
FlightSimLabs Alleged Malware Analysis - taylorexpander
https://medium.com/@lukegorman97/flightsimlabs-alleged-malware-analysis-1427c4d23368
======
taylorexpander
I thought I’d share this here to spread more attention to the practices of
FlightSimLabs, a flight simulator software shop.

The short version is that they included an executable in their installer that
when run would extract passwords saved in Chrome and presumably phone them
home. Their reasoning was that this was purely for DRM reasons. They claim
that this password stealing tool would not run for legit/valid serial keys.

This was only discovered by someone on reddit recently, and since this has
been public the developers have claimed they’ve removed the password stealing
malware from their installer. They have again made statements saying that this
tool was only used against pirated copies of their software. Not once have
they apologized and their users for the most part don’t seem to care.

~~~
toomanybeersies
So basically "you broke the law, so we'll break the law"?

~~~
kees99
Unfortunately, this sort of attitude is not unheard of among proprietary
software vendors - see for example FTDI bricking your hardware if they think
it's counterfeit:

[https://news.ycombinator.com/item?id=8493849](https://news.ycombinator.com/item?id=8493849)

~~~
IntronExon
Wouldn’t that be downright illegal? Moreover, someone bricking my hardware
would inspire me to forcefully return said “brick” to them, through their
nearest window.

~~~
draugadrotten
Wouldn’t that be downright illegal? Moreover, someone breaking my windows
would inspire me to forcefully discuss said behaviour with them, with their
nearest brick.

~~~
IntronExon
Totally illegal, but while I would _feel_ like tossing something through their
window, I would never do it. If only this company had as much of a moral
compass!

------
zelon88
I never understood the point of DRM.

"10 extremely determined people want to steal my intellectual property! I'll
go miles out of my way to design this in such a way that 1,000 people have a
crappy experience to slow down the 10 people who want to be pirates!"

 _Vendor makes a shitty product_

 _Pirates find a workaround, pirate shitty product anyway_

 _Vendor makes shitty product even shittier for all 1,000 people to again try
to stop the same 10 determined pirates_

~~~
bunderbunder
There is a different philosophy of DRM, maybe less well-known because it
doesn't tend to produce newsworthy examples, that says that the goal is to
provide just enough of a nudge toward paying for the product that you're not
operating completely on the honor system.

Under this approach, you really only want to make pirating the software just a
little bit less convenient than paying for the software for most users.
Because most potential pirates aren't determined attackers, they're just
regular folks who are every bit as lazy and strapped for time as everyone
else, and therefore won't bother to spend a few minutes keying in credit card
information if they don't have to.

It's sort of analogous to turnstiles at train stations. Virtually anyone can
go around or under them if they want to, but that's not the point. The point
is that hopping a turnstile is just a bit more of a hassle than fishing your
transit card out of your purse. Just enough more that most people would rather
do that.

~~~
taneq
> The point is that hopping a turnstile is just a bit more of a hassle than
> fishing your transit card out of your purse. Just enough more that most
> people would rather do that.

I don't think it's even that it's more hassle, it's just a reminder of how
things are meant to work. Most people will do the right thing voluntarily once
their attention's been brought to it. Sort of like the courtesy lock on a
bathroom stall - it's not to physically prevent entry, it's just to indicate
that entry would be impolite.

~~~
zelon88
I wouldn't say that's necessarily true with software. Most of the time with
software if I'm looking into pirating something it's because I want it. I
don't need it, and therefore the cost is unjustified. Usually I try to go the
open-source route, but let's talk hypothetically here. There is a commercial
product that I want, but don't need.

I'm never going to buy it. Even if pirating it is unsuccessful, I'll just go a
different route. So trying to prevent me from pirating the software isn't
protecting profits. It's not persuading me to purchase anything. It's
persuading me to look for a free alternative or a competing product. It's
taking away its own market share by pushing me away. I always laughed at
Microsoft's efforts to combat pirates. From their perspective any machine
running Windows, pirated or legit, is worth more to Microsoft than that same
machine NOT running Windows, NOT supporting the Windows ecosystem, and
supporting the competition instead. Even if they have to give the product away
for free.

If there's a product I need, or a product I need to have licensed for business
reasons, I will buy it regardless of whether or not I can pirate it easily or
not.

So, at least for me, pirating something is less a question of whether or not I
can get away with it than it is a factor of what I find that functionality to
be worth. If a $100 piece of software is too much for me I'll pirate it or go
somewhere else, but I'll never buy it.

Conversely, if the vendor saved themselves the development time and skipped
the DRM to drop the price down to $75 I might consider buying it, even though
I could easily pirate it.

It comes down to value. Just because a vendor wants to make $100/unit doesn't
mean their product is worth $100/unit, and it doesn't mean I'll ever pay
$100/unit. If another product can do the same task for $50/unit that's likely
the route I'll take.

------
buserror
In my younger days of making shareware, my way to find pirates was a lot
easier... If the serial had been stolen, I would crash the app after a few
hours of use, randomly, with a generic message but a very, very specific error
code.

Then I'd wait for the support emails to come in with people complaining about
that crash/error...

Typical how the pirate support requests were _always_ the most rude and
impolite :-)

~~~
dawnerd
EA did something similar with The Sims. Screen would slowly blur. You can’t
beat pirates but you sure can have fun with them.

------
tutts
"How do we know that FSLabs don’t use this, just because they say so?"

How do you know the main executable doesn't do the same thing? How is trusting
them not to run this .exe different from trusting them not to secretly
implement this functionality in the actual program?

~~~
yjftsjthsd-h
Well yeah. The appropriate reaction here is to assume that the company is
shipping malware in the product regardless of what particular format.

~~~
tutts
Sure, but what of significance has changed? Every time you run a program,
you're trusting the developer not to do nefarious things like reading your
Chrome credentials, because the only assurance you have is the developer's
word about what the program does. As far as I can tell, that hasn't changed at
all. I'm not saying this is okay - there are reasons why this is a bad thing
to do, I just don't see how no longer being able to trust the developer not to
be malicious is one of them.

~~~
yjftsjthsd-h
There is a difference between "developer could hypothetically do bad stuff"
and "developer has been caught doing bad stuff"

------
milesdyson_phd
Oh shit, I literally just bought one of their products for P3D...

Edit: FSLabs_A320X_P3D_v2.0.1.215.exe also has it present

~~~
maze-le
Hey, thanks for the info. I was just thinking about buying the A320 for FSX
the other day. I will refrain from installing any software from "Flight Sim
Labs" in the future, it's kind of troubling to see this development. I mean it
is clear that you do not run just any old software you found on some shady
corners on the internet, but this is a big vendor, with lots of sales, a
certain name and a community. How the hell can this happen?

------
sibbl
Please don't see Fiddler as a Wireshark replacement. If Fiddler doesn't show a
network request, the tool might simply not use the Fiddler proxy...

------
originalsimba
What they've done is a crime.

Trying to fight piracy by using evil and criminal methods is the wrong
approach. There's an old saying "Two wrongs don't make a right".

------
45h34jh53k4j
Unfortunately, the moment a company has distributed malware intentionally,
they are totally written off. They will never be trustworthy to distribute
software again.

Never touch any program this company has released, there is a high risk of
malware.

~~~
45h34jh53k4j
Lefteris Kalamaras is not to be trusted. His organisation knowingly
distributed malware in a legitimate software installer provided by his
company.

------
GCU-Empiricist
I wonder what their legal department told them about this idea. I can't
imagine any well briefed copyright lawyer concurring with this.

~~~
filesystem
My thoughts exactly. This is so unbelievably bone-headed.

I want to believe that this was slipped in by a small rogue group within FSL,
and that it's not something everyone approved of...

~~~
fyfy18
LinkedIn only has 3 people who are listed as working at this company [0], so
I'd assume it's a small indie shop without a legal department.

[0]
[https://www.linkedin.com/search/results/index/?keywords=Flig...](https://www.linkedin.com/search/results/index/?keywords=Flight%20Sim%20Labs%2C%20Ltd).

~~~
GCU-Empiricist
It still baffles me. You can't stay even moderately up to date on technology
news, without knowing that initiating a security breach, even on someone who
has stolen your product, will still be criminal.

~~~
ikeboy
Just have the user agreement state that if you pirate it, you allow them to
exfiltrate all data on your system.

~~~
jnbiche
Yeah, not sure if you're being sarcastic, but if not: the law doesn't work
like that. You can't annul a criminal statute simply by including a clause in
your EULA.

~~~
ikeboy
If someone signs a contract allowing you to do something you're generally
allowed to do the thing, with exceptions.

Dropbox uploads data from your computer on to their servers, which would be
illegal had you not agreed to that as part of signing up and installing the
software.

~~~
maze-le
The difference is that Dropbox is only allowed to access those files I tell it
to. If the Dropbox client would start crawling my filesystem for
'password.txt' or 'banking-tan.list' this would be illegal, no matter what
clause is written in the EULA.

~~~
ikeboy
On what basis are you differentiating between agreeing to something that
allows them to access your stuff, and "telling it" to access them?

------
kseifried
This now has the identifier: [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7259](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7259)

------
exabrial
The passwords aren't protected somehow from copying?

~~~
lima
Not on Windows, but on Linux it's encrypted with your account password (it
uses the Gnome Keyring/KDE Wallet APIs).

But none of that is going to help against an attacker with the same
permissions.

~~~
Someone1234
If that's the case that's a choice Google made. Windows via the
CryptProtectData API[0] allows you to protect data via the user's session just
like the Gnome Keyring/KDE Wallet.

But as you pointed out, another process with the same privileges can decrypt
it making it pretty pointless in both cases. Only way to securely do it is to
prompt the user for a decryption key each time they open the browser which has
usability issues but Firefox offers it via the Master Password functionality.

[0] [https://msdn.microsoft.com/en-us/library/windows/desktop/aa3...](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380261\(v=vs.85\).aspx)

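The point made above about CryptProtectData (DPAPI), as an added example that is not part of the thread and not code from FlightSimLabs or any browser vendor: with the CurrentUser scope, the key material is derived from the logged-on user's credentials, so a blob sealed by one process is opened by any other process running as that user, which is exactly what a malicious installer running under your account is. The script assumes Windows with PowerShell 5.1 or later and the .NET `System.Security.Cryptography.ProtectedData` wrapper; the secret and entropy strings are constructed sample values.

```powershell
# Added example: DPAPI protection is bound to the user, not the application.
# A blob sealed in this process is unsealed by a freshly spawned, unrelated
# process that merely runs as the same Windows user.
Add-Type -AssemblyName System.Security

$secret = [Text.Encoding]::UTF8.GetBytes('hunter2')          # constructed sample secret
$scope  = [Security.Cryptography.DataProtectionScope]::CurrentUser

# "Process A" (e.g. a browser): seal the secret, no optional entropy.
$blob = [Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
$b64  = [Convert]::ToBase64String($blob)

# "Process B" (e.g. an installer you just ran): a separate process, same user,
# no shared secret of its own, recovers the plaintext.
$unsealer = @"
Add-Type -AssemblyName System.Security
`$blob  = [Convert]::FromBase64String('$b64')
`$plain = [Security.Cryptography.ProtectedData]::Unprotect(`$blob, `$null, 'CurrentUser')
[Text.Encoding]::UTF8.GetString(`$plain)
"@
$encoded   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($unsealer))
$recovered = powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded
"Other process recovered: $recovered"

# The only per-caller knob DPAPI offers is optional entropy: extra bytes that
# must be presented again on Unprotect. It helps only as long as the entropy
# stays out of the attacker's reach; a process running as you can usually read
# the same binary or config file the application keeps it in.
$entropy = [Text.Encoding]::UTF8.GetBytes('app-specific-entropy')   # constructed sample value
$blob2   = [Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)
try {
    [void][Security.Cryptography.ProtectedData]::Unprotect($blob2, $null, $scope)
    'Unprotect without the entropy unexpectedly succeeded'
} catch {
    'Unprotect without the entropy failed: ' + $_.Exception.GetType().Name
}
```

Run it as an ordinary user and the second process prints the original secret; only the entropy-protected blob resists, and only until the attacker reads the entropy from wherever the application stored it. That is why a same-user process with no elevation needs nothing more than file read access to recover DPAPI-sealed browser data, and why a prompt-for-master-password design, with its usability cost, is the one model where the key is not already on the box.
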
~~~
exabrial
So Windows doesn't have an equivalent of OSX Keychain, where an item can have
a per-application ACL? [or I have misunderstood the OSX Keychain]

~~~
HHad3
Correct, Windows does not have per-application identities that could be used
with a keychain service. Furthermore, every application in your Windows
session (unless sandboxed) has access to virtual memory of other applications
in the same session.

On macOS, applications' address spaces are isolated and code signing
certificates are used for identifying application requests to the keychain.

------
stevemk14ebr
Someone sue them please

