
Bot clients can be detected and flagged immediately depending on OS


caketeaparty


I tested this with some throwaway accounts since primes are so cheap and easy to get.

I've always been curious about how different OSs factor into bot detection and I finally got the opportunity to do so. I never really use anything other than the latest Windows/Linux, and this was enlightening to say the least.

I had accounts on Ubuntu 16.04, Windows Server 2012 R2, Windows Datacenter 2016, and finally Windows 10 Home. I used clean residential IPs for each.

I logged in on a few bot clients on each OS, but get this, the accounts that logged into these clients on Windows Server 2012 R2 were detected and banned for a Macroing Major in a few hours despite never running a script or botting (I never botted these accounts on creation nor were the IPs "creation banned"). It didn't matter how many times I changed IP on the rotating network, the result was the same. It seems older/unusual versions of Windows are highly exploitable as key heuristics and if they detect what client you're using and it's something they can recognize as a bot client, it's over. This would explain why some people report getting banned right away or just for playing on a bot client while others like myself never do.

What's more, I then botted accounts with the same scripts and behold, only the Linux and Windows 10 Home accounts survived after a week. Needless to say I stopped using Windows Datacenter 2016 on my servers and uploaded a Windows 10 Home image instead, otherwise I use Ubuntu just fine. This is pretty much irrefutable proof to me that they do in fact try to detect bot clients and will outright ban you simply for logging in on one. Different OSs mostly use different JVMs, and other quirks about them might be exploited to determine whether you're using a bot client.

So far, IP, OS and mouse movements/script patterns seem to be the dark triad of bot detection. Be careful.


1 hour ago, caketeaparty said:

I tested this with some throwaway accounts since primes are so cheap and easy to get.

I've always been curious about how different OSs factor into bot detection and I finally got the opportunity to do so. I never really use anything other than the latest Windows/Linux, and this was enlightening to say the least.

I had accounts on Ubuntu 16.04, Windows Server 2012 R2, Windows Datacenter 2016, and finally Windows 10 Home. I used clean residential IPs for each.

I logged in on a few bot clients on each OS, but get this, the accounts that logged into these clients on Windows Server 2012 R2 were detected and banned for a Macroing Major in a few hours despite never running a script or botting (I never botted these accounts on creation nor were the IPs "creation banned"). It didn't matter how many times I changed IP on the rotating network, the result was the same. It seems older/unusual versions of Windows are highly exploitable as key heuristics and if they detect what client you're using and it's something they can recognize as a bot client, it's over. This would explain why some people report getting banned right away or just for playing on a bot client while others like myself never do.

What's more, I then botted accounts with the same scripts and behold, only the Linux and Windows 10 Home accounts survived after a week. Needless to say I stopped using Windows Datacenter 2016 on my servers and uploaded a Windows 10 Home image instead, otherwise I use Ubuntu just fine. This is pretty much irrefutable proof to me that they do in fact try to detect bot clients and will outright ban you simply for logging in on one. Different OSs mostly use different JVMs, and other quirks about them might be exploited to determine whether you're using a bot client.

So far, IP, OS and mouse movements/script patterns seem to be the dark triad of bot detection. Be careful.

They have done this for years. Back in 2017 I tried to come back to RS, logged in at the time on my main (7 99s) and right away just logged out; no bot run, just logged in on the client, and the account was banned right away. So they have been able to do it for a long time.

1 hour ago, Neo Elvemage said:

What is your sample size on WS2012?

 

I would like to know this too; there are many false positive bans of accounts once Tutorial Island is completed. Regardless, this does provide some insight into bot detection, but how does it work? For example, if I were to use mirror mode, is RS only looking at the type of client I'm using or all open apps on the computer?

I'm not gonna lie, but I've noticed the same kind of behaviour?

Every account that I seem to run on Windows gets banned quicker? Hard to explain, but I've gone through like 15 accounts since I registered on osbot.

I travel a lot so I use my MacBook for botting most of the time, but the moment I start doing anything on Windows at home, the accounts seem to get banned quicker! I've experienced the same thing while testing other clients: the accounts that I run on my MacBook are still alive, but the Windows ones are banned. One of my big examples is an account I've worked on for over a month. It was pretty much all botted on macOS, then I moved country (still using the same proxy but a completely different unused computer); all it took was a day and it got banned (2 day). Got it back and botted on macOS for another couple of days while running errands, then left the account for like a week to rest, logged it into osbot on Windows (mind you, I didn't run any automation scripts, only my own helpers which just show overlays) and it took a couple of hours till it got banned again.

Started over again on a fresh proxy, fresh install of Windows and different HWID. Account was banned within 2 days (I did Tutorial Island manually and a couple of other small things). Did the same exact stuff on macOS at the same time. That account is still going fine (hell, I accidentally left it on doing aerial fishing for like 12 hours and a week later, it's still running fine with no ban).

Also one major thing to avoid.... the in-game map, even after all the patches, I still feel like it is one of the main causes of bans for whatever reason.... also, other clients have it completely disabled due to detection issues so there is that 🤷‍♂️

The old saying still applies though in the end..... bot smart, not hard 😉 


I've been running a bot recently for about a week now, 14 hours a day and he's about 80 range now. I guess it can depend on the script and whether or not you are using mirror mode. Mirror mode has really helped with the ban rate since it mimics the old rs vanilla client. Definitely worth investing in. Here's a proggy.

 


2 hours ago, Johno R said:

Exactly, and macOS and Linux are very similar. Maybe be coming on to something, but why is it easy to get banned on Windows is the question.

 

2 hours ago, Tony22 said:

I've been running a bot recently for about a week now, 14 hours a day and he's about 80 range now. I guess it can depend on the script and whether or not you are using mirror mode. Mirror mode has really helped with the ban rate since it mimics the old rs vanilla client. Definitely worth investing in. Here's a proggy.

 


 

Mirror mode has always been fine for me on Windows (hell, I used to swear by it as it lowered my ban rates by so much), but ever since I moved to botting on macOS, I've not had the issues people are talking about with bans on stealth injection.

Gonna install Manjaro on my main desktop and see how far that goes :)

 


This would further back up the theory that after X hours of botting, you're put in a tier of anti-bot that loads native-level detection, such as detecting whether a mouse click is coming from hardware, the Windows API, or being created directly inside the JVM itself. Different OSes would require different methods and APIs. Many client-side anti-cheats such as EAC utilize the same detection methods for detecting aimbot or macroing.

21 hours ago, asdttt said:

This would further back up the theory that after X hours of botting, you're put in a tier of anti-bot that loads native-level detection, such as detecting whether a mouse click is coming from hardware, the Windows API, or being created directly inside the JVM itself. Different OSes would require different methods and APIs. Many client-side anti-cheats such as EAC utilize the same detection methods for detecting aimbot or macroing.

Idea: Run some bots and as soon as they get banned create a memory dump.


On 6/7/2019 at 7:49 AM, Protoprize said:

 

Mirror mode has always been fine for me on Windows (hell, I used to swear by it as it lowered my ban rates by so much), but ever since I moved to botting on macOS, I've not had the issues people are talking about with bans on stealth injection.

Gonna install Manjaro on my main desktop and see how far that goes :)

 

Hey, which version of Manjaro? Currently downloading Xfce 😄
