Flight simulator add-on used malware to steal pirates' passwords

Gamers are not happy that Flight Sim Labs added malware to the A320-X flight simulator add-on -- meant to be used with Microsoft Flight Simulator X and Prepar3D 3.0 -- in an effort to stop software pirates.


Imagine paying $100 for a flight simulator add-on that included malware to harvest passwords from the Google Chrome browser.

Flight Sim Labs believes infecting all users of its A320-X add-on with malware was a perfectly OK anti-piracy tactic, as it would only steal users’ passwords if the gamers were pirates. Is this extent of Digital Rights Management (DRM) even legal?

The issue first flared up on Reddit over the weekend after “crankyrecursion” discovered that the installer for the $100 A320-X add-on by Flight Sim Labs (FSLabs), meant to be used with Microsoft Flight Simulator X and Prepar3D 3.0, included “test.exe” – a Chrome Password Dump tool made by the company SecurityXploded. This was quickly verified by software developer Luke Gorman and then followed up with an analysis of the malware by Fidus Information Security.

FSLabs founder Lefteris Kalamaras initially responded to the outrage of the company’s DRM efforts by saying “there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products.”

Tool was placed on all users' systems

In response, Gorman pointed out that was an “outright lie,” as the tool was indeed placed on all users’ systems — even if it wasn’t used.

Kalamaras claimed, “Test.exe is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally.” It activated or not depending upon the serial number inputted by the gamer; it was “a specific method used against specific serial numbers that have been identified as pirate copies.”

“If such a specific serial number is used by a pirate (a person who has illegally obtained our software) and the installer verifies this against the pirate serial numbers stored in our server database, it takes specific measures to alert us,” Kalamaras said.

Regarding the Chrome Password Dump tool, Fidus explained, “The command line-based tool allows users to extract saved usernames and passwords from the Google Chrome browser and have them displayed in a readable format.”

Numerous antivirus solutions flag the tool as malicious. That is what happened to the Reddit user who raised the alarm. Yet it wasn’t an isolated incident. Fidus pointed all the way back to October 2017, when a gamer complained that ZoneAlarm flagged test.exe as a virus. FSLabs reminded the gamer that disabling AV when installing is recommended because “many AV engines see our installers as a virus, which they are not (also known as a false positive).”

“Whilst we fully understand the importance of DRM and combating piracy,” Fidus wrote, “it poses the question on how ethical some companies are being in doing so along with the legal and infosec implications of it.”

In a different “what happened” post, Kalamaras gave a “full disclosure” to customers “who feel their trust was violated.” He admitted the company “even went so far as to figure out exactly who the cracker was (we have his name available upon request of any authorities), but unfortunately we could not be able to enter the registration-only websites he was using to provide this information to other pirates.”

He added:

We found through the IP addresses tracked that the particular cracker had used Chrome to contact our servers, so we decided to capture his information directly — and ONLY his information (obviously, we understand now that people got very upset about this — we're very sorry once again!) as we had a very good idea of what serial number the cracker used in his efforts.

With our P3Dv4 installer, we discovered through more detailed installation logs that there was a specific set of pirate data that came up over and over again — so we decided to target that set of data directly. As a result, we made our server listen for a specific subset of data sent from the installer and when that was triggered, to dump that cracker's information needed for us to gain access to those illicit web sites, so we could then forward the information to proper legal authorities.

FS Labs admits it was wrong, replaces the installer

However, FSLabs now understands that its DRM installer efforts were an “overly heavy-handed approach.” The company claimed: “There was no personal data sent or kept that would mean a breach of privacy, except for that subset of information regarding the web sites mentioned above.”

We have already replaced the installer in question and can only promise you that we will do everything in our power to rectify the issue with those who feel offended, as well as never use any such heavy-handed approach in the future. Once again, we humbly apologize!

It's not outside the realm of possibility that some users will not be pacified. It seems likely lawyers will be involved to address the legal, and possibly ethical, aspects of FSLabs' DRM efforts.

Copyright © 2018 IDG Communications, Inc.
