Virtual worlds, either contemplative (metaverses > Second Life) or dedicated to games (MMORPG > World of Warcraft) are unique places of human interaction because of their structure or their popularity. Therefore, they represent a fertile ground for behavioural studies, as noticed by certain scientists. During a conference ("Games For Health"- Baltimore), an outstanding American epidemiologist, Nina H. Fefferman, showed all the interest that World of Warcraft (WoW) could represent in terms of viral behavior modeling. These simulations can not only be carried out without risk, but the number of users (10 million players on the WoW servers in January 2008) also allows the elaboration of more precise models than traditional experiments. These "sandboxes" notably allow gathering data that is essential for modeling through the observation of behaviors in the case of major epidemiological crisis scenarios.

A stroke of luck for them happened therefore in 2005 when an update of WoW caused the unfortunate dissemination of a virus, named "corrupted blood", which affected players' avatars and was transmitted by simple (virtual) contact and a too great proximity with the infected character. Symptoms were a sudden decrease in health points, and the lesser experienced avatars died instantly. Faced with the rise of the phenomenom (4 million infected players in September 2005) Blizzard -WoW's editor- introduced a quarantine zone. The folowing conduct interested scientists: people who don't respect quarantines, sale fake medicine, use a virus as a weapon against enemy factions, etc.
Ran D Balicer, another outstanding epidemiologist, compared the behaviors of the very real threat of SARS and bird flu contagions to this virtual pandemic. He observed many similarities between these different cases.

However, this enthusiasm is not shared by the entire scientific community. Professor Bill Scaffner, from Vanderbilt University Medical School, notes that the WoW population isn't as equally mixed as an equivalent group of humans. Most of the players have the same characteristics: a majority of young males, wealthy enough to buy themselves a computer and pay an online subscription. The data collected must therefore take into account these factors, which renders the modelisation less interesting than planned. It indeed reveals the reactions of a fringe minority of the population.

Malicious Intent

And what about our daily preoccupation?

The ever-growing MMORPG player community (by 2010, this market could be close to $5.5 billion Dollars), shared between a handful of successful licenses, is made up of game enthusiasts who are very involved in the development and improvement of their immaterial doubles. These multiple interconnections generated a very active virtual commodity market (RMT - Real Money Trade). Different artefacts are converted into cash via classic auction platforms (eBay, Worldgamebank). Cybercriminals therefore "naturally" transplanted themselves on this "market". They inondate the chatboxes with spams disseminated via characters (gold spammers) created for this occasion, and obviously code specific data-stealing Trojans.

CA Anti-Virus Research labs have classified over 45 different malware families that target MMORPGs.A report issued by the ESET Malware Intelligence maintains that July's 2008 most prevalent types of malware targeted online gamers. 12.7% of malware in the period was identified as being part of the Win32/PSW.OnLineGames family. A recent study written by Igor Muttik ("Securing Virtual Worlds Against Real Attacks") looked closely at different types of attacks targeting virtual worlds. It shows in particular that during the year 2007, trojans aimed at virtual universes arrived in second position behind those which impact financial institutions. The parallel doesn't stop there, since several phishing attacks affecting successful licenses have been observed these last years. Like the large financial institution managers, administrators of this lucrative market elaborate similar means of protection. Blizzard, for instance, introduced double factor authentication in July 2008 and has a service dedicated to the anti-fraud struggle.

The risks observed in the metaverse type universe are of a relatively different nature: we can also find there viruses, in a lesser volume exploitation of flaws, but here it exists a transversality between the real world and the virtual world. It is no longer a question of a scripted game but a reproduction of a fictive society more or less open with social network codes and concrete commercial rules (stock market, banks, and fluctuating currencies). Many key economic players thereby have official offices in Second Life. Threats are thus inherently different, often comparable to what we can observe in the "real world":

• staging of pedo-pornographic scenarios through avatars,
• extortion,
• sectarian proselytism,
• promotion of unsound political ideology,
• etc.

These virtual universes arouse desires and a lot of investors bet on these technologies. Sony is about to release its own world, Home, which will be interfaced with their PS3 gaming platform and Google has been developing its own universe, Lively. The security of these new spaces must therefore be considered rightaway.

Hard to conclude without facing the facts. From the popularity of one universe, the perspective of huge profits is born. Physical phenomenon: matter attracts matter, all matters. Impossible in these conditions to avoid a quota of crooks. Architects of these worlds have to anticipate the risks, secure their applications and find a good balance between virtual spaces open and free, and strict community rules and a healthy code. Even if i am way off the point, let’s finish with the wise words of William Gibson, Pope of the Geeks : “the future is already here. It's just not very evenly distributed.”

(Special thanks to Kristi)

Si nous avions été heureux des résultats de notre collègue Florent Marceau (toujours connu sous le doux sobriquet de "Barbu en Chef") l'année dernière au challenge d'ingénierie inverse T2, il s'est surpassé -ou à consacré plus de nuits - cette année, puisqu'il en est le vainqueur ! La seconde place est également attribuée à un autre français, qui a été choisi parmi les six autres vainqueurs pour l'élégance de sa solution.

Pour rappel ce concours, outre son aspect ludique et formateur, permet de gagner une place pour la conférence T2'08 - Information Security Conference qui aura lieu le 16-17 octobre prochain à Helsinki en Finlande. Ce rendez-vous annuel permet de discuter des dernières recherches en sécurité informatique, avec une orientation technique assumée des présentations, qui sont d'ailleurs systématiquement accompagnées de démonstrations.

Il ne nous reste plus qu'à souhaiter un bon voyage à Florent à Helsinki !