The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Flight sim DLC maker used malware to steal pirates' passwords

    Discussion in 'Security and Anti-Virus Software' started by Vistar Shook, Feb 20, 2018.

  1. Vistar Shook

    Vistar Shook Notebook Deity

    Reputations: 2,761 | Messages: 1,256 | Likes Received: 1,362 | Trophy Points: 181
    https://www.techspot.com/news/73349-flight-sim-dlc-maker-used-malware-steal-pirates.html

    The piece of software in question, DLC from Flight Sim Labs, Ltd. (FSLabs, for short), reportedly included a file called “text.exe” which apparently extracts all saved usernames and passwords from Chrome and seemingly sends them to FSLabs.

    Andrew Mabbitt, founder of cybersecurity company Fidus Information Security, described it as “by far one of the most extreme, and bizarre, methods of Digital Rights Management (DRM) we’ve ever seen.”

    Lefteris Kalamaras, founder and owner of FSLabs, had the following to say in a forum post:

    1) First of all - there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products. We all realize that you put a lot of trust in our products and this would be contrary to what we believe.

    2) There is a specific method used against specific serial numbers that have been identified as pirate copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites.

    3) If such a specific serial number is used by a pirate (a person who has illegally obtained our software) and the installer verifies this against the pirate serial numbers stored in our server database, it takes specific measures to alert us. "Test.exe" is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally. That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product. The only reason why this file would be detected after the installation completes is only if it was used with a pirate serial number (not blacklisted numbers).

    http://www.guru3d.com/news-story/flightsimlabs-injected-viral-like-drm-into-its-distribution.html

    https://motherboard.vice.com/en_us/article/pamzqk/fs-labs-flight-simulator-password-malware-drm

    http://www.ibtimes.co.uk/flight-sim...sword-stealing-malware-tackle-pirates-1662513
     
    Last edited: Feb 20, 2018
    bennni and Vasudev like this.
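The article quoted above describes an installer that drops a helper executable which reads Chrome's saved-credential store and sends the contents off-host. As an added defender-side example (not code from the article, from FSLabs, or from anyone in this thread), the script below runs a simple detection over constructed file-access telemetry: any process other than the browser itself opening Chrome's "Login Data" database is flagged, and the finding records whether the reader was running out of a Temp directory, matching the "temporarily extracted" behaviour described later in the thread. The key="value" event format, the field names, and the sample paths are my own constructions; the Chrome profile path is the well-known default location.

```python
import re
from dataclasses import dataclass

# Chrome keeps saved logins in an SQLite database named "Login Data" inside the
# profile directory under "User Data". This pattern matches that well-known
# default location (and its "-journal" sidecar) on any drive and for any profile.
CHROME_LOGIN_DATA = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data", re.IGNORECASE
)

# Only the browser itself is expected to open its own credential store.
ALLOWED_IMAGES = {"chrome.exe"}


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str              # executable name of the reading process
    parent: str             # executable name of its parent
    target: str             # credential-store path that was opened
    staged_from_temp: bool  # True if the reader runs out of a Temp directory


def parse_event(line):
    """Parse one constructed key="value" event line into a dict (hypothetical log format)."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}


def basename(path):
    """Last component of a Windows-style path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_credential_store_access(lines):
    """Return a Finding for every file_read of Chrome's Login Data by a non-browser process."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") != "file_read":
            continue
        target = ev.get("target", "")
        if not CHROME_LOGIN_DATA.search(target):
            continue
        image_path = ev.get("image", "")
        image = basename(image_path)
        if image in ALLOWED_IMAGES:
            continue
        findings.append(Finding(
            pid=int(ev.get("pid", 0)),
            image=image,
            parent=basename(ev.get("parent", "")),
            target=target,
            staged_from_temp="\\temp\\" in image_path.lower(),
        ))
    return findings


# Constructed sample telemetry (not real logs). The second line models the behaviour
# the thread describes: an installer stages a helper in Temp and that helper reads the
# browser's saved-credential database. The other lines are benign or unrelated.
SAMPLE_EVENTS = [
    'event="file_read" pid="4120" image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'parent="C:\\Windows\\explorer.exe" '
    'target="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"',
    'event="file_read" pid="5310" image="C:\\Users\\alice\\AppData\\Local\\Temp\\setup_stage\\test.exe" '
    'parent="C:\\Users\\alice\\Downloads\\addon_installer.exe" '
    'target="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"',
    'event="file_read" pid="5310" image="C:\\Users\\alice\\AppData\\Local\\Temp\\setup_stage\\test.exe" '
    'parent="C:\\Users\\alice\\Downloads\\addon_installer.exe" '
    'target="C:\\Users\\alice\\AppData\\Local\\Temp\\setup_stage\\config.ini"',
    'event="net_connect" pid="5310" image="C:\\Users\\alice\\AppData\\Local\\Temp\\setup_stage\\test.exe" '
    'dest="203.0.113.10:443"',
]

if __name__ == "__main__":
    for f in detect_credential_store_access(SAMPLE_EVENTS):
        print(f"ALERT pid={f.pid} {f.image} (parent {f.parent}, temp={f.staged_from_temp}) read {f.target}")
```

Run as-is and only the staged helper is reported; the browser's own access to its database is allowed by name. In a real pipeline the same rule would be fed from file-access events (for example Sysmon or EDR file-read telemetry) and the allow-list would be tightened to the browser's signed binary path rather than its file name, since a process name is trivially spoofable.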
  2. bennni

    bennni Notebook Evangelist

    Reputations: 91 | Messages: 450 | Likes Received: 278 | Trophy Points: 76
    So, how does storing all usernames and passwords help against piracy? The usernames would seem sufficient - a Facebook and Google account username would help to identify you. Taking the passwords makes it look legitimately sketchy. It seems that the passwords are also uploaded sans adequate encryption, which would be further sketchy if so.

    Am I right in thinking that they are also using a password extractor that has been made by somebody else? If so, it'd be interesting to see how they're ensuring that it only targets users who install pirate copies.

    On the plus side, this has made me think about better ways of storing passwords than Google Chrome's built-in password manager.

    Link to the thread on their forums if you want to see customer relations 101 in action:

    https://forums.flightsimlabs.com/index.php?/topic/16210-malware-in-installer/
     
    Vistar Shook likes this.
  3. bennni

    bennni Notebook Evangelist

    Reputations: 91 | Messages: 450 | Likes Received: 278 | Trophy Points: 76
    Update: I found a clarification of the issue (well, it's still quite obscure):

    "Hello all,

    We feel that it's only fair that we disclose fully the extent of our DRM efforts here. So let's discuss exactly that now - but first, I need to personally direct my attention to those who feel offended by our actions and to say that we realize it's an issue whose extent we hadn't grasped at first, but now fully understand and apologize that we offended you in any way.

    I also want to thank the majority of our customers who have declared their support and continued trust already but for those who feel their trust was violated, we feel it's only fair to offer full refunds of your paid P3Dv4 purchase, just let us know through a support ticket.

    1) So - what exactly did our P3Dv4 installers do?

    As soon as the user entered their customer information (order ID / serial number / email) it verified this against our server database. Genuine customers and any other legitimate serial numbers trigger a full proper installation and no tool was called / used to figure out any pirate info. The installer that temporarily extracted the tool would remove it as part of its normal cleanup operation upon proper installation completion. Please also keep in mind this was not an issue with earlier FSX / P3Dv3 products.

    2) What happened with misspelled / misunderstood / unknown serial numbers?

    As soon as any such wrongfully typed or mistyped piece of information would be detected, the installer would simply alert the user on the mistype and return to ask for the data again. It would not cause any tool to be called to figure out any pirate info, it simply stopped and waited for corrected information. Again, no personal data would ever be extracted.

    3) When - exactly - would the tool be triggered?

    Flash back to our first A320-X release for FSX / P3Dv3 (32bit) - we discovered soon after the release of our product for those simulator versions that there were specific crackers who were successful in sidetracking our protection system by using offline serial number generators. We could not find how this would happen, but we happened upon a particular set of information (username / email / serial number) that would occur recurrently from specific IP addresses. We tried to add more tests in our subsequent installer releases, but the specific crackers were also upping their game in ensuring they sidetracked our installer. We even went so far as to figure out exactly who the cracker was (we have his name available upon request of any authorities), but unfortunately we were not able to enter the registration-only web sites he was using to provide this information to other pirates. We found through the IP addresses tracked that the particular cracker had used Chrome to contact our servers so we decided to capture his information directly - and ONLY his information (obviously, we understand now that people got very upset about this - we're very sorry once again!) as we had a very good idea of what serial number the cracker used in his efforts.

    With our P3Dv4 installer, we discovered through more detailed installation logs that there was a specific set of pirate data that came up over and over again - so we decided to target that set of data directly. As a result, we made our server listen for a specific subset of data sent from the installer and when that was triggered, to dump that cracker's information needed for us to gain access to those illicit web sites, so we could then forward the information to proper legal authorities.

    What is very ironic here was that this method worked, in fact, and we were able to receive this information. We discovered with dismay that behind this person, there was an entire web of operations that had been set up that not only provided an interested person with a pirate copy of our product, but it used its own eSellerate key generators together with offline activators (by changing the activation server IP addresses to match the pirate servers) that would validate those keys directly. Apart from our company, there was a whole host of other flight simulator developer companies whose products were being shared and offline keys generated.

    Here are two images that showcase two of the web sites in question. In the first, one can clearly see how extensive the damage to all our favorite add-on providers is.

    4) How does that affect YOU as a customer?

    The tool that was used to dump the pirate's information will never execute on your machine - unless you were the particular person targeted that used that set of data mentioned above. Even if only some of the data matched, the installer would receive a negative response from our server and never execute it. Safeguards on our servers ensured there was no possibility that any user other than the one targeted would actually have his personal details compromised. Even so, we realize that it doesn’t justify even temporarily extracting it via the installer on people uninvolved with this situation – this was a mistake.

    5) Realizations

    As I mentioned in the first paragraph above, I wanted to ensure full disclosure first and foremost to our customers, some of whom feel their trust was violated. This was not our intention and we take full responsibility. What we now understand to have been an overly heavy-handed approach to our DRM installer efforts also meant that our support team strictly followed the instruction guidelines without being aware of the inclusion of DRM tools in any of our installers.

    I also want to reiterate there was no personal data sent or kept that would mean a breach of privacy, except for that subset of information regarding the web sites mentioned above.

    We have already replaced the installer in question and can only promise you that we will do everything in our power to rectify the issue with those who feel offended, as well as never use any such heavy-handed approach in the future. Once again, we humbly apologize!

    19 FEB 2018

    Lefteris Kalamaras"

    https://forums.flightsimlabs.com/index.php?/announcement/11-a320-x-drm-what-happened/
     
    Jarhead and Vistar Shook like this.
  4. Jarhead

    Jarhead 恋の♡アカサタナ

    Reputations: 5,036 | Messages: 12,168 | Likes Received: 3,134 | Trophy Points: 681
    Huh, that’s pretty interesting. While it’s a bit scary to legit customers I’d imagine, I don’t really feel any sympathy towards people targeted by this.
     
    Vistar Shook likes this.