Skip to main content

Flight sim group put malware in a jet and called it DRM

Planely wrong

Update: The developers now say they were hunting for one single pirate.

A company who makes add-ons for Flight Simulator X included malware in one of their downloadable jets, players have alleged. The malicious file is called ‘test.exe’ and it is designed to extract passwords from the Chrome web browser, according to the user who discovered it. The company in question, Flight Sim Labs, have since replaced the dirty jet with a clean one. But they say that to claim the file "indiscriminately dumps Chrome passwords" is "not correct information", adding that the malware was “only extracted temporarily” and that it was targeted at pirates. The head of the company describes the file as “DRM”.

Flight Sim Labs usually make planes you can download for Microsoft’s Flight Simulator X, like the Concorde-X. Or other tools, like one that lets you control the lights on your aircraft. But an installer for one plane, the A320-X (an airbus commonly used by EasyJet or American Airlines) was triggering anti-virus alerts for some players. Reddit user crankyrecursion examined his copy of the installer “simply out of curiousity” and found the embedded malware. He then posted a notice for other players.

"... there seems to be a file called 'test.exe' included. This .exe file... is touted as a 'Chrome Password Dump' tool, which seems to work - particularly as the installer would typically run with Administrative rights (UAC prompts) on Windows Vista and above."

“I'm a technical person by nature,” he told us, “and I was keen to understand why exactly the installation package was triggering antivirus alerts so often.”

Watch on YouTube

The head of Flight Sim Labs, Lefteris Kalamaras, responded to concerned pilots on the company’s forums, claiming that the Reddit post was made by someone with a pirated copy.

“First of all - there are no tools [his emphasis] used to reveal any sensitive information of any customer who has legitimately purchased our products… ”

However, he then admits that there is a “specific method” which affects anyone whose serial number matches versions being shared on piracy websites like The Pirate Bay. In other words, the password-extracting ‘test.exe’ file was in all copies of the installer but only “triggered” if the user was deemed a "pirate", according to Kalamaras.

“‘Test.exe’ is part of the DRM,” he said, “and is only targeted against specific pirate copies of copyrighted software obtained illegally.”

If such a specific serial number is used by a pirate (a person who has illegally obtained our software) and the installer verifies this against the pirate serial numbers stored in our server database, it takes specific measures to alert us... That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product. The only reason why this file would be detected after the installation completes is only if it was used with a pirate serial number (not blacklisted numbers).

This method has already successfully provided information that we're going to use in our ongoing legal battles against such criminals.

Unsurprisingly, players were not convinced. They continued to complain and Kalamaras later amended the post, saying that the offending malware has been removed from the installer completely.

“… we realize that a few of you were uncomfortable with this particular method which might be considered to be a bit heavy handed on our part,” he said.

So, yeah, turns out imaginary planes is a muddy business. For context, Flight Sim Labs are selling their A320-X airbus for $99.95 , so it’s not that surprising a black market in these digital aircraft has arisen. This is clearly a problem for those who work on the aircraft and rely on good sales for a paycheck. However, putting password-farming malware into your airplanes probably isn’t the most sensible response.

"I think their official response leaves a lot of information out," said crankyrecursion, the user who discovered the malware, "and is a blatant attempt at trying to divert attention away from the real issue and back towards piracy.

"I imagine there would be a lot of issues surrounding them having users' passwords stored on their servers, particularly if the lists included banking details or perhaps work usernames and passwords. Computer code is never 100% perfect and it would be easy for legitimate customers to be swept up in this "pirate-only" DRM."

We’ve contacted Flight Sim Labs for comment and will update this story if they get back to us.

Read this next