Riot Games INFECTS League of Legends Windows Gamers with Rootkit, Breaks LoL on Linux Entirely

Riot Games has decided to break their game, League of Legends, for Linux gamers under the guise of stopping cheaters. If you’re playing League on Windows, then it’s much worse for you. As a Linux gamer, the affect is pretty obvious, lol, it’s broken but if you’re on Windows, you should stop playing this game and just go play Dota 2. Riot Games has never officially supported League of Legends to be played on Linux so it’s annoying but it’s not surprising. The surprising part is that they just deployed a rootkit on the computers of the Windows League players. That’s why it broke on Linux, Linux is made in a way that they can’t force a rootkit on us so they just broke it instead.

For those that don’t know what a rootkit is, the term is a combination of root and toolkit. “root” is a Unix and Linux term that is the name of the useraccount with the most permissions on the system, (do whatever). Toolkit is a collection of software that implements a tool. Typically when you hear the term rootkit, it is related to some kind of malware but it’s not exclusively a malware term. Rootkits are sometimes made for developers to debug a system and all sorts of reasons. So if a piece of software, not a user, has this level of permissions it is a rootkit, regardless if it’s malicious or not.

Clearly this is not something that should be part of installing a game but there are even reports of people saying that Riot Games’ Vanguard rootkit has been bricking their computers making them unusable. I don’t know if that’s true but what I do know is that Vanguard from Riot Games is ridiculous overreach.

screenshot of the League of Legends page on Lutris.net that explains the issue with trying to play LoL on Linux

So what is Vanguard? Vanguard is the name of Riot Games’ anti-cheat tool. Anti-cheat tools are kind of understandable, cheating in competitive online games is pathetic and also pretty rampant. I get why they would want to stop cheaters but Vanguard is not just an anti-cheat tool, it’s a kernel-level anti-cheat tool and its not just a kernel-level anti-cheat tool but a permanent rootkit that you are required to install to play the game.

A kernel is the software that effectively makes an operating system work with the hardware of a computer so its like the heart or brain of the OS. Kernel-level means having access to everything the kernel has access to, which is everything.

Anti-cheats do not need to have kernel-level access. There are many anti-cheat tools like Valve’s VAC, Blizzard’s Warden, and 343 Industries’ Arbiter that do not need kernel-level access to be effective. So for those that claim it’s a “necessary evil” . . . no, it’s not . . . the word necessary means you have no other option . . . but they do though.

The video version of this article. Watch this if reading isn’t your thing 😀

In the blog post where Riot Games announced this rootkit being required to play League, they put a section of Frequently Asked Questions and in my opinion, some pretty lame answers to those questions. A lot of what bothered me about these answers is from perspective of a Linux gamer but some of them, let’s just jump into it:

Q. Isn’t Vanguard Spyware?
No, but I’m sure those words in that exact order are mathematically the fastest way to farm retweets. Content algorithms everywhere are programmatically addicted to the clicks the words “spyware” or “rootkit” can generate, and mathematically hunting for their next fix has steered them away from informative journalism and into a sort of faux-pandemonium that’s only remarkable in its unhelpfulness.

I’ve been an entrepreneur, most of my life. I have a lot of experience in many things. When people ask me what I do, I don’t like to say entrepreneur because it’s vague and kind of strikes me as pretentious. So instead, what I tell people has fluctuated over the years based on what business I was involved in at the time. I’m one of the co-founders of TuxDigital so these days I say I’m a media producer. At one point, I was running a marketing and design agency so I called myself a Marketer or Designer. All that is to say as a marketer, that answer I just read to you is what ticked me off enough to make this video, the sneaky marketing used in that answer . . . well.

They start off the answer with an outright denial, saying it is not Spyware and that is technically correct. Vanguard is not Spyware because the definition of Spyware includes the need for the software to be covert or hiding from the user aka spying. So on the basis that they told you about it, it doesn’t technically count as spyware.

The rest of their answer though, that’s what bothered me. They conveniently included the term “rootkit” next to the denial but without directly denying it being a rootkit. This is just my opinion but it came across to me that they were trying get people to associate their denial of Spyware, as also a denial of being a rootkit. They also surrounded this convenient inclusion of the term rootkit with language that suggests they are offended by the question, a question which they asked themselves.

Yea, it’s not Spyware but it does qualify for the criteria of a rootkit, it is a toolkit with root-like permissions. I’m not saying it’s a malicious rootkit but it doesnt have to be malicious to be a rootkit.

collage image of the websites for BattlEye and Easy Anti Cheat

Now, Vanguard isn’t the only kernel-level anti-cheat tool, BattlEye and Easy Anti Cheat from Epic Games both run at the kernel level. So yea, I’m not a fan of these rootkits either but there are some significant differences between these two and Vanguard. While yes, BattlEye and Easy Anti Cheat are kernel-level they only run while playing a game where as Vanguard is designed to be running all the time. That’s right, the moment you turn your computer on, Vanguard is there, watching you, no matter what.

