Flight Simulator expansion installed password-stealing malware as DRM

There have been some pretty heavy-handed DRM schemes cooked up over the years, but off the top of my head I can't think of any sketchier than the one built into FSLabs' A320-X expansion for Microsoft Flight Simulator X. As noted recently on Reddit, the installer includes a "Chrome Password Dump" tool that can be used to surreptitiously swipe usernames and passwords. It's the sort of thing that sounds like it has to be a mistake, but FSLabs founder Lefteris Kalamaras confirmed in the company's forums that it's meant to be there. 

Kalamaras denied that the software "indiscriminately" dumps Chrome passwords, saying that "there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products." He explained that it's actually being used to alert the company when the expansion is installed using serial numbers known to be pirated. 

"'Test.exe' is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally. That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product," he wrote. "The only reason why this file would be detected after the installation completes is only if it was used with a pirate serial number (not blacklisted numbers)." 

That assessment was largely confirmed in an analysis by cybersecurity firm Fidus Information Security. "Whilst a lot of information is provided, it does not include any references to the password dumping tool," it wrote. "We can conclude the password dumping tool (test.exe) is only called when a fraudulent serial is used." 

Nonetheless, Fidus pointed out a few "serious issues" involved in the scheme, including questions about the security of stored data, why the information is being sent over HTTP when it's only encoded with B64, and of course whether or not it's actually legal to do this in the first place. 

"The inclusion of a malware, in the form of a password dumper, in a trusted installer for the sake of combating piracy is absolute insanity," Andrew Mabbitt, founder of Fidus Information Security, told Motherboard. "When run, the program extracts all saved usernames and passwords from the Chrome browser and appears to send them to FSLabs. This is by far one of the most extreme, and bizarre, methods of Digital Rights Management (DRM) we've ever seen." 

Kalamaras said FSLabs would be happy to provide more information about the system to anyone who wants it, and added that it has already provided information that will be used in legal action against pirates. Nonetheless, the studio has now released an updated installer without the malware component, although Kalamaras insisted in a followup statement that there was nothing untoward about its presence. 

"While the majority of our customers understand that the fight against piracy is a difficult and ongoing battle that sometimes requires drastic measures, we realize that a few of you were uncomfortable with this particular method which might be considered to be a bit heavy handed on our part," he wrote. "It is for this reason we have uploaded an updated installer that does not include the DRM check file in question." 

The clean installer is available here.