You wouldn't download a plane. Or else...

Simcident Report: That Time FSLabs Shipped Actual Malware to Paying Customers

Welcome to Simcident Report, where we take a closer look at the people, events, and drama that shaped the flight sim hobby.

This is the story of how a well-regarded developer of add-on aircraft sullied their reputation with the brilliant idea to ship malware with their product in the name of tracking down pirates. How did this happen? Let’s begin by taking a brief look at the world of flight sim add-ons.

A Brief History of Flight Sim Add-Ons

In the early 1980s, flight simulators came to home PC users with the release of Sublogic’s Flight Simulator, the game that would later become the basis for the popular Microsoft Flight Simulator series. By the mid-90s, thanks to scenery and aircraft design tools included with the game, a cottage industry of add-on developers sprang up to provide all kinds of modifications to the base Flight Simulator. Microsoft supported these add-on developers with updated tools and even advised flight sim users to look for high-quality “payware” add-ons for the game to improve their experience.

Today, the major flight simulators on the market, such as X-Plane, P3D, and Microsoft Flight Simulator (2020), all feature a wide array of both freeware and payware add-ons to choose from, often with entire studios and teams of developers supporting them. For many, sticking to freeware is good enough. For others though, payware is seen as offering a higher level of experience well worth the price of admission.

It’s not uncommon for serious flight sim fans to sink hundreds if not thousands of dollars into add-ons to improve their sim experience. The high prices of payware add-ons are generally accepted within the flight sim community. After all, developing a high-quality add-on takes hundreds of man hours and ultimately the end product is an extremely niche one.

However, not everyone is happy to pay upwards of $100 for a single virtual aircraft, which is why piracy of flight sim payware add-ons remains a big problem for developers. So, over the years, these developers have come up with some… let’s say “creative” solutions to the problem of piracy.

Controversy – Now Boarding

In February of 2018, fans of the Airbus A320X flocked to download the latest release of the plane from FSLabs, a well-regarded developer of payware add-ons for the flight sim P3D. However, in a since-deleted post, one Reddit user noticed something strange about the nearly $100 plane. The poster noted that the installer for FSLabs A320X included a file called “test.exe” that kept triggering alerts on his anti-virus software. The official word from FSLabs was vague and simply instructed users to temporarily disable their anti-virus during installation as the warning was a false positive.

But the poster kept digging. He found that test.exe was a program called “Chrome Password Dump” from a company named SecurityXploded, which is advertised as a tool for security researchers and penetration testers. The program would dump a user’s auto-fill usernames and passwords from Google Chrome to a text file. It was subsequently found that the FSLabs installer would take this file, save it as a log file, encode it, and send it completely unencrypted to FSLabs’ servers.

Naturally, users expressed concern that FSLabs was stealing user password information or perhaps had been compromised itself. The thread gained significant traction and eventually prompted a response from FSLabs founder and lead Lefteris Kalamaras.

Hello all,

We were made aware there is a reddit thread started tonight regarding our latest installer and how a tool is included in it, that indiscriminately dumps Chrome passwords. That is not correct information – in fact, the reddit thread was posted by a person who is not our customer and has somehow obtained our installer without purchasing.

I’d like to shed some light on what is actually going on.

  1. First of all – there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products. We all realize that you put a lot of trust in our products and this would be contrary to what we believe.
  2. There is a specific method used against specific serial numbers that have been identified as pirate copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites.
  3. If such a specific serial number is used by a pirate (a person who has illegally obtained our software) and the installer verifies this against the pirate serial numbers stored in our server database, it takes specific measures to alert us. “Test.exe” is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally. That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product. The only reason why this file would be detected after the installation completes is only if it was used with a pirate serial number (not blacklisted numbers).

This method has already successfully provided information that we’re going to use in our ongoing legal battles against such criminals.

We will be happy to provide further information to ensure that no customer feels threatened by our security measures – we assure you that there is nothing in our products that would ever damage the trust you have placed in our company by being our customer.

Kind regards, Lefteris

FSLabs’ official response only served to fan the flames of the angry Reddit users and owners of the A320X. Not only was the inclusion of malware intentional, but somehow it was supposed to stop piracy? Commenters rightfully pointed out that, regardless of the intentions when this executable was included in the installer, they had knowingly distributed malware, active or not, to paying customers, which is completely illegal in pretty much every jurisdiction. Things only got worse when FSLabs admitted that they had included this program in every copy of the installer with the intention of identifying one particular pirate.


Expected Turbulence

Reddit posts and comments flooded gaming and flight sim subreddits calling FSLabs out for their shady practices. Distributing malware to all of your customers in the hopes of catching one pirate seemed akin to randomly firing a gun into a room and hoping you hit your target. Even after assurances from FSLabs that the “DRM” would only target pirates, people were rightfully concerned that some mistake or bug could lead to the tool activating accidentally or even that someone could breach the server where FSLabs was keeping the stolen passwords.

Threads and comments popped up highlighting the history of shady behaviour from FSLabs and Kalamaras.


Incredibly, this wasn’t even the first time Kalamaras had been accused of including malware in a flight sim add-on. In 2014, while working on the PMDG McDonnell-Douglas MD-11, Kalamaras allegedly included code in the update tool that would delete a user’s flight sim install if it detected a pirated copy of the plane. In this instance, users of the AVSIM forum reacted with ridicule against OP, saying he shouldn’t have pirated the plane and had gotten what he deserved. However, other users reported that the MD-11 had corrupted their installation despite owning legitimate copies of the plane.

Other commentators pointed out that, ironically for a company so concerned about piracy, FSLabs had been accused of lifting parts of its A320 cockpit from a different plane by developer Aerosoft.

At least one user claimed to have had their banking info stolen following buying the FSLabs A320X, though there is no direct evidence this is related.

The backlash against FSLabs was growing and the story started to gain some attention from more mainstream gaming outlets such as PC World and Kotaku. FSLabs responded by releasing an updated malware-free installer and offering refunds. In an official statement, no apology was offered and no wrongdoing was admitted.

While the majority of our customers understand that the fight against piracy is a difficult and ongoing battle that sometimes requires drastic measures, we realize that a few of you were uncomfortable with this particular method which might be considered to be a bit heavy handed on our part. It is for this reason we have uploaded an updated installer that does not include the DRM check file in question.

After some additional backlash, FSLabs would eventually issue a real apology, but not all of their fans were happy. There were grumblings of lawsuits against FSLabs, but nothing came of any of these efforts. In spite of FSLabs clearly being in violation of the law, they faced no legal action of any kind.

It happened AGAIN?

After a while, the story died down. Then in June, another Reddit post titled “cmdhost.exe, what is it?” appeared. It seemed FSLabs was at it again. Users reported that the FSLabs installer left a file called cmdhost.exe in their Windows system directories.

Why would FSLabs need to install system-level files? Once again, users on the FSLabs forums began reporting issues with their flight sim startup being stopped by anti-virus software. One user reached out to his anti-virus vendor, Hitman Pro, which confirmed that FSLabs’ cmdhost.exe was using a technique called process hollowing, where basically one program is started, frozen mid-execution, and then replaced in memory by a second program. It’s a technique often used by malware to hide from users while pretending to be a legitimate program.
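For defenders, the pattern described above (an installer drops an executable into the system directory, that executable starts a process, and the process image is then replaced) can be correlated from endpoint telemetry. The following is an added example, not part of the original article and not code from FSLabs or Hitman Pro; it assumes Sysmon-style events (IDs 11, 1 and 25), and every path, GUID and process name other than cmdhost.exe is a constructed placeholder.

```python
# Added example. Events mimic Sysmon IDs 11 (FileCreate), 1 (ProcessCreate)
# and 25 (ProcessTampering); every value below is constructed for illustration.
SYSTEM_DIR = "c:\\windows\\system32\\"
# Illustrative allow-list of OS components expected to write there (assumption).
OS_SERVICING = {"c:\\windows\\servicing\\trustedinstaller.exe"}

EVENTS = [
    {"id": 11, "Image": r"C:\Users\pilot\Downloads\addon_setup.exe",
     "TargetFilename": r"C:\Windows\System32\cmdhost.exe"},
    {"id": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\os_component.exe"},
    {"id": 1, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\host_placeholder.exe",
     "ParentImage": r"C:\Windows\System32\cmdhost.exe"},
    {"id": 1, "ProcessGuid": "{B}", "Image": r"C:\Program Files\Browser\browser.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Tamper events with no suspicious lineage occur in practice; not flagged.
    {"id": 25, "ProcessGuid": "{B}", "Image": r"C:\Program Files\Browser\browser.exe",
     "Type": "Image is replaced"},
    {"id": 25, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\host_placeholder.exe",
     "Type": "Image is replaced"},
]

def find_hollowing_chains(events):
    """Correlate drop -> launch -> image replacement; events are in time order."""
    dropped = set()   # EXEs written to the system directory by non-OS processes
    children = {}     # ProcessGuid -> (parent image, child image)
    findings = []
    for ev in events:
        if ev["id"] == 11:
            target = ev["TargetFilename"].lower()
            if (target.startswith(SYSTEM_DIR) and target.endswith(".exe")
                    and ev["Image"].lower() not in OS_SERVICING):
                dropped.add(target)
        elif ev["id"] == 1 and ev["ParentImage"].lower() in dropped:
            children[ev["ProcessGuid"]] = (ev["ParentImage"], ev["Image"])
        elif (ev["id"] == 25 and ev["Type"] == "Image is replaced"
                and ev["ProcessGuid"] in children):
            parent, child = children[ev["ProcessGuid"]]
            findings.append({"dropped_exe": parent, "hollowed_process": child})
    return findings

if __name__ == "__main__":
    for hit in find_hollowing_chains(EVENTS):
        print(hit)
```

Requiring the full chain rather than the tamper event alone is what keeps the constructed browser event out of the findings.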

FSLabs was quick to explain that the process was part of their e-commerce partner’s activation system. Again, more DRM. This time there wasn’t an obvious sign of the process being malware, but for users who had already been burned once by FSLabs, this second incident was the final straw. While it was easy enough for FSLabs to silence criticism on their own forum, Reddit was another matter. So they did what any logical internet-minded company caught engaging in