[Informational] IS/Glider

[undrgrnd59]

Introduction

Recently I've seen a few posts that annoy me because people are talking about IS in a way that shows they don't know what their talking about it, so instead of channeling my annoyance into the posts (which won't help), I'm going to make a little informational post to hopefully help anyone who is new to IS or has never really figured out how it all works. On a side note I made a post with a lot of the information posted here but I think it was deleted since I can't find it now ;P

First things first, Inner Space is not a bot. A lot of people know this but I'm just clearing it up right off the bat. People talk of IS like it is the same thing as Glider is. Inner Space is simply a platform for developers to write their bots for. You can easily see this when you go to purchase it because as you see here it mentions nothing of a bot. People don't get banned for using Inner Space, because IS alone (no extensions) is about as harmful to WoW as FRAPS is. EDIT: While IS really is about that harmless, Blizzard apparently does ban for just it (as posters have corrected me), so be careful.

Now at one point and time (I don't know exactly when or who) someone decided to make an IS extension for World of Warcraft. This extension allows programmers to have access to WoW's memory (to get information about where the character/mobs are located, cast spells, basically all interaction with WoW). ISXWoW reads and writes to WoW's memory, that's all, it isn't a bot either.

Of course Blizzard doesn't like people messing around in WoW's memory, so they started to scan for ISXWoW. This is how ISXWarden was born. It is also an extension for Innerspace, one that is designed to keep Blizzard's Warden happy. For a history lesson in ISXWarden, you have to start back with a really old version of ISXWoW (pre BC). Originally maytricksmath wrote the Warden protection right into ISXWoW. The story goes that one day Lax got his own WoW account banned and then he made the ISXWarden extension that we all know and love. I'll also take this chance to point out he has a blog, OnWarden, that has some very interesting posts about Wardens workings (for those who wish to learn even more).

Bannings

Anyone who has been botting for a while knows that when you bot, you should expect that account to get banned. It's all a matter of chance when you bot... the longer you bot for the higher your chances of getting hit with the ban stick are. It will happen, if you care about the account, DONT BOT IT. I, like many others, learned this the hard way. The only bots that are unlikely to be banned are the private ones. If Blizzard doesn't get ahold of them, it won't know what to scan for, and thus it is more likely to go undetected (think of it as if Warden were scanning for a virus, if it doesn't know what the virus looks like then it won't assume its dangerous). Of course to the majority of people out there, this information won't help you much because you won't be writing your own bots anytime soon lol.

Okay, time to talk about banning related to Inner Space and Glider. Glider had basically been trying to stay undetected by hiding itself in a rootkit, only reading memory, and sending keypress's to make itself seem like a real person. The problem is that Warden is a bit more complicated than that (at a minimum I know it can scan for rootkits) and was banning Glider users left and right. One banwave hit Glider particularly hard and Merc went to Lax for the protection that ISXWarden gave Inner Space users. Probably nobody except for Lax/Merc knows the arrangement between them, but Lax has some form of ISXWarden working to protect Glider now too (Note: "some form", they are not the same but most likely offer very similar protection).

As far as I see it, this was beneficial to Blizzard. It took two different major botting organizations and merged them under one roof. So now, whenever Blizzard comes out with a new way to beat ISXWarden, generally IS and Glider users will be hit with a ban wave at the same time.

Dealing with this whole issue there is another point I'd like to make. Some people here use bots like zolofighter, which they think is safe because it isn't being banned for at the moment. It is only as safe as the number of people who use it. Because 90% of the botters out there are most likely using IS/Glider to do their botting, Blizzard will obviously be working to ban them and not the assortment of little bots you may find on this site. At some point and time, especially if people get fed up with IS/Glider and switch over, Blizzard will just turn their eye over to whatever new bot is out there. Most likely it's defenses are not as good as Glider/IS and Blizzard won't have any trouble detecting it (especially after beefing up their Warden to detect the more advanced bots). Despite this though, for temporary safety, your best bet is to go with the newest and most unused bot out there.

Added July 30:
Okay, heres another thing that I've thought to talk about. Why during ban waves there's always those few people who don't get banned. Well Blizzard is being very tricky at this point. Say out of 500 people banned they choose a lucky 5 or 10 and don't ban them. Well then when those people go back and make their ban reports, the forums look like this: "lost 2x 70s, gg wow", "finally hit me 5 chars gone", "I didn't get banned because I renamed IS.exe to AIM.exe!"
This helps add to the hell and confusion that ban wave days are. This is why if you ever do get banned, you need to fill out a report with the templates that each site provides. This will greatly help administrators filter out what the need from the reports.

Here's another thing which was brought up in the replies. Player reports. Ban waves are not caused by player reports, whenever a large mass of people are banned it is software detection. That simple. Now, to tie this in with the above paragraph, Blizzard probably does toss in a few player reported botters in ban waves, to add to the confusion.

Other

Scan.dll is not a serious threat to anyone. For some reason people believe they can stop the multimillion dollar company Blizzard by simply moving this to the trash, or putting some administrator rights on it. Last I heard this only had to do with scanning MPQ files for changes (which I think Blizzard has turned off right now, correct me if I'm wrong). Seriously, if you see people scheming to avoid detection via scan.dll, you laugh at them.

Conclusion

There was actually more I wanted to cover... I think.. But the problem is that after nearly an hour of writing and editing this that my brain is a little zonked :P Please post opinions, corrections, flames, questions, ect. I plan on adding/editing this over the next couple days, so give me some material to cover

After reading some of the replies that talk about how we have no idea what Warden does, I highly suggest people read Lax's OnWarden blog.

[Rockerfooi]

Nice post Seems really logical to me, Thnx for the information +Rep

[iradiation]

they didnt move glider and IS under 1 roof IS and glider have the same security frmo what ive heard glider just uses IS's security setup against warden so they get banwaves at the same time. but good post. +rep

[benny32]

These kinds of posts always bring out the crazies who want to fanboy up their particular platform. I believe there are no certainties other than if you bot you will get banned eventually. IS and it's attendant bots offer some more flexibility at the "sacrifice" of options/complexity while glider is stupid simple to setup and run. The mind set between the two communities is probably the biggest difference.

The detection stuff is complete guesswork at this point as we are completely uncertain on how they do it. We assume that during huge ban waves there is some kind of software detection going on but for others it's a heuristic that takes into many factors I would guess so just because Zolofighter isn't "detectable" doesn't mean you won't get banned if you run it 24/7. They see a account that plays for X amount of hours and they start looking at it to see if it fits other bot like characteristics.

I'm not a hard core dev like some around here and don't claim to be an expert on the workings of Warden, these are my opions based on two and half years of botting. Take it for what it's worth.

Edit:Before I get blasted about the detection stuff, I'm not saying ISXWarden guesses on how it implements protection or how Warden works, I'm talking more about bannings and why they occur, ie. reports, play time, suspicious movement, server request floods, etc. Those are always brought out when people start guessing how they got caught.

[Yeti]

Maybe you shouldn't start threads that you barely know much about, eh?

[wowpanda]

quote: "some people use zoloFighter .... It is only as safe as the number of people who use it"

Not necessarily true. zolo uses the standard windows security to protect itself (and there are some other small stuff I need to take care of). The beauty of that is, just as on windows XP/Vista or linux, where a low privilege user can't do certain things, Warden is restricted in the same way, and the protection is generic, meaning it is not affected by warden update.

The result is a simple design, no drivers/injections etc (try scan other bots on virus total, zolofighter is the only one that is clean).

If Glider/Mimic want to do the same, it can be as safe (judging from the forum, zolo users should be more than mimic as well). IS on the other hand, will have to rely on the talent of the creator.

[Obama]

This post looks smarter than it actually is.

[valiliv]

nice post, but for someone flaming those "who don't know what they are talking about" you need to chill out a bit on stuff you don't seem to understand.

It's all a matter of chance when you bot... the longer you bot for the higher your chances of getting hit with the ban stick are.

not that simple. IS avoided all bans for like 10 months straight, then one fine Tue in may when servers came up from maintenance everyone using it in the previous week was banned. The person running a bot farm 24/7 and the person who logged in with IS once for 4 min to check out the radar - banned exactly the same. So it's not like some permanent low chance of detection that goes to 100% if you bot long enough - it's just if and when Blizz decided to do it, period. May 20 they did it without warden, and even today they seem to be able to detect via hotpatches to client.

As for Zolo: well even you admit you don't understand its security, so please dont put BS in your guide. It's NOT just that it's under the radar. It also doesnt make sense to equate all bots to IS/Glider saying "Any bot can get you banned". yah sure, but it's only Glider that's sitting in the courtroom, and it's only IS that gets your 70 permabanned after a one-time 5 min use. Yet go into any AV anywhere 24/7, and in 60 sec you see 1-10 Pirox/macro/Flo/random Autoit bots running around, AND NONE ARE DETECTED. not a one, ever. the worst they get is suspensions from reports. and i will bet you anything that more 10,000s of people botted more millions of hours on Pirox-like bots than GLider+ IS will the rest of this century.

[Knafle]

Very detailed, thanks!

[Apoc]

To all of you idiots saying UG doesn't know what he's talking about. Take a step back, and re-read his post. 90% of it is spot on. (And wowpanda, Zolofighter can easily be detected if Blizzard decides to scan for it. Windows priv's or not. You're taking Warden completely for granted.)

And to clear up some mistakes in UG's post. ISXWarden itself was created by Lax, however, the start of the Warden protection was from maytricksmath in the original open source version of ISXWoW. (Pre BC versions)

benny32, server side detection is obviously 100% guesswork. (Unless you're a dev for Blizzard, or a GM) However, based on quite a bit of data, alot of conclusions have been found. (Just search around some of the major forums, I'm sure you'll see some valid conclusions)

valiliv, you don't quite understand what you're talking about either. Blizzard can, and probably will take actions on auto-it bots in the near future. (They can easily start process scanning again, which will pretty much screw all the other public bots available) Most of the "small time" bots (small time in comparison to Glider/IS based bots that is) are not currently worth Blizzard looking at, since their userbase is probably within the 10k range. (Glider + IS is somewhere around 150k+ easily.) Also, the 5/20 banwave, was NOT FROM WARDEN. I don't know how many times I need to explain this. Warden had not changed. Period. They implemented some extra code within the binaries themselves (the exe/dll's for those of you who don't know what "binaries" are) which caught everyone. Something they hadn't done since 2.0.1 IIRC.

Also, UG's statement on "the longer you bot, the higher chance you have to get banned" is absolutely true. If you bot for 5 minutes, your chance of a player report is next to none. So that's one way of banning out the window. Chances of a GM seeing you actually bot is also next to none. Another one out the window. Detection however, stays the same no matter how long. So do the math.

Anybody who says their bot will "remain undetected" is ignorant of what they're up against. Please do some actual research before posting things that aren't true, and deceiving the public.

[valiliv]

APOC you are right about a lot of stuff, and im not trying to disagree with you.
- I wrote clearly that 5/20 was NOT from warden. without = NOT.
- We both don't know the future. I think we can agree there And i don't have proof, but I will say this opinion: relatively few people use OB. like really VERY few. IS costs money, OB is hellishly difficult to real get working "perfect", and the attitude of "OB is for devs only, diaf user noobs" doesnt help. 14000 DL 2.6 in almost half a year, the most popular routines top out 1500 total DLs. the forum goes days between a new post. YET BLIZZ IS STILL WHACKING IT. It's a fact, just like "Blizzard hasn't done jack to detect and permaban autoit bots" is a FACT. Don't know why, by that's the way it is. If (big if) Blizz decides to go after Zolo/Flo, we'll find out if wowpanda's "guest user" theory is correct. I have a feeling it is, since zolo interacts with wow in very different (and fewer) ways than glider/OB.

and obviously my comment about ban chances is referring to detection only. getting player-reported and actioned is a different story completely.

OB is absolutely awsome and it's a shame it got caught up in the glider mess. maybe too many power-leveling sevices where using it. I personally don't have a clue why Blizz clearly is expending a lot of effort to detect it and mercilessly ban one and all, while just as clearly they are completely ignoring the "non-intelligent" bots that just jump around AV cave or go around exact same paths farming mobs.

[Apoc]

APOC you are right about a lot of stuff, and im not trying to disagree with you.
- I wrote clearly that 5/20 was NOT from warden. without = NOT.
- We both don't know the future. I think we can agree there And i don't have proof, but I will say this opinion: relatively few people use OB. like really VERY few. IS costs money, OB is hellishly difficult to real get working "perfect", and the attitude of "OB is for devs only, diaf user noobs" doesnt help. 14000 DL 2.6 in almost half a year, the most popular routines top out 1500 total DLs. the forum goes days between a new post. YET BLIZZ IS STILL WHACKING IT. It's a fact, just like "Blizzard hasn't done jack to detect and permaban autoit bots" is a FACT. Don't know why, by that's the way it is. If (big if) Blizz decides to go after Zolo/Flo, we'll find out if wowpanda's "guest user" theory is correct. I have a feeling it is, since zolo interacts with wow in very different (and fewer) ways than glider/OB.

and obviously my comment about ban chances is referring to detection only. getting player-reported and actioned is a different story completely.

OB is absolutely awsome and it's a shame it got caught up in the glider mess. maybe too many power-leveling sevices where using it. I personally don't have a clue why Blizz clearly is expending a lot of effort to detect it and mercilessly ban one and all, while just as clearly they are completely ignoring the "non-intelligent" bots that just jump around AV cave or go around exact same paths farming mobs.

The OB userbase is small in comparison to Glider. That's an obvious fact. However, Warden being mainly packet based (which not even Windows security can prevent since it's a requirement for the game itself) can easily get around Zolo's protection scheme. (Not even wowpanda can argue this fact. And if he/she does, he/she is naive)

The 2.6 release on the forums only has 14k downloads, yes. However, OB moved to an open SVN a few weeks after 2.6 was released. (And has since moved servers three times) The downloads are much higher on the SVN than on the release thread. (30k last I checked, probably 10k or so being from people re-downloading the source to start from scratch) So 20k or so unique users. That's not a little by any means. (Glider has roughly 100k users) And OB really is not that difficult to set up, people just make it much harder than it actually is, because it's not a one click solution like Glider is. (And for good reason)

Not to mention, the majority of the OB community is based in IRC. The forums are there for keeping retained info. IRC is used much more often. So it's no surprise that the forums get so few visits. (Also most of the major routines that are on the forums, are now part of the OB core itself, so there aren't many downloads there either)

On a side note, I apologize for my misreading of your post.

However, Blizzard used to ban auto-it entirely. (Whether it was bots for WoW or not) That should be a pretty good indication of how easy it is for them to start banning again.

[benny32]

@Apoc

There are many valid conclusions to be found in relation to server side detection, many of them just as valid as the next. That's my point, we're just guessing around them and to a point I believe Blizzard does too. I think I've seen posts where you agree on that as well, they take into account a bunch of different indicators and ban when you meet X amount of indicators. That's what I meant by guess work. We know many of the factors but it's hard to say with certainty what it was that got you and we don't really have any threshold to compare against.

I'm not saying anything new here but in every detection thread posted on any boards people like to say "for sure I was banned because X happened" when most of the time it was a combination of things, most of them controllable by the player.

Anyway, enough said by me not really providing anything new here.

[Apoc]

@Apoc

There are many valid conclusions to be found in relation to server side detection, many of them just as valid as the next. That's my point, we're just guessing around them and to a point I believe Blizzard does too. I think I've seen posts where you agree on that as well, they take into account a bunch of different indicators and ban when you meet X amount of indicators. That's what I meant by guess work. We know many of the factors but it's hard to say with certainty what it was that got you and we don't really have any threshold to compare against.

I'm not saying anything new here but in every detection thread posted on any boards people like to say "for sure I was banned because X happened" when most of the time it was a combination of things, most of them controllable by the player.

Anyway, enough said by me not really providing anything new here.

Thank you for making mine, and your point more valid. Server side detection is entirely speculation. However, client side is far from it. (Hence why smarter looking bots don't usually get player reports. [I.E, not running into things constantly, fighting mobs it shouldn't be, etc])

[Haitamo]

I love this post now we just need merc to make a user and starts arguing and belive me all of u master anti warden minds will find a way to own them.
I for one do not belive that warden is as strong as we belive it is.
I was using cheat engine in wsg the other day to get an account banned i farmed 14k honor speed hacking getting the flag and coming back and the stupid acccount is still not banned -_- .
I use fall dmg off quit often using WOWEMU HACKER and then mountain climb back.

If someone can explain this to me why warden doesnt detect it ....
anyway i find apocs comment very interesting and wowpanda belive me if glider loses the lawsuit openbot will cut its user database and then... UR NEXT