The developer of a flight-simulator add-on package has apologized to users for including a Chrome password dump tool in an official installer as part of a bungled attempt to combat pirates.
Over the weekend FlightSimLabs, or FSLabs, was accused of distributing malware, after Reddit user crankyrecursion discovered that the official FSLabs A320-X add-on installer included a suspicious file called 'test.exe', which turned out to be a Chrome password dump tool.
"Using file 'FSLabs_A320X_P3D_v126.96.36.199.exe' there seems to be a file called 'test.exe' included," wrote crankyrecursion.
"This .exe file is from http://securityxploded.com and is touted as a Chrome password dump tool, which seems to work -- particularly as the installer would typically run with administrative rights (UAC prompts) on Windows Vista and above. Can anyone shed light on why this tool is included in a supposedly trusted installer?"
The answer is digital rights management. FSLabs founder Lefteris Kalamaras responded to the ensuing outrage in a post on its user forum explaining that the hidden tool was part of its anti-piracy efforts and claimed it had no impact on customers who purchased its products.
"First of all -- there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products. We all realize that you put a lot of trust in our products and this would be contrary to what we believe," wrote Kalamaras.
"There is a specific method used against specific serial numbers that have been identified as pirate copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites."
Kalamaras explained that its installer checks whether a user types in a serial number it has previously identified as pirated. The Chrome password dump tool is only extracted if the serial number matches one in its database.
According to Kalamaras, the mechanism was designed to target only specific crackers who were bypassing its DRM system with offline serial-number generators. The company decided to use the Chrome password dump tool after linking certain IP addresses that used Chrome to visit its site.
The intent was to capture that one user's credentials, he said. However, the installer did temporarily extract the tool on non-targeted systems, removing it again before the installation finished.
"Test.exe is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally," Kalamaras wrote.
"That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product. The only reason why this file would be detected after the installation completes is only if it was used with a pirate serial number (not blacklisted numbers)."
Regardless of FSLabs' intent, the company did expose its users to malware and could have handled the pirates in a different way, argues Andrew Mabbitt, founder of Fidus.
"Their statement is more a personal justification of what they've done, and they're not comprehending what exactly they just did. The fact is they dropped malware on [potentially] thousands of machines, secretly, in an attempt to gather information on a single target," Mabbitt told ZDNet in an email.
"Regardless if the target in question was pirated copies of the game or not, dumping their Chrome usernames/passwords and siphoning them off, insecurely too, to servers under their control is incomprehensible.
"They've noted they knew what serials the pirate was using. Surely, the logical next step was simply to blacklist those serials and prevent them from being used."
However, FSLabs' Kalamaras said there were safeguards to protect others from potential privacy issues. But he also admitted the company's approach to DRM was "overly heavy-handed", and it has released a new installer without the password dumping tool.
"We have already replaced the installer in question and can only promise you that we will do everything in our power to rectify the issue with those who feel offended, as well as never use any such heavy-handed approach in the future. Once again, we humbly apologize."
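The alternative Mabbitt describes, blacklisting the leaked serials and refusing to install, is what a serial check normally looks like. The following Python is an added example, not FSLabs' code: it keeps only hashes of revoked serials in the installer, accepts or refuses a key, and has no other outcome (nothing is extracted, collected or sent). The serial format and the two "leaked" serials are constructed for the example.

```python
import hashlib
import re

# Constructed serial format for this example: four groups of four
# alphanumerics, e.g. "ABCD-1234-EFGH-5678". Not FSLabs' real format.
SERIAL_RE = re.compile(r"^[A-Z0-9]{4}(-[A-Z0-9]{4}){3}$")


def normalize_serial(serial: str) -> str:
    """Canonicalize user input so the same key always hashes the same way."""
    return "".join(serial.split()).upper()


def serial_hash(serial: str) -> str:
    """SHA-256 of the normalized serial; the installer ships hashes, not keys."""
    return hashlib.sha256(normalize_serial(serial).encode("utf-8")).hexdigest()


# Constructed: serials that "leaked" to piracy sites. A shipped installer
# would embed only REVOKED_SERIAL_HASHES, never this plaintext tuple.
_LEAKED_SERIALS = ("ABCD-1234-EFGH-5678", "zzzz-9999-yyyy-8888")
REVOKED_SERIAL_HASHES = frozenset(serial_hash(s) for s in _LEAKED_SERIALS)


def decide_install(serial: str, revoked=REVOKED_SERIAL_HASHES) -> dict:
    """Return the installer's decision for a serial.

    The only outcomes are 'refuse' and 'proceed'. A revoked key is simply
    rejected with a reason the installer can show or log locally; there is
    no code path that drops a tool or phones home.
    """
    norm = normalize_serial(serial)
    if not SERIAL_RE.match(norm):
        return {"action": "refuse", "reason": "malformed serial"}
    if serial_hash(norm) in revoked:
        return {"action": "refuse", "reason": "serial revoked (known pirate copy)"}
    return {"action": "proceed", "reason": "serial accepted"}


if __name__ == "__main__":
    for key in ("abcd-1234-efgh-5678", "QRST-0000-UVWX-1111", "not a serial"):
        print(key, "->", decide_install(key))
```

Storing hashes rather than plaintext serials means the revocation list inside the installer does not itself become a list of working keys, and keeping the decision to a two-valued result makes it easy to audit that a failed check can do nothing beyond refusing.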