Company that makes "Add-Ons" for flight simulators injects malware into its users

Joined
4 March 2005
Messages
7,780
OK, the title is meant to grab attention, but if you look at the matter in detail you could say that this is exactly what is happening, even though they deny it.

The company in question is Flight Simulation Labs (FSL), which develops add-ons you can buy for flight simulators. It turns out that their software came bundled with a kind of "DRM" (their words) that is capable of grabbing the passwords saved in Chrome and sending them to the company. Someone noticed it, opened a thread on Reddit, and the whole thing blew up. The company has defended itself by saying the measures are only triggered when the software detects a serial number they have already identified as pirated, which has already allowed them to "obtain information that will be used in legal battles against those criminals" (the people running the pirated software). In other words, they did not deny that the software exists or claim to be unaware of what it does.

The thing is that the software (which is flagged as malware by roughly 50% of antivirus engines, according to VirusTotal) gets installed on every user's machine, pirate or not, without their consent. And now we are supposed to "trust" this same company that it "will only be used against pirates". On the other hand, according to several posts on Reddit and elsewhere (the story has already spread), evidence obtained this way would most likely not be admissible in court, so it does not look very effective from that angle either.

The company has tried to put out the fire by issuing public statements and, most recently, by updating the software so that it ships "clean", without the notorious DRM. But their future looks dark.

I am attaching the statements and a post from one user, but there is more information in the links:

First statement:
1) First of all – there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products. We all realize that you put a lot of trust in our products and this would be contrary to what we believe.

2) There is a specific method used against specific serial numbers that have been identified as pirate copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites.

3) If such a specific serial number is used by a pirate (a person who has illegally obtained our software) and the installer verifies this against the pirate serial numbers stored in our server database, it takes specific measures to alert us. “Test.exe” is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally. That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product. The only reason why this file would be detected after the installation completes is only if it was used with a pirate serial number (not blacklisted numbers).

Second statement:

Hello all,

I would like to further address some of the controversy that has taken place this evening.

I want to reiterate and reaffirm that we as a company and as flight simmers would never do anything to knowingly violate the trust that you have placed in us by not only buying our products but supporting them and FlightSimLabs.

While the majority of our customers understand that the fight against piracy is a difficult and ongoing battle that sometimes requires drastic measures, we realize that a few of you were uncomfortable with this particular method which might be considered to be a bit heavy handed on our part. It is for this reason we have uploaded an updated installer that does not include the DRM check file in question.

I want to thank you all for voicing your concerns in a considerate manner on our forums and elsewhere. We do listen to our customers because without you, there would be no FlightSimLabs.


A post from one user:
I work in InfoSec for a large company as a Security Architect, and I am involved with Incident Response.

First, this is illegal in many countries and states. They cannot distribute malware knowingly.

Second, for the misguided who are buying the line that it is only pirated serial numbers that are affected. Every system that downloaded and ran the file should now be considered compromised. At my company, if this was done, those systems would be isolated, investigated and reimaged.

Nobody can guarantee how the malware behaves that they installed. It very well could have left a ghost somewhere or when it is used could send the data via means the company could not detect. I seriously doubt they would look at DNS exfil or even know what it is.

There is also the possibility some developer of another program dropped malware and stole your license number and now your copy is blacklisted.

The data they exfiled is PII and there are lots of issues with taking it off a system. Was it transmitted in the clear? How are they storing the stolen data they pulled? What if they are compromised? How are they using the data? Have they shared the data? If so, how did they transmit the data and how is it stored?

There are legal issues as well. They acknowledged they stole PII from users. This is illegal. Any data obtained through those methods is also not admissible in court. They are also open to being fined by, at the very least, the EU and the UK.

For those legitimate users who say they have nothing to hide or worry about. You should be extremely worried. This company has done something very unethical and illegal. When they were caught doing it, they denied it initially, then they said they did it to fight piracy and, Oh, trust them, they don't execute it on legitimate customers. The issue with that is they already ruined that trust by putting malware on your system. You cannot trust this company when they say they do not run test.exe on legitimate copies.

If you have had this installer executed on your system, it is my professional opinion you should reimage your system and change any passwords stored in Chrome. Also, use a password manager and do not store passwords in Chrome.

Edit: More on the company trust. Keep in mind what they did is very unethical and illegal. In the coming weeks, they will be doing and saying anything to save their company. They are going to be assailed on multiple fronts with various agencies, Attorneys General, countries, and individuals investigating, prosecuting, and/or litigating.

Edit2: This has blown up, as it should, but if you read the posts on the forums for FSL that they did not delete, the lack of awareness is absurd. Also, the data was exfiled with unencrypted transmission and the data was not encrypted either. To make matters worse, the target server is not behind a firewall and has RDP open to the world.


Links:
https://www.fidusinfosec.com/fslabs-flight-simulation-labs-dropping-malware-to-combat-piracy/
http://www.guru3d.com/news-story/flightsimlabs-injected-viral-like-drm-into-its-distribution.html
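The Reddit post above ends with the practical advice to change every password saved in Chrome. The first thing a responder needs for that is a list of which accounts are actually stored. The script below is an added example, not code from the original post, from FSLabs, or from the linked write-ups: it reads a Chrome "Login Data" SQLite file read-only, lists the origin hosts and usernames of saved credentials (skipping the "never save for this site" markers, which carry no password), and converts Chrome's timestamps, which are microseconds since 1601-01-01, into readable dates. It never decrypts `password_value`; the point is a rotation checklist, not a password dump. The `build_sample_db` helper creates a constructed database with a reduced `logins` schema (real Chrome files have many more columns) and invented rows, so the example runs offline; on a real system you would point `inventory_logins` at a copy of the profile's `Login Data` file instead.

```python
"""Inventory the credentials a Chrome profile has saved, as a rotation checklist.

Added example (not from FSLabs or the linked write-ups). Reads Chrome's
"Login Data" SQLite file read-only and lists host + username per saved login.
The password_value column stays encrypted and untouched.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from urllib.parse import urlsplit

# Chrome/WebKit timestamps: microseconds since 1601-01-01 00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1)


def webkit_to_datetime(micros):
    """Convert a Chrome timestamp to a naive UTC datetime; 0/None means 'unset'."""
    if not micros:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=micros)


def inventory_logins(db_path):
    """Return one dict per saved credential: host, username, created, last_used.

    Rows with blacklisted_by_user = 1 are "never save for this site" markers
    and hold no password, so they are excluded from the checklist.
    """
    # Open through a read-only URI so the evidence copy cannot be modified.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(
            "SELECT origin_url, username_value, date_created, date_last_used "
            "FROM logins WHERE blacklisted_by_user = 0 "
            "ORDER BY origin_url, username_value"
        ).fetchall()
    finally:
        conn.close()
    entries = []
    for origin, user, created, last_used in rows:
        host = urlsplit(origin).hostname or origin
        entries.append({
            "host": host,
            "username": user,
            "created": webkit_to_datetime(created),
            "last_used": webkit_to_datetime(last_used),
        })
    return entries


def hosts_to_rotate(db_path):
    """Distinct hosts with at least one saved credential, sorted."""
    return sorted({e["host"] for e in inventory_logins(db_path)})


def build_sample_db(path):
    """Create a CONSTRUCTED 'Login Data' file with a reduced logins schema.

    Only the columns this script reads are reproduced; the rows are invented.
    """
    conn = sqlite3.connect(path)
    with conn:
        conn.execute(
            "CREATE TABLE logins ("
            "origin_url TEXT NOT NULL, username_value TEXT, "
            "password_value BLOB, date_created INTEGER NOT NULL, "
            "date_last_used INTEGER NOT NULL DEFAULT 0, "
            "blacklisted_by_user INTEGER NOT NULL DEFAULT 0)"
        )
        conn.executemany(
            "INSERT INTO logins VALUES (?, ?, ?, ?, ?, ?)",
            [
                # origin_url, username, encrypted blob, created, last_used, blacklisted
                ("https://forums.example.net/login", "simmer42",
                 b"v10\x00encrypted", 13160000000000000, 13163000000000000, 0),
                ("https://bank.example.com/", "j.doe",
                 b"v10\x00encrypted", 13150000000000000, 0, 0),
                ("https://bank.example.com/", "j.doe.work",
                 b"v10\x00encrypted", 13155000000000000, 0, 0),
                # "Never save" marker: no password stored, must not be listed.
                ("https://ignored.example.org/", "", b"", 13100000000000000, 0, 1),
            ],
        )
    conn.close()
    return path


def demo():
    """Build the constructed sample database, inventory it, clean up."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    build_sample_db(path)
    try:
        return inventory_logins(path), hosts_to_rotate(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    entries, hosts = demo()
    for e in entries:
        print("{host:24s} {username:12s} saved {created:%Y-%m-%d}".format(**e))
    print("rotate passwords on:", ", ".join(hosts))
```

Run it against a copy of the profile's `Login Data` file, never the live one: Chrome keeps the database locked while it runs, and working from a copy keeps the original intact if the machine is going to be investigated before it is reimaged.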
 

Pepo

Gold Member
Joined
27 October 2009
Messages
2,128
Sure, by cleaning up the program and shipping it without the malware they think they are going to get away clean.

The damage is already done; totally unethical and illegal. On top of that, from what I read, they say the data is sent unencrypted, the destination server is not protected by a firewall, and it has remote desktop open to anyone.
 