FlightSimLabs Alleged Malware Analysis

UPDATE: Two updates can be found at the bottom of this article revealing the findings from Fidus InfoSec and FSLabs’ response to the situation.

On Sunday 18th February 2018, a Reddit post appeared claiming that the FSLabs A320 installer included a Google Chrome password extraction tool.

This came as a concern to paying FlightSimLabs customers, wondering whether or not these allegations were true.

‘crankyrecursion’ made the discovery that a file called ‘test.exe’ is extracted onto the end user’s computer upon running the FSLabs A320 installation .exe. Running this file automatically locates the Chrome login data file and dumps the stored usernames and passwords to a console window:

Photo credit to crankyrecursion

I extracted the installer myself and can confirm that the test.exe file is located in a temporary folder ({tmp}) when extracted with the innounp extraction tool.

Okay, so FSLabs have my Chrome passwords now? Not exactly. According to Lefteris Kalamaras, this file is not executed provided that you are a paying customer, hinting that this is an anti-piracy measure.

What’s the problem?
The problem lies with the fact that ‘test.exe’, malware, is extracted and placed onto the end user’s system without their consent. The file is without doubt classified as malware, as its purpose is malicious: to gather all usernames and passwords stored within Google Chrome.

But this only affects pirates, right?
This isn’t my point. The point is that a piece of malware is placed onto a system without the user being aware of it, after they have paid $150+ for the privilege. How do we know that FSLabs don’t use it, other than because they say so? Oh, they also ask you to kindly turn off your anti-virus before installing. I wonder why. This is a violation of software ethics, and more than likely illegal. If I could be bothered I would do the legal research, but that’s also not my point.

To recap, malware is being placed onto a user’s system during the extraction phase after the execution of the installer .exe. This is my problem.

Lefteris’ statement can be found here.

What is it that annoyed me so much about FSLabs’ response?

“1) First of all — there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products. We all realize that you put a lot of trust in our products and this would be contrary to what we believe.”

First of all, there is a tool to reveal sensitive information (website credentials are classed as personal data) of customers who legitimately purchased FSLabs’ products, as the file that does this is placed onto the end user’s system at the point of execution (I’m repeating myself, aren’t I? You need to understand this point). This is an outright lie. Okay, maybe it isn’t used, but it is still there to be exploited.

“2) There is a specific method used against specific serial numbers that have been identified as pirate copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites.”

Piracy is wrong, yes. But is collecting pirates’ usernames and passwords through the use of malware really going to be admissible in court? I strongly doubt it.

“‘Test.exe’ is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally.”

I do not care who it is targeted against. The file is on MY system before I even enter my serial key. The simple act of malware being there is not okay.
How do we know that none of the FSLabs AOC services use the .exe and package its output off elsewhere? Running the file in Fiddler showed that no network connections were made, which is nice. At this moment in time I’m unable to test whether any malicious connections occur with the FSLabs software, but at this stage, with it claimed to be an anti-piracy measure, I doubt it.

“This method has already successfully provided information that we’re going to use in our ongoing legal battles against such criminals.”

Really? I hope whoever it is has a good lawyer. Fighting fire with fire is not necessarily the best way to go about it, as it jeopardises the integrity of your own company and the support of paying customers, but I can see how there is the anger there to pursue pirates.

“We will be happy to provide further information to ensure that no customer feels threatened by our security measures — we assure you that there is nothing in our products that would ever damage the trust you have placed in our company by being our customer.”

I would urge FSLabs to take a look at the test.exe file and ask themselves: is this okay to put onto the systems of all our customers? Placing malware whilst asking them to turn off their anti-virus software, and hoping they believe we’re legitimate? I believe any self-respecting developer would agree with me that this act is wholly unacceptable. All I ask is for FSLabs to rethink their anti-piracy strategy and remove the step of malware being placed onto customers’ systems. Nothing more, nothing less. Do I expect FSLabs to listen? No, but I hope this gives people an insight into the issues surrounding this, and accepting malware on your computer just because somebody says ‘Trust me’ is not okay.


UPDATE 19/02/2018 1200z

The latest announcement states that a new installer has been released without the test.exe file. I am not sure what other action could have been taken by FSLabs, so this is good news. I do enjoy their products, and I am satisfied by this response, but it is important to note that this method of tackling piracy is not the correct way to do it. As long as this lesson has been learned, then I have nothing more to add and will continue to use FSLabs’ products, on the basis that this kind of behaviour is never repeated. Some people would argue that they will never use FSLabs again and have lost trust as a result of this scenario.


UPDATE 19/02/2018 2100z

Fidus InfoSec were able to conduct a technical analysis and revealed that a 55MB .bin file is used during the installation. A ‘strings’ search of it reveals that if a fraudulent/illegal serial key is used:

  • test.exe is invoked
  • The output (usernames and passwords) is dumped to a file called log.txt
  • The additional base64.exe in the tmp directory encodes the log.txt file
  • The encoded data is sent using HTTP to a LogHandler3.ashx endpoint

Fraudulent serial invocation. Photo credit to Fidus InfoSec

If a legitimate key is used:

  • test.exe is NOT invoked
  • Your usernames and passwords are not retrieved or processed by FSLabs

Legitimate serial flow. Photo credit to Fidus InfoSec
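The fraudulent-serial flow above ends with base64-encoded data being posted over HTTP to a LogHandler3.ashx endpoint. As an added example (not from the original article, and not code from Fidus InfoSec or FSLabs), the following Python scans proxy-style request log lines for that pattern, the kind of check a defender could run over a Fiddler export to confirm whether the exfiltration step ever fired; the log line format, hostnames and bodies are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample request log (method, URL, body) for this example only;
# hostnames and bodies are made up, not captured FSLabs traffic.
SAMPLE_LOG = [
    "POST http://updates.example.invalid/LogHandler3.ashx body=aGVsbG8=",
    "GET http://updates.example.invalid/version.txt body=",
    "POST http://updates.example.invalid/LogHandler3.ashx body=bm90IGJhc2U2NCE?",
    "POST http://cdn.example.invalid/telemetry.php body=dGVzdA==",
]

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) body=(?P<body>.*)$")


def looks_like_base64(text):
    """True if text is non-empty, well-formed base64 that decodes cleanly."""
    if not text or len(text) % 4:
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def classify(line):
    """Return (severity, reason, url) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, url, body = m.group("method", "url", "body")
    path = urlparse(url).path.lower()
    if method == "POST" and path.endswith("loghandler3.ashx") and looks_like_base64(body):
        # Matches the exfiltration step Fidus described: base64 log posted to LogHandler3.ashx
        return ("high", "base64 POST to LogHandler3.ashx endpoint", url)
    if method == "POST" and looks_like_base64(body):
        # Worth a look, but no link to the installer's known endpoint name
        return ("medium", "base64-encoded POST body", url)
    return None


def scan(lines):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


if __name__ == "__main__":
    for severity, reason, url in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}: {url}")
```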

Now, obviously there are legal issues with the placement of the file on customers’ systems and with the acquisition of pirates’ usernames and passwords; however, the primary concern, what the application does and how it is used, has been addressed and resolved at this stage.

UPDATE 19/02/2018 2211z

An actual thought-out response has been provided by FSLabs, explaining exactly how they used the tool and who it was executed against. This article was mostly written on a whim to express my thoughts, and somehow blew up.

MEDIA LINKS

Fidus InfoSec: Technical Analysis
National Security Database: CVE-2018-7259
TorrentFreak
Kotaku
PCMag
Tripwire
Bleeping Computer
Vice
PCGamer
Rock, Paper, Shotgun
ArsTechnica
Techspot