FSLabs Flight Simulation Labs Dropping Malware to Combat Piracy? Is this DRM gone mad?

Introduction

This morning, Fidus’ Penetration Testing team stumbled upon some troubling posts on Reddit accusing FSLabs of bundling a Google Chrome password stealer into their flagship flight simulator product in order to ‘combat piracy’. Yep, it’s as crazy as it sounds.

First thoughts on the matter raises numerous questions:

1. What legal boundaries is this pushing, if not directly breaking the law?
2. How is the data being sent to FSLabs?
3. How is the data being secured and who has access to it?
4. What exactly are people’s usernames and passwords being used for?
5. What on earth were they thinking?!

FSLab’s first posted a comment with the following points:

1) First of all – there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products. We all realize that you put a lot of trust in our products and this would be contrary to what we believe.

2) There is a specific method used against specific serial numbers that have been identified as pirate copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites.

3) If such a specific serial number is used by apirate (a person who has illegally obtained our software) and the installer verifies this against the pirate serial numbers stored in our server database, it takes specific measures to alert us. “Test.exe” is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally. That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product. The only reason why this file would be detected after the installation completes is only if it was used with apirate serial number (not blacklisted numbers).

An update was posted by the company following the outcry on Reddit:

Hello all,

I would like to further address some of the controversy that has taken place this evening.

I want to reiterate and reaffirm that we as a company and as flight simmers would never do anything to knowingly violate the trust that you have placed in us by not only buying our products but supporting them and FlightSimLabs.

While the majority of our customers understand that the fight against piracy is a difficult and ongoing battle that sometimes requires drastic measures, we realize that a few of you were uncomfortable with this particular method which might be considered to be a bit heavy handed on our part. It is for this reason we have uploaded an updated installer that does not include the DRM check file in question.

I want to thank you all for voicing your concerns in a considerate manner on our forums and elsewhere. We do listen to our customers because without you, there would be no FlightSimLabs.

Technical Analysis

Upon installing the application in question, a number of files are extracted into a temporary directory.

The most interesting of which is the test.exe file. Further digging into this file shows this file is the Chrome Password Dumping tool by SecurityXploded . The command line based tool allows users to extract saved usernames and passwords from the Google Chrome browser and have them displayed in a readable format.

When uploaded to VirusTotal, the test.txt has less than favorable results – https://www.virustotal.com/#/file/60641eef00a7498a62ac7686e656dad6e8f700cb4803a8a149707b2c4a3a09c9/detection

Fidus also uncovered a very interesting comment made by the FSLabs team in October 2017 in relation to the test.txt file.

Another file instantly looks very appealing in the temp directory; base64.exe. One assumption to make is that credentials are dumped using the Chrome Password Dump tool and base64’d before being sent back to FSLabs.

Digging further after decompiling we get provided a 55MB .bin file which is used within the setup application. Running strings on the .bin file yields the followin shows us the following:

1. Test.exe (Password dumper) is called.
2. It is output to Log.txt
3. Base64.exe is called to encode the Log.txt file.
4. The Base64 encoded log file is sent over HTTP.. that’s right.. HTTP. Note the LogHandler3.ashx

This appears to be application flow IF a fraudulent serial is used.

\\

Here is the application flow if a legitimate serial is detected:

Whilst a lot of information is provided, it does not include any references to the password dumping tool. We can conclude the password dumping tool (test.exe) is only called when a fraudulent serial is used.

Serious Issues

There are a handful of serious issues at play here:

1. What is the legality of this?
2. Why is data being sent over HTTP and only being encoded with B64?
3. How secure is the data being stored? – The server running the log collection domain also has RDP open to the internet..

Whilst we fully understand the importance of DRM and combating piracy, it poses the question on how ethical some companies are being in doing so along with the legal and infosec implications of it.