurred if the player obtained a guinea pig and did not keep its virtual cage clean. Fan-created content for the sequel to that game, Sims 2, contained modifications that persisted and were inadvertently transferred from player to player creating string of virus-like effects.
The World of Warcraft's particular plague was caused by a curse known as 'Corrupted Blood' given to those in-game characters that battle a demon called Hakkar. The curse causes damage and can be passed onto other characters nearby. However, programmers at the game's developer, Blizzard Entertainment, failed to limit the area where the curse operates.
The complex epidemic that ensued after adding simple self-propagation to a feature of the game should come as no surprise, said Brian Martin, an independent security consultant who plays World of Warcraft.
"Giving it the ability to propagate at all beyond a limited environment definitely reminds us that self-propagating code is likely to bite us in the ass without careful consideration and planning," Martin said. "This also underscores the fact that adequate testing is a requirement for software, as this--and thousands of other bugs--would have easily been discovered and hopefully fixed had the testing been more thorough."
Last week, the game's developer Blizzard Entertainment rushed out a patch that limited the ability to infect others to only within the specific adventuring area known as a dungeon, a move which contained the disease to at most 20 characters. While the company would not comment on the epidemics, which happened on several of the game's servers, a spokesperson acknowledged the incidents and that the company had fixed the flaw.
The World of Warcraft has become the most popular online roleplaying game to date, with more than 4 million players worldwide, according to Blizzard.
The plagues started on September 13 after Blizzard updated the game to include, among other new content, a dungeon known as Zul'Gurub. In the heart of that dungeon sat Hakkar, an in-game demon, that cursed any characters who attacked it with Corrupted Blood, a damaging curse that spreads from player to player.
The disease would have not spread from the original dungeon but for the efforts of griefers. The online roleplaying game equivalent to terrorists, griefers would teleport their characters to inhabited areas or used their pets as plague carriers to spread the disease to the general population of a server, according to postings on various community sites.
Griefers have taken advantage of other loopholes in online games. In World of Warcraft and Everquest 2, for example, some malicious players have used time-delayed curses to turn their characters or pets into virtual bombs, teleporting to nearby inhabited areas just before the curse went off, affecting everyone in the area.
Reaction to the actual effects of the epidemic have been mixed. Some players have lauded the appearance of an epidemic as a cool in-game feature.
"Yes, there are a lot of upset people, but again, that's because this was unintentional and the effects go too far--some say," one player, using the handle 'Po,' said on the World of Warcraft forums. "However, there are a great number of folks who think this thing is spectacular."
Other players have taken exception to the fact that entire cities had become plague-ravaged and dangerous to all but very high-level characters. The player of a high-level mage complained that the game became unplayable until Blizzard fixed the problem last week.
"Basically I tried to enjoy the new game content but got griefed by my own faction," the player, who used the handle 'Starcinder,' said in a posting to the World of Warcraft forum. "Good plan Blizzard. This 'content' was visionary ... considering the maturity of the player base."
While short-lived, the incident should be a reminder that adding the ability to spread to simple features can bring complex consequences, said security consultant Martin.
"Not only does it present an in-game dynamic that was not expected by players or Blizzard developers, it reminds us that even in seemingly controlled online atmospheres unexpected consequences can occur," Martin said. "While not as serious as a classic computer virus, it reminds us that computer code can impact us and we're not always safe, regardless of what precautions we take."