Date: 2018-02-20
A flight sim company who put malware in one of their jets now say they were only after one person, in an attempt to downplay how many users were affected by what they described as “DRM”. As we reported yesterday, Flight Sim Labs normally sell planes to players of Flight Simulator X, but they recently included a malicious file called ‘test.exe’ in an installer for a popular Airbus (you might have seen it if you’ve flown with EasyJet). The malware was designed to dump usernames and passwords saved in the Chrome browser. When this was discovered, the head of the company said the malware was targeted at pirates. It only ‘activated’ if the person installing the plane was using a pirated key to do so, he said. But they now claim they were using the clandestine .exe file to target a single, specific person.
The head of the company, Lefteris Kalamaras, made a post to the Flight Sim Lab forums, admitting again that the dodgy file was embedded in the installer. As in previous posts, he refers to the malware as “DRM” – digital rights management. He then goes into more depth about what they did and why.
First he explains what would happen if you were a “genuine” user running the installer for the airplane:
“As soon as the user entered their customer information (order ID / serial number / email) it verified this against our server database. Genuine customers and any other legitimate serial numbers trigger a full proper installation and no tool was called / used to figure out any pirate info. The installer that temporarily extracted the tool would remove it as part of its normal cleanup operation upon proper installation completion.”
Finally, he zeroes in on their reasoning for including this “tool” at all – to find the people who were cracking their airplane add-ons and distributing keys online for free (for context, this particular aircraft normally costs $100).
“…there were specific crackers who were successful in sidetracking our protection system by using offline serial number generators. We could not find how this would happen, but we happened upon a particular set of information (username / email / serial number) that would occur recurrently from specific IP addresses. We tried to add more tests in our subsequent installer releases, but the specific crackers were also upping their game in ensuring they sidetracked our installer. We even went so far as to figure out exactly who the cracker was (we have his name available upon request of any authorities), but unfortunately we were not able to enter the registration-only web sites he was using to provide this information to other pirates.”
And from here, it just gets more and more Netrunner.
“We found through the IP addresses tracked that the particular cracker had used Chrome to contact our servers so we decided to capture his information directly – and ONLY his information (obviously, we understand now that people got very upset about this – we’re very sorry once again!) as we had a very good idea of what serial number the cracker used in his efforts.”
In other words, they began to put malicious software into their airplanes in an attempt to catch some pirates. But the focus shifted, according to Kalamaras, to keeping track of a single cracker.
The post goes on to say they intended to send all the collected information about this cracker to the “proper legal authorities”. It neglects, though, to address the legality of installing malware on the computers of innocent users in the first place, or the legality of harvesting usernames and passwords from anyone, pirate or not.
This continues to be a grubby story. The whole shebang has been dissected by Fidus Infosec, an information security firm who made a post attempting to answer five pertinent questions:
- What legal boundaries is this pushing, if not directly breaking the law?
- How is the data being sent to FSLabs?
- How is the data being secured and who has access to it?
- What exactly are people’s usernames and passwords being used for?
- What on earth were they thinking?!
They confirmed that the file ‘test.exe’ was indeed malicious, and that it was designed to “extract saved usernames and passwords from the Google Chrome browser and have them displayed in a readable format”. But through their testing they also concluded that “the password dumping tool (test.exe) is only called when a fraudulent serial is used” just as Flight Sim Labs attest.
However, the infosec folks also found that any captured information was being sent back to the servers of Flight Sim Labs in a badly encoded format (in Base64 – the encryption equivalent of wrapping a confidential memo in a few obscuring layers of cling film). They also questioned the security of the servers themselves, and summarised their thoughts like this:
“Whilst we fully understand the importance of DRM and combating piracy, it poses the question on how ethical some companies are being in doing so along with the legal and infosec implications of it.”
There are still unanswered questions. How many people – pirate or otherwise – have had their usernames and passwords taken by the malware? What has happened to those usernames/passwords? And how many people used the dirty installer legitimately, thus briefly hosting malware? We’ve emailed Flight Sim Labs with these questions and more, and will let you know if we get a response. But don’t hold your breath.
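One way a defender could spot the pattern described above in endpoint telemetry, as an added example (not code from the article, Flight Sim Labs or Fidus Infosec): it runs over constructed Sysmon-style events and flags any process other than Chrome that reads Chrome’s saved-password store, then decodes the Base64 body of whatever that process sends out, which is exactly why Base64 offers no confidentiality. The paths, pids, host name and event shape are all assumptions.

```python
import base64
import binascii
import re
# Constructed Sysmon-style events (not real telemetry from this incident).
# pid 4100: installer-spawned test.exe reads Chrome's password store, then
# posts base64 data; pid 5200: Chrome itself reads its own store (benign).
LOGIN_DATA = r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4100, "image": r"C:\Temp\setup\test.exe",
     "parent_image": r"C:\Users\u\Downloads\airbus_installer.exe"},
    {"event": "file_read", "pid": 4100, "path": LOGIN_DATA},
    {"event": "network", "pid": 4100, "dest": "vendor.invalid",
     "body": base64.b64encode(b"user@example.com|hunter2").decode()},
    {"event": "process_create", "pid": 5200, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event": "file_read", "pid": 5200, "path": LOGIN_DATA},
]

LOGIN_DATA_RE = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def decode_if_base64(body):
    """Return the decoded text if body is base64 of printable text, else None."""
    if not B64_RE.match(body):
        return None
    try:
        text = base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def detect(events):
    """Flag non-Chrome processes that read Login Data, then anything they send out."""
    images = {}      # pid -> image path
    readers = set()  # pids that touched the Chrome password store
    alerts = []
    for ev in events:
        if ev["event"] == "process_create":
            images[ev["pid"]] = ev["image"]
        elif ev["event"] == "file_read" and LOGIN_DATA_RE.search(ev["path"]):
            image = images.get(ev["pid"], "")
            if not image.lower().endswith("\\chrome.exe"):  # Chrome reading its own store is normal
                readers.add(ev["pid"])
                alerts.append(f"pid {ev['pid']} ({image}) read Chrome Login Data")
        elif ev["event"] == "network" and ev["pid"] in readers:
            decoded = decode_if_base64(ev["body"])
            detail = f"base64 decodes to {decoded!r}" if decoded else "opaque body"
            alerts.append(f"pid {ev['pid']} sent data to {ev['dest']}: {detail}")
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields two alerts for pid 4100 and none for Chrome’s own read of its store.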
20/02/2018 at 13:40 Lexx87 says:
I’m actually surprised they didn’t realise how obviously they would get caught in doing such a daft thing.
20/02/2018 at 15:17 aepervius says:
And they certainly failed to consult a lawyer, who would have told them this is highly illegal. Vigilantism is not authorized in any first world country as far as I know. You are not allowed to hack back… or steal passwords. Not only would what they gathered be non-receivable, because it would be hard to prove any chain of custody, but it is also highly illegal.
20/02/2018 at 13:40 Vilos Cohaagen says:
Wow, this is so illegal in the UK and EU.
20/02/2018 at 13:56 sosolidshoe says:
But don’t you get it? They’re targeting *evil pirates*. They’re *heroes*. They’re basically *internet Batman*. Totes justified yeh.
Yes, that’s sarcasm, for the avoidance of doubt. But it’s not an uncommon attitude, sadly, and this kind of behaviour is the natural result of casting file sharing as a good vs evil moral and legal battle for the very soul of creative endeavour, and it’s only illegal right now because the bigger corporations haven’t yet boiled our collective frog for long enough to successfully get it made legal.
20/02/2018 at 13:57 Drib says:
I’m not sure about legality in the US, given how uh, special our government is when it comes to tech and DRM.
But I do know this is shady as balls. No one will ever trust your company again, guys, was that what you wanted? There’s no reversing from that.
20/02/2018 at 14:47 SaintAn says:
Capcom did that before years ago iirc. Think it was included in a Street Fighter game. Memory fades and most people are too mindless or brainwashed to stand up for themselves so they submit and let things like this happen and continue to support such corporations.
20/02/2018 at 15:01 Drib says:
I don’t recall them outright stealing passwords, but I do vaguely remember some DRM kerfuffle with them and one of the Street Fighter games.
Yeah. Maybe it won’t be remembered forever, you’re right.
20/02/2018 at 15:07 Drib says:
Looking it up, SF4 had GFWL, which… yeah, sucks, but doesn’t steal data.
SF5 had some weird rootkit that COULD have been used to nick data, but wasn’t specifically designed to do so.
Those are pretty far removed from this particular thing.
20/02/2018 at 13:57 satan says:
IT WAS JUST A SOCIAL EXPERIMENT BRO!
20/02/2018 at 14:50 Qazinsky says:
Yeah, ok, I believe you, SATAN!
20/02/2018 at 14:01 Lobotomist says:
How are they not prosecuted for this?
20/02/2018 at 14:26 Pogs says:
It’s early days. I’m sure they will be having a friendly call from the European Data Protection people.
20/02/2018 at 14:08 Kollega says:
Ladies and gentlemen and everyone else, this is what I can freely call “cyberpunk for blockheads”.
20/02/2018 at 14:11 Cvnk says:
I don’t use Chrome (or any web browser) for password keeping so I’m not personally worried but I’m curious how they were able to access and decrypt that information.
20/02/2018 at 14:32 Cvnk says:
Some quick reading reveals that I should not have been surprised by this element of the story. Chrome password dumping is nothing new or unique.
Still, seems strange to me that it should be this trivial. I realize that the main value in a password manager is eliminating password reuse and encouraging complex and random passwords to protect you against online breaches but I also expect the local store of those passwords to be reasonably secured.
20/02/2018 at 14:35 Lord Byte says:
By allowing “elevated controls”, the ubiquitous “Run in administrator mode”, it seems that it can bypass the requirement of using your username and Windows password in Chrome to access the encrypted usernames and passwords.
Seriously, any properly designed software should NEVER require it to be run in “Administrator mode”, as it allows it to basically do anything to your computer. It’s really not that hard to stay within the rights of the system, unless of course your software is specifically made to tamper outside of its “allowed” spaces (like Temp, AppData, Documents and so on).
20/02/2018 at 15:09 Skabooga says:
Woah, woah, woah, I think we are all just glossing over the fact that they are charging $100 for a virtual airplane. I mean, what? Is that normal? (I have a feeling that it must be, but not being a flight sim enthusiast, I feel compelled to ask those with more experience.)
20/02/2018 at 15:21 percydaman says:
Pretty egregious but not surprising I guess. I mean those games are still rather niche in the grand scheme of things. And the amount of work they do to recreate the planes. I’m not surprised they think they should charge 100 bucks a pop in the hopes of getting their investment back. I would never pay that, but I suppose some do, or they wouldn’t make em.
20/02/2018 at 15:34 poliovaccine says:
Actually I was scrolling down to say the same thing. Like, no wonder they give such a shit about pirates, and no wonder people want to crack their stuff!
I think that is fairly normal in the world of hardcore simmers, but that still feels like it’s just taking full advantage of the niche to which these people belong, knowing they have to pay these exorbitant prices if they want to participate at all. I really don’t know how sims over the years have justified their insane-o prices, especially when gamers of every other stripe often consider $60 too much for hundreds of hours of entertainment out of a game made on a seven figure budget. I’ve been surprised before at figures like that, and it’s always coming from hardcore flight or train sims, or else hardcore war games. Someone else will have to explain to me why folks are cool with that, though.
20/02/2018 at 15:13 causticnl says:
I can see “sort of” the reasoning behind it; it’s stupid, yes, what they did, and they should get burned for it. But looking at the employment at their company I think they just wanna model airplanes, and have 0 knowledge of DRM and how to deploy it. And if it’s just for one person I really wonder if it’s worth all the trouble. Yes, those planes cost more than 100 bucks, and it’s a small market they operate in, so any lost sale will be felt (which they will now feel anyway). I’ll wager the people downloading those “pirated” versions weren’t planning to buy them anyway.
20/02/2018 at 15:25 percydaman says:
Seems likely. I mean, not every pirated game is a lost sale, but when you’re charging 100 bucks a pop for a single plane, you’re gonna get people who would have never purchased it, whether they had a pirated version of it or not. But you’re right. I’m sure every lost sale to them hurts. Probably easy for them to fall into the fallacy that a pirated plane equals 100 bucks out of their pocket.