A company embedded password-stealing malware into an installer as part of its digital rights management (DRM) efforts to combat software pirates.

On Sunday the 18th, Reddit user crankyrecursion spotted the malware hiding within Flight Sim Labs’ installer for its A320 flight simulator desktop software. A little digging on the user’s part revealed that the threat originates from an organization called SecurityXploded and functions as a Chrome password dumping tool. Concerned, he asked the Reddit community if someone could illuminate why a trusted installer contained the malware, perhaps out of concern that someone had compromised Flight Sim Labs’ installation processes.

After learning of the Reddit post, Flight Sim Labs chief Lefteris Kalamaras issued a statement in which he revealed that the company itself had added test.exe to its installer for a specific purpose:

…. There is a specific method used against specific serial numbers that have been identified as pirate copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites. …If such a specific serial number is used by a pirate (a person who has illegally obtained our software) and the installer verifies this against the pirate serial numbers stored in our server database, it takes specific measures to alert us. “Test.exe” is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally.

A follow-up statement by Kalamaras explains that Flight Sim Labs had incorporated the password dumping tool into its installer to target a specific group of crackers and pirates whom it had been attempting to stop for some time. The company learned a lot about those individuals through the utility, the statement admits. Flight Sim Labs intends to forward that information to legal authorities if it hasn’t already done so.

A screenshot of the file “test.exe”