FlightSimLabs Alleged Malware Analysis

medium.com

113 points by taylorexpander 8 years ago · 61 comments

taylorexpanderOP 8 years ago

I thought I’d share this here to spread more attention to the practices of FlightSimLabs, a flight simulator software shop.

The short version is that they included an executable in their installer that when run would extract passwords saved in Chrome and presumably phone them home. Their reasoning was that this was purely for DRM reasons. They claim that this password stealing tool would not run for legit/valid serial keys.

This was only discovered by someone on reddit recently, and since this has been public the developers have claimed they’ve removed the password stealing malware from their installer. They have again made statements saying that this tool was only used against pirated copies of their software. Not once have they apologized and their users for the most part don’t seem to care.

  • Digital-Citizen 8 years ago

    > They have again made statements saying that this tool was only used against pirated copies of their software.

    That's quite a claim. But it wouldn't matter if they did apologize. No apology would take away the malware or cause this publisher to have not used the secrecy of proprietary software (and the implicit trust all of their users had in the publisher) to not do what they did.

    Too bad for the users who obtained copies (regardless of how) that this claim is utterly unverifiable and ultimately up to the dictates of an organization that already misrepresented its aim to its users -- I'll bet that people who got a copy thought they were getting a flight simulator, not a credentials copier. There's no reason to trust that they're not lying now. And what if FlightSimLabs (or some organization they trust to hold data) inadvertently leaked sensitive information? That's the trouble with trusting organizations to hold sensitive data; they can end up contributing to harm even if they don't intend to do so, or do so accidentally purely by way of making bad decisions about whether to hold the data in the first place and also by bad design of where and how to store the sensitive data.

    Proprietary software hides malware (see https://www.gnu.org/proprietary/proprietary.html for lots of examples), users deserve software freedom (the freedom to run, inspect, modify, and share published software), and users deserve to control their own computers. And this DRM was indiscriminate (as most DRM is): it was installed on all users of the affected program, including on the copies distributed in the manner FlightSimLabs wanted.

  • toomanybeersies 8 years ago

    So basically "you broke the law, so we'll break the law"?

    • kees99 8 years ago

      Unfortunately, this sort of attitude is not unheard of among proprietary software vendors - see for example FTDI bricking your hardware if they think it's counterfeit:

      https://news.ycombinator.com/item?id=8493849

      • alyandon 8 years ago

        And as a side effect to that story - I recently needed to purchase a USB to RS232 adapter to program a router and I went explicitly out of my way to make sure the adapter I purchased didn't use an FTDI chip.

        FTDI is a name I won't be forgetting anytime soon.

      • IntronExon 8 years ago

        Wouldn’t that be downright illegal? Moreover, someone bricking my hardware would inspire me to forcefully return said “brick” to them, through their nearest window.

        • draugadrotten 8 years ago

          Wouldn’t that be downright illegal? Moreover, someone breaking my windows would inspire me to forcefully discuss said behaviour with them, with their nearest brick.

          • IntronExon 8 years ago

            Totally illegal, but while I would feel like tossing something through their window, I would never do it. If only this company had as much of a moral compass!

      • mariuolo 8 years ago

        > FTDI bricking your hardware if they think it's counterfeit

        It's not quite the same thing. Their driver does things that work with the original hardware.

        If a different chip uses the same USB ID, they're asking for trouble.

        (of course good faith is unlikely in this case)

    • arkades 8 years ago

      Actually, it’s “we suspect you may have broken the law, so we’ll break the law.” A distinction no one seems to be hammering on, but that I think makes what they did much, much worse.

    • dx034 8 years ago

      Not even sure if users broke the law. Just using a 3rd party cracked software doesn't necessarily violate laws (at least no criminal offence). The distributors and crackers clearly violated laws but any user with a cracked serial number was targeted. That also included people who might've received the number against payment from someone else and thought they had a genuine copy.

zelon88 8 years ago

I never understood the point of DRM.

"10 extremely determined people want to steal my intellectual property! I'll go miles out of my way to design this in such a way that 1,000 people have a crappy experience to slow down the 10 people who want to be pirates!"

Vendor makes a shitty product

Pirates find a workaround, pirate shitty product anyway

Vendor makes shitty product even shittier for all 1,000 people to again try to stop the same 10 determined pirates

  • bunderbunder 8 years ago

    There is a different philosophy of DRM, maybe less well-known because it doesn't tend to produce newsworthy examples, that says that the goal is to provide just enough of a nudge toward paying for the product that you're not operating completely on the honor system.

    Under this approach, you really only want to make pirating the software just a little bit less convenient than paying for the software for most users. Because most potential pirates aren't determined attackers, they're just regular folks who are every bit as lazy and strapped for time as everyone else, and therefore won't bother to spend a few minutes keying in credit card information if they don't have to.

    It's sort of analogous to turnstiles at train stations. Virtually anyone can go around or under them if they want to, but that's not the point. The point is that hopping a turnstile is just a bit more of a hassle than fishing your transit card out of your purse. Just enough more that most people would rather do that.

    • taneq 8 years ago

      > The point is that hopping a turnstile is just a bit more of a hassle than fishing your transit card out of your purse. Just enough more that most people would rather do that.

      I don't think it's even that it's more hassle, it's just a reminder of how things are meant to work. Most people will do the right thing voluntarily once their attention's been brought to it. Sort of like the courtesy lock on a bathroom stall - it's not to physically prevent entry, it's just to indicate that entry would be impolite.

      • zelon88 8 years ago

        I wouldn't say that's necessarily true with software. Most of the time with software if I'm looking into pirating something it's because I want it. I don't need it, and therefore the cost is unjustified. Usually I try to go the open-source route, but let's talk hypothetically here. There is a commercial product that I want, but don't need.

        I'm never going to buy it. Even if pirating it is unsuccessful, I'll just go a different route. So trying to prevent me from pirating the software isn't protecting profits. It's not persuading me to purchase anything. It's persuading me to look for a free alternative or a competing product. It's taking away its own market share by pushing me away. I always laughed at Microsoft's efforts to combat pirates. From their perspective any machine running Windows, pirated or legit, is worth more to Microsoft than that same machine NOT running Windows, NOT supporting the Windows ecosystem, and supporting the competition instead. Even if they have to give the product away for free.

        If there's a product I need, or a product I need to have licensed for business reasons, I will buy it regardless of whether or not I can pirate it easily or not.

        So, at least for me, pirating something is less a question of whether or not I can get away with it than it is a factor of what I find that functionality to be worth. If a $100 piece of software is too much for me I'll pirate it or go somewhere else, but I'll never buy it.

        Conversely, if the vendor saved themselves the development time and skipped the DRM to drop the price down to $75 I might consider buying it, even though I could easily pirate it.

        It comes down to value. Just because a vendor wants to make $100/unit doesn't mean their product is worth $100/unit, and it doesn't mean I'll ever pay $100/unit. If another product can do the same task for $50/unit that's likely the route I'll take.

  • barry0079 8 years ago

    The silliest part of this is pirates usually get to enjoy a better product because of their actions.

    • ceejayoz 8 years ago

      For example, the unskippable piracy warnings on DVDs.

      • dawnerd 8 years ago

        And more recently with UHD. Those discs were supposed to be “uncrackable”. Well thanks to some older UHD drives pirates now have full disc rips and as far as I know they’re not even breaking encryption.

      • applecrazy 8 years ago

        Oh, the irony is palpable.

  • jacquesm 8 years ago

    Not only that: they end up enabling the pirates because the pirates are then able to provide the potential users of the product with a major reason for breaking the social contract (and the law): a much better user experience than the original.

    • nottorp 8 years ago

      Back when I was buying DRM-infested games on disc (lately I don't do AAA crap because it's boring, so the only DRM I have to deal with is Steam), the first thing before even unpacking the discs was to download the no-CD crack.

      Those pirates provide a good service to the legitimate owners as well ;)

  • magnetic 8 years ago

    I'm not a big fan of DRM and don't want to defend it, but your description is a bit incomplete.

    Those 10 determined people/pirates go off and put the cracked software (or the serials) up for download for the "not so determined" pirates who just want to download a cracked version (or serial) that works. Those don't have the skills (and willpower) to do the work needed to crack software.

    Those, however, aren't 10 people: the ratio of cracker to "not so determined pirate" is an important part of the puzzle. Perhaps 1000 people will get the cracked version. I don't know, but the 1-to-many relationship is quite obvious from a distribution system such as BT or Mega.

    I'm not trying to justify DRM (and certainly not what these guys have been up to), but your presentation makes it look like measures such as these are trying to fight a super-minority of folks (ie 10 out of 1000, or about 1%), when reality is most likely very different.

    I have an app on the Mac App Store (I won't spam you with the download link since it's irrelevant to the discussion and I'm not here to fish for downloads) with analytics that report that many "purchase attempts" fail with a strange error (ie not a cancellation by the user, not a problem reaching servers, etc), and I have no other choice but to imagine that these are from people who are trying to pirate my app. And it's nowhere near a 1% fraction.

    In my previous company, we'd have server side verification of receipts (per Apple rules), and about an hour after we'd release our software, we'd see a torrent of verification failures in our logs.

    Software piracy is quite widespread and is an issue that we shouldn't gloss over. Still, I wouldn't condone what these guys seem to have been doing.

    As a side comment on style, you could have made your point without saying "Vendor makes a shitty product" as there is no need to denigrate products that vendors make in such a generalized manner. You'll be taken more seriously if you can adopt a more balanced stance.

    • dawnerd 8 years ago

      I’ve pirated apps before buying to make sure I’d like them and they work. It’s surprising how many apps don’t have trials or trials that are not so limited you don’t get an idea how it works. This is really true for Mac AppStore apps.

      • magnetic 8 years ago

        I've heard this rationalization before, but I doubt it's a widespread practice in the pirates' world. Look, people are selling their soul to get "free products" (think about all the use cases where you are the product when using all the nice "free services"). Free is awesome. We're used to free. We demand free. We get offended when some app asks for $1.99 (I exaggerate for style of course, but as someone who has an app on the Mac AppStore, this comment has a reason rooted in reality - and for the record my app is Free while you try it and you pay to unlock it so you can customize it).

        It's an interesting rationalization for an illegal activity, but you are not forced to go down the path of illegality by pirating a software you want to try. You can ask the author for a trial version, and if that leads nowhere, you can just skip this software. Not happy with the terms of the deal? Don't take the deal! The author would be wise to have a trial option, but doesn't owe it to anyone.

        Personal anecdote time: when I was much younger I wanted to buy an exotic car and the dealer didn't offer test drives (understandably). I'm not sure it would feel acceptable to anyone if I had snuck into the dealership at night and took the car out for a spin around the block and put it back after an hour just to "test it out". I realize many flaws can be pointed out in my analogy easily, but the point is that one can get away with "illegal software test drive" because it's software and one would never think of doing it with hardware, because the risks of getting caught (and their consequences) are too high when we deal with tangible assets vs sitting home downloading cracks or serialz.

  • xoa 8 years ago

    I think there are a few main kinds of reasoning behind DRM (non-exclusive, more than one could be involved in any specific case). One is psychological, one is pure greed and generally not explicitly acknowledged, but the last is potentially reasonable in specific situations.

    The first essentially boils down to the well-studied psychological phenomenon of Loss Aversion, which is what you refer to and is purely emotional, the feeling of "someone is TAKING my work!" It has been very well studied that humans in general have a strong natural tendency to prefer to avoid losses vs thinking about gains, and in fact the psychological power of losses can be vastly more (2x+) vs gains. This phenomenon is used extensively in marketing and other areas involving behavioral economics. It is not usually logical, and particularly not in the case of IP infringement where the emotional response fails to consider both that there is no actual loss and that IP itself is not a natural construct and imposes societal costs. Nevertheless, it's definitely powerful and it fuels some of the emotional outrage many honestly feel at infringement, even if it's not merely illogical but outright economically self-destructive (they spend more on DRM and cause more pain to legitimate customers and in turn drive them away than they ever get back).

    A second, purely greed one, comes down to controlling power. A lot of big publishers/organizations in particular saw (and still see) DRM as a way to extract far more money and rent seeking through extreme personalized spatial and temporal slicing of IP licenses. Basically, a much more extreme version of what the music and movie industries saw with the various format transitions (tape to CD to online, VHS/DVD/Blu-ray/online). Those were enormously lucrative since they could simply take existing IP and repackage it and sell it all over again, repeatedly. Their golden vision for DRM was payments not just for formats but everything. A different fee to play in each car, in each player, per units of time, every new bit of hardware, etc. Fundamentally DRM represents arbitrary control beyond the bounds of law, and that control can be used for a lot more than merely preventing infringement. Fortunately this vision was at least partially thwarted, but it'll be an eternal battle as lots of money will always be on the table here.

    The third, most arguably legitimate use is an extremely time-limited-then-eliminated application for the kinds of major entertainment IPs that experience extreme reverse J-curve demand patterns. I.e., a majority of total lifetime demand may come in the first few days/weeks/months before exponential falloff and a move into low long tail territory. This can simultaneously represent the time when costs are highest too, due to factors like simultaneous online resource demands and (in the case of video games) ongoing development work/support engagement. For movies and video games your numbers (10 vs 1000) are backwards or worse, an enormous number of people will pirate if it's convenient enough. But these are very low effort, casual pirates, not dedicated ones, and they also are time pressured. They aren't fundamentally unwilling to pay for whatever it is either if they have to because they want it right then to be part of the cultural zeitgeist and experience the social networking at its peak period.

    In this last situation, limited time DRM can be a practical choice in some cases. If it's cheap enough it only needs to last a month or two, or even just a few weeks, to generate significant economic return. Then it can be completely removed for the long tail as the entertainment IP gets into sale territory, which may bring in some more people who care and eliminate ongoing support costs as well as ensuring that all existing owners will not experience problems as the publisher attention winds down.

    Of course, getting rid of it there promptly is key and something that publishers too often ignore (or they're actually looking towards #2, and hoping to monetize it in other ways with the aid of ongoing control). In principle though this is relatively innocuous, since the biggest practical problem with DRM is in the longer term. If for example it was mandated by law that all DRM had to be removed within 6-12 months of an IP launch it wouldn't be ideal and there'd still be moral concerns and arguments but it might be a practical compromise too given the realities of human psychology.

    • baud147258 8 years ago

      Regarding the end of your post, you apparently make the point that, for a game, if a DRM is not cracked just after the release (let's say 1 to 2 months), the sales of those would be higher than the sales of games which are available at release?

      The problem is that the recent examples of games not being cracked on release (like the latest Tomb Raider) does not fit with your reasoning, since they did not have sales number above the norm.

buserror 8 years ago

In my younger days of making shareware, my way to find pirates was a lot easier... If the serial had been stolen, I would crash the app after a few hours of use, randomly, with a generic message but a very, very specific error code.

Then I'd wait for the support emails to come in with people complaining about that crash/error...

Typical how the pirate support requests were always the most rude and impolite :-)

  • dawnerd 8 years ago

    EA did something similar with The Sims. Screen would slowly blur. You can’t beat pirates but you sure can have fun with them.

tutts 8 years ago

"How do we know that FSLabs don’t use this, just because they say so?"

How do you know the main executable doesn't do the same thing? How is trusting them not to run this .exe different from trusting them not to secretly implement this functionality in the actual program?

  • yjftsjthsd-h 8 years ago

    Well yeah. The appropriate reaction here is to assume that the company is shipping malware in the product regardless of what particular format.

    • tutts 8 years ago

      Sure, but what of significance has changed? Every time you run a program, you're trusting the developer not to do nefarious things like reading your Chrome credentials, because the only assurance you have is the developer's word about what the program does. As far as I can tell, that hasn't changed at all. I'm not saying this is okay - there are reasons why this is a bad thing to do, I just don't see how no longer being able to trust the developer not to be malicious is one of them.

      • yjftsjthsd-h 8 years ago

        There is a difference between "developer could hypothetically do bad stuff" and "developer has been caught doing bad stuff"

  • coldacid 8 years ago

    Once they ship malware in any one form, anything else from a developer is eternally suspect. Even if they don't do something like this in their apps' main executables _now_ doesn't mean they won't in the future.

    Once a company pulls shit like this, they are dead to me, and they should be dead to everyone else as well.

milesdyson_phd 8 years ago

Oh shit, I literally just bought one of their products for P3D...

Edit: FSLabs_A320X_P3D_v2.0.1.215.exe also has it present

  • maze-le 8 years ago

    Hey, thanks for the info. I was just thinking about buying the A320 for FSX the other day. I will refrain from installing any software from "Flight Sim Labs" in the future; it's kind of troubling to see this development. I mean it is clear that you do not run just any old software you found in some shady corner of the internet, but this is a big vendor, with lots of sales, a certain name and a community. How the hell can this happen?

sibbl 8 years ago

Please don't see Fiddler as a Wireshark replacement. If Fiddler doesn't show a network request, the tool might simply not use the Fiddler proxy...

originalsimba 8 years ago

What they've done is a crime.

Trying to fight piracy by using evil and criminal methods is the wrong approach. There's an old saying "Two wrongs don't make a right".

45h34jh53k4j 8 years ago

Unfortunately, the moment a company has distributed malware intentionally, they are totally written off. They will never be trustworthy to distribute software again.

Never touch any program this company has released, there is a high risk of malware.

  • 45h34jh53k4j 8 years ago

    Lefteris Kalamaras is not to be trusted. His organisation knowingly distributed malware in a legitimate software installer provided by his company.

GCU-Empiricist 8 years ago

I wonder what their legal department told them about this idea. I can't imagine any well briefed copyright lawyer concurring with this.

  • filesystem 8 years ago

    My thoughts exactly. This is so unbelievably bone-headed.

    I want to believe that this was slipped in by a small rogue group within FSL, and that it's not something everyone approved of...

    • fyfy18 8 years ago

      LinkedIn only has 3 people who are listed as working at this company [0], so I'd assume it's a small indie shop without a legal department.

      [0] https://www.linkedin.com/search/results/index/?keywords=Flig....

      • GCU-Empiricist 8 years ago

        It still baffles me. You can't stay even moderately up to date on technology news, without knowing that initiating a security breach, even on someone who has stolen your product, will still be criminal.

        • ikeboy 8 years ago

          Just have the user agreement state that if you pirate it, you allow them to exfiltrate all data on your system.

          • jnbiche 8 years ago

            Yeah, not sure if you're being sarcastic, but if not: the law doesn't work like that. You can't annul a criminal statute simply by including a clause in your EULA.

            • ikeboy 8 years ago

              If someone signs a contract allowing you to do something you're generally allowed to do the thing, with exceptions.

              Dropbox uploads data from your computer on to their servers, which would be illegal had you not agreed to that as part of signing up and installing the software.

              • maze-le 8 years ago

                The difference is that Dropbox is only allowed to access those files I tell it to. If the Dropbox client would start crawling my filesystem for 'password.txt' or 'banking-tan.list' this would be illegal, no matter what clause is written in the EULA.

                • ikeboy 8 years ago

                  On what basis are you differentiating between agreeing to something that allows them to access your stuff, and "telling it" to access them?

              • jnbiche 8 years ago

                So you're suggesting that the FlightSim EULA laid out exactly what the installer was doing, and asked permission to exfiltrate your passwords if the registration key didn't match? I very much doubt that, and I'm skeptical it would be legal even if so.

                It's unquestionably illegal to do it on the down-low, like FlightSim has done. It's malware, nothing less, nothing more.

                • ikeboy 8 years ago

                  >So you're suggesting that the FlightSim EULA laid out exactly what the installer was doing, and asked permission to exfiltrate your passwords if the registration key didn't match?

                  No, I'm suggesting they should add a clause saying that they have the right to access and upload anything on your computer if it's being pirated.

                  I never said anything about the current EULA and haven't looked at it.

kseifried 8 years ago

This now has the identifier: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7259

exabrial 8 years ago

The passwords aren't protected somehow from copying?

  • ryanlol 8 years ago

    On Windows they are protected with DPAPI, so you won't be able to decrypt them without having access to the user account that "owns" the passwords.

    Of course, this helps you very little when the malware is running under your user account and uses DPAPI calls to decrypt the passwords.

    https://msdn.microsoft.com/en-us/library/ms995355.aspx

  • lima 8 years ago

    Not on Windows, but on Linux it's encrypted with your account password (it uses the Gnome Keyring/KDE Wallet APIs).

    But none of that is going to help against an attacker with the same permissions.

    • Someone1234 8 years ago

      If that's the case that's a choice Google made. Windows via the CryptProtectData API[0] allows you to protect data via the user's session just like the Gnome Keyring/KDE Wallet.

      But as you pointed out, another process with the same privileges can decrypt it making it pretty pointless in both cases. Only way to securely do it is to prompt the user for a decryption key each time they open the browser which has usability issues but Firefox offers it via the Master Password functionality.

      [0] https://msdn.microsoft.com/en-us/library/windows/desktop/aa3...

      • exabrial 8 years ago

        So Windows doesn't have an equivalent of OSX Keychain, where an item can have a per-application ACL? [or I have misunderstood the OSX Keychain]

        • HHad3 8 years ago

          Correct, Windows does not have per-application identities that could be used with a keychain service. Furthermore, every application in your Windows session (unless sandboxed) has access to virtual memory of other applications in the same session.

          On macOS, applications address spaces are isolated and code signing certificates are used for identifying application requests to the keychain.

    • bubblethink 8 years ago

      selinux can help in some of these situations (not saying it will necessarily in this case). Generally speaking, the browser context is not allowed to read user private data like ssh keys. However, since the browser context in this case needs to read passwords, it doesn't apply 1:1. You probably need a different context from the general browser context that can read password data.

  • yjftsjthsd-h 8 years ago

    Not usually, though perhaps if you've added a master password? It's the same reason why if you install a new browser it generally allows you to import bookmarks, passwords, and probably other stuff from an old browser.
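The point ryanlol and Someone1234 make above about DPAPI can be checked directly. The following is an added example, not code from the thread or from the FlightSimLabs installer: it protects a constructed sample secret with CryptProtectData at CurrentUser scope (what PowerShell exposes as System.Security.Cryptography.ProtectedData), then has a second, unrelated process running under the same Windows account unprotect it. It assumes Windows and PowerShell 5.1 or later; the sample secret and the choice of no optional entropy are assumptions standing in for a browser password store that relies on user scope alone.

```powershell
# Added example, not part of the thread or of any vendor's code.
# Shows that DPAPI CurrentUser protection binds a blob to the Windows user
# account, not to the program that created it. Requires Windows; in Windows
# PowerShell 5.1 the type lives in System.Security.dll, loaded below.
Add-Type -AssemblyName System.Security

$Scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-Secret {
    param([string]$PlainText)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    # Second argument is optional entropy. $null mirrors a store that relies
    # on user scope alone (assumption; the situation the thread describes).
    [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $Scope)
}

function Unprotect-Secret {
    param([byte[]]$Blob)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $null, $Scope)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample secret standing in for a saved browser password.
$blob = Protect-Secret -PlainText 'correct horse battery staple'

# Same process, same user: decrypts with no prompt.
"Same process:     " + (Unprotect-Secret -Blob $blob)

# Different process, same user: also decrypts. Nothing in the DPAPI call
# identifies the caller, which is the gap the installer exploited.
$b64 = [Convert]::ToBase64String($blob)
$cmd = "Add-Type -AssemblyName System.Security; " +
       "[System.Text.Encoding]::UTF8.GetString(" +
       "[System.Security.Cryptography.ProtectedData]::Unprotect(" +
       "[Convert]::FromBase64String('$b64'), `$null, 'CurrentUser'))"
$fromOther = & powershell.exe -NoProfile -NonInteractive -Command $cmd
"Separate process: $fromOther"

# Contrast: the same blob is useless to another account. Running the
# Unprotect call as a different user (for example via runas) throws
# System.Security.Cryptography.CryptographicException.
```

Both lines print the sample secret. The first is the behaviour a password manager relies on; the second is the behaviour that makes a same-user process, installer or otherwise, able to read it. This is also why the macOS Keychain comparison in the thread matters: per-application ACLs add a check on the caller's identity that DPAPI does not perform.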

stevemk14ebr 8 years ago

Someone sue them please
