A flight sim company that put malware in one of their jets now say they were only after one person, in an attempt to play down how many users were affected by what they described as “DRM”. As we reported yesterday, Flight Sim Labs normally sell planes to players of Flight Simulator X, but they recently included a malicious file called ‘test.exe’ in the installer for a popular Airbus (you might have seen it if you’ve flown with EasyJet). The malware was designed to dump usernames and passwords saved in the Chrome browser. When this was discovered, the head of the company said the malware was targeted at pirates: it only ‘activated’, he said, if the person installing the plane was using a pirated key. But they now claim they were using the clandestine .exe file to target a single, specific person.

The head of the company, Lefteris Kalamaras, made a post to the Flight Sim Lab forums, admitting again that the dodgy file was embedded in the installer. As in previous posts, he refers to the malware as “DRM” – digital rights management. He then goes into more depth about what they did and why.

First he explains what would happen if you were a “genuine” user running the installer for the airplane:

“As soon as the user entered their customer information (order ID / serial number / email) it verified this against our server database. Genuine customers and any other legitimate serial numbers trigger a full proper installation and no tool was called / used to figure out any pirate info. The installer that temporarily extracted the tool would remove it as part of its normal cleanup operation upon proper installation completion.”

Finally, he zeroes in on their reasoning for including this “tool” at all: to find the people who were cracking their airplane add-ons and distributing keys online for free (for context, this particular aircraft normally costs $100).

“…there were specific crackers who were successful in sidetracking our protection system by using offline serial number generators. We could not find how this would happen, but we happened upon a particular set of information (username / email / serial number) that would occur recurrently from specific IP addresses. We tried to add more tests in our subsequent installer releases, but the specific crackers were also upping their game in ensuring they sidetracked our installer. We even went so far as to figure out exactly who the cracker was (we have his name available upon request of any authorities), but unfortunately we were not able to enter the registration-only web sites he was using to provide this information to other pirates.”

And from here, it just gets more and more Netrunner.

“We found through the IP addresses tracked that the particular cracker had used Chrome to contact our servers so we decided to capture his information directly – and ONLY his information (obviously, we understand now that people got very upset about this – we’re very sorry once again!) as we had a very good idea of what serial number the cracker used in his efforts.”

In other words, they began to put malicious software into their airplanes in an attempt to catch some pirates. But the focus shifted, according to Kalamaras, to keeping track of a single cracker.

The post goes on to say they intended to send all the collected information about this cracker to the “proper legal authorities”. It neglects, though, to address the legality of installing malware on the computers of innocent users in the first place, or the legality of harvesting usernames and passwords from anyone, pirate or not.

This continues to be a grubby story. The whole shebang has been dissected by Fidus Infosec, an information security firm that made a post attempting to answer five pertinent questions:

What legal boundaries is this pushing, if not directly breaking the law? How is the data being sent to FSLabs? How is the data being secured and who has access to it? What exactly are people’s usernames and passwords being used for? What on earth were they thinking?!

They confirmed that the file ‘test.exe’ was indeed malicious, and that it was designed to “extract saved usernames and passwords from the Google Chrome browser and have them displayed in a readable format”. But through their testing they also concluded that “the password dumping tool (test.exe) is only called when a fraudulent serial is used”, just as Flight Sim Labs attest.

However, the infosec folks also found that any captured information was being sent back to the servers of Flight Sim Labs in a format that offers no real protection: Base64, which is an encoding rather than encryption and can be reversed by anyone who sees the traffic, with no key needed (the cryptographic equivalent of wrapping a confidential memo in a few obscuring layers of cling film). They also questioned the security of the servers themselves, and summarised their thoughts like this:
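To see why Base64 counts for nothing here, this added example (not code from the article, from Flight Sim Labs or from Fidus Infosec) sweeps a few constructed outbound-proxy log lines for Base64 request bodies, decodes them without any key, and flags the ones that turn out to be readable credential fields; the hostnames and credentials in the sample are made up.

```python
import base64
import binascii
import re

# Constructed sample of outbound web-proxy log lines (timestamp, destination
# host, request body). Hosts and credentials are made up for the example;
# none of this is real Flight Sim Labs traffic.
SAMPLE_LOG = """\
2018-02-19T10:02:11Z licensing.example body=dXNlcj1hbGljZUBleGFtcGxlLmNvbSZwYXNzPWh1bnRlcjI=
2018-02-19T10:02:12Z updates.example body=eyJ2ZXJzaW9uIjoiMS4yLjMifQ==
2018-02-19T10:02:13Z cdn.example body=AAECAwQFBgcICQoL
"""

# A Base64 blob in the body, and the field names that suggest credentials.
B64_TOKEN = re.compile(r"body=([A-Za-z0-9+/]{8,}={0,2})")
CRED_HINT = re.compile(r"(user|login|email|pass|pwd|serial)\s*[=:]", re.IGNORECASE)


def decode_if_text(token):
    """Decode a Base64 token with no key at all; return the plaintext if it is
    printable text, otherwise None (binary payloads are not what we are after)."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None


def find_exposed_credentials(log):
    """Return (host, plaintext) for each log line whose Base64 body decodes to
    readable text containing a credential-like field. Anyone who can see the
    traffic (a proxy, an ISP, a compromised server) can do exactly this."""
    hits = []
    for line in log.splitlines():
        match = B64_TOKEN.search(line)
        if not match:
            continue
        text = decode_if_text(match.group(1))
        if text and CRED_HINT.search(text):
            hits.append((line.split()[1], text))
    return hits


if __name__ == "__main__":
    for host, text in find_exposed_credentials(SAMPLE_LOG):
        print(f"credentials readable in clear to {host}: {text}")
```

The same sweep over real proxy logs is a cheap way for a defender to spot credentials leaving the network under nothing more than an encoding.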

“Whilst we fully understand the importance of DRM and combating piracy, it poses the question on how ethical some companies are being in doing so along with the legal and infosec implications of it.”

There are still unanswered questions. How many people – pirate or otherwise – have had their usernames and passwords taken by the malware? What has happened to those usernames/passwords? And how many people used the dirty installer legitimately, thus briefly hosting malware? We’ve emailed Flight Sim Labs with these questions and more, and will let you know if we get a response. But don’t hold your breath.