The other big difference, at least for me as a Linux gamer, is that BattlEye and Easy Anti Cheat work on Linux, so games that use those can be played on Linux. Yes, I do realize I just said something that sounds like a contradiction. Earlier I said “Linux is made in a way that they can’t force a rootkit on us” so how do these kernel-level anti-cheats work for games in Linux? That’s where the awesomeness of Proton comes in. Proton is essentially a compatibility layer that Valve and a company called CodeWeavers made to make Windows games work in Linux. That’s right, there are thousands of games that you can play in Linux, right now, that were not made to be played in Linux. That’s how awesome Proton is.

the Proton project logo from Valve

The way Proton works is pretty complicated because it’s not just a single piece of software. Proton is based on a project called WINE, the purpose of WINE is to run Windows apps in non-Windows systems. WINE also can be used for games but it’s not focused on gaming which is where Proton comes in. Proton takes the WINE stuff and adds things on top for gaming. In order to run Windows apps, one of the things WINE has to do is reverse engineer the Windows kernel so there’s a WINE kernel to make this possible. This WINE kernel has a bridge made to work with the Linux kernel so this is what makes it possible for these kernel-level anti-cheats to work while not having access to the Linux kernel.

In my opinion, this structure actually makes Linux gaming better because you can get the benefit of the anti-cheat tools without having to deal with them getting the insane permissions they want. While we are on the subject, why does Microsoft even let them do this? People are saying they cant move the taskbar anymore, so Microsoft won’t let you move the taskbar but a kernel-level rootkit is a-okay apparently. I mean, whatever I guess, that’s why I use Linux anyway.

The next question they asked themselves, also had a weird answer.

Q: What if I am personally incompatible with Vanguard?
We get it, and we 100% respect your decision . . . if your beef is only about data privacy at Riot, running the game client or running Vanguard makes not one bit of difference. Data can still be retrieved from user-mode, and we’re all engineers for the same studio with the same goals, none of which are collecting your personal information. If Riot hasn’t earned your trust, do not run our software.

There it is, the good old trust guilt-trip. Now, there is an element of trust in all software and all of computing for that matter. You are trusting the operating system to be good to you, all of the apps you use to be good to you and all of the services you use to be good to you. There is a lot of trust involved in just using a computer.

However, kernel-level trust is usually exclusive to the developers of … the operating system or you know the kernel.

“we’re all engineers for the same studio with the same goals” . . . interesting how you forgot to mention that same studio is owned by a mega-corporation that makes $70 Billion USD a year called Tencent so you probably don’t even have final say. Oh and while I was researching this topic I saw some reports that says your servers were compromised affecting your players personal data and I guess you forgot to tell people about it for a year.

People not wanting to give kernel-level access of their to random people at some game company owned by a mega corporation, that’s not paranoia. That’s just called having good sense. I mean what if you hire someone who you thought was a good person but really they just were pretending so they could get access to this kernel-level rootkit that you put in every players computer that runs at all times. It’s not about trusting you, it’s about making good decisions and people shouldn’t have to voluntarily install a rootkit to play a video game.

Another answer that didn’t sit well with my marketer side was about the Linux support.

Q: What about Linux?
We’ve never officially supported Linux, and it’s true that the current Lutris-based implementation for League (that uses wine) will not be able to satisfy the Vanguard driver requirements. Linux does not currently afford us sufficient ability to attest boot state or kernel modules

Good job to all the devs who made kernel-level stuff not be an option. Thanks for that.

. . . and the difficulty in securing it is only compounded by all the frustrating differences between distributions.

Valve’s Steam client works on any Linux distro, so clearly that’s wrong.

Even allowing emulation is an exceptionally dangerous game, as many cheats could then just run on the host, manipulating or analyzing the VM in a way that would be invisible to Vanguard within it.

There are so many things wrong with this. First, just use Proton. Proton is not emulation so your complaint about that is irrelevant. Then you say, VM as in virtual machine or virtualization…thats not even emulation, those are different things.

Half of anti-cheat is making sure the environment hasn’t been tampered with, and this is extremely hard on Linux by design.

Again, good job Linux devs.

Any backdoors we leave open for it are ones developers will immediately leverage for cheats

LOL that’s so funny, you’re actually admitting you want to have backdoors into people’s computers

and yesterday, there were just over 800 Linux users on League. We have evaluated this risk to not be worth the payoff.

Here we go! A lot of companies like to claim that Linux is not big enough to be worth the payoff. This isn’t just gaming companies, it also applies to app companies too. But that 800 players on Linux looks pretty small huh? Well that’s because they are hoping you just see that number and ignore everything else. It said “and yesterday” . . . so that 800 Linux gamers applies to a single day. There’s more Linux gamers playing League obviously because not everyone would be playing on that one day.

This is enough to show they are misleading but my frustration skyrockets because they are trying to say it’s not worth it. I’d like to remind you of the beginning of this answer “We’ve never officially supported Linux” . . . and the part of the “Lutris-based implementation for League”. They are ignoring that in order to be one of those 800 Linux gamers, those people had to jump through a bunch of hoops and deal with a bunch of headaches to play their game because like they said they “never supported Linux”. The Lutris team are a group of awesome people making it possible to play games on Linux even when the gamedevs refuse to care about our platform. Here’s a list of what was needed for Linux gamers to do in order to play this game. Again, thanks to Lutris for making this much easier but this is a lot of stuff. I talked to one of the Lutris devs that worked on this who goes by the name Glorious Eggroll and he said that Riot Games also broke it all the time when they released new versions so he had to constantly fix things. By the way, he is going to be on my podcast soon for an interview, go to destinationlinux.net to subscribe.

So Riot Games, you are telling me that over 800 people, in a single day, were so interested in playing your game that they were willing jump through those hoops and have those headaches to play a game on a platform you never bothered to care about and you don’t realize how big the gamerbase would be if you just let us click a button that says play?

a very large play button in case it wasn't clear to Riot Games what I meant

BUT WAIT, there’s more. In addition to the trash logic to pretend the gamerbase is small there’s also the part where they claim Linux is “too dangerous” because cheats would be made as if that would be an easy thing to do. This would be a VERY hard thing to do. This would require developers to have the understanding of writing code for Windows, writing code for Linux, they would have to know how WINE works, they would have to know how Proton works, they would have to know the differences between WINE and Proton, they would have to understand how the bridge between WINE and Proton works to connect to the Linux kernel and thats just the stuff I can think of off the top of my head. Writing code for both Windows and Linux would already be a very big mountain to climb but adding all that and there’s probably even more. This would be such a massive thing to attempt that I doubt many would “evaluate this risk to not be worth the payoff”.

It’s not like Vanguard is even a full proof system to stop cheaters, something else that would be invisible to Vanguard is someone using a second computer to run the cheats. Someone having 2 computers is not that ridiculous. It wouldn’t take much to run those cheats, just a laptop would do it. In fact, a lot of streamers already do this, 1 computer for the gaming and 1 for the streaming. Now that I think about it, I remember when First Person Shooters started getting cheaters thanks to monitor companies. They would put crosshairs directly on the monitor so if a game removed the crosshair it wouldn’t matter. I haven’t looked up monitor cheats in a while, I wonder what is out there now.

. . . [a few moments later] . . . Okay, I love this now. 🤣 Technically, thinking about what this is implies, I don’t like it, but love the just the timing of this, the trolling of this.

MSI AI powered cheating monitor sitting on a table at CES demoing what it can do on League of Legends

MSI announced announced a monitor at CES that basically uses AI to help people cheat. It’s an AI powered cheating monitor . . . and the game that they show for the demo of it cheating is League of Legends.

That’s that’s beautiful. I mean, MSI is not really a good thing to do, but it is funny. It is very funny. And for those who are wondering, like, you know, couldn’t you just ban the monitor? I mean, they could just send the signal to the kernel telling it it’s a different monitor, you know, like a monitor that is similar, has similar specs, but doesn’t isn’t that particular one. So there’s really no way to actually stop it.

So in the case of that monitor, I don’t even know what you could possibly do. But most people aren’t going to be going out to buy a monitor for this particular purpose. Maybe some would, but most wouldn’t. And in the case of most cheats, they’re kind of annoying to set up, especially why you wouldn’t have any reason not to support Linux.

notice in League of Legends that says GAME TERMINATED / CHEATER DETECTED. Which ironically likely helps the cheater test

There are many ways to stop cheaters, it would be more effective to use statistics of players like in the case of a FPS, people who have 97% headshot percentage are clearly cheating since that is not even humanly possible. I am sure League has some kind of thing humans simply cant do. Some games have community report systems. Also you’re ending games and telling people it was because of a cheater, doesn’t that help cheat developers because they can check to see what causes the detection? That’s the point of ban waves so they cant use any data to test what triggered it. So many things wrong with this.

Q: What about OSX?

OSX? Really? Maybe they aren’t trying to mislead people about Linux with marketing spin. They might just be that clueless, they don’t even know what the name of Apple’s OS is and they make a game for it.

There isn’t yet as much tooling on OSX for script development, although the “need” is growing. For now, Mac won’t have Vanguard

So Linux gamers can’t play because it’s too dangerous or whatever even though making cheats on Linux would be absurdly difficult through Proton and all that but you made a native Mac version that doesnt have Vanguard at all and somehow that’s okay.

screenshot of the homepage of Dota 2 game from Valve

Once again, I’d like to bring your attention to Dota 2. It’s a game doesn’t require you to have ridiculous rootkit in your system, and people seem to love it. Some people like it more than League. So if you haven’t checked it out, Dota 2.

Sources: leagueoflegends.com, dotesports.com [1], levvvel.com, battleye.com, easy.ac, lutris.net, tomshardware.com, gamingonlinux.com, dotesports.com [2], [Wikipedia: Riot Games, Tencent, Rootkit], bitwit video

Share this post

Twitter
LinkedIn
Reddit
Threads
Facebook
Email

Be the first to comment at forum.tuxdigital.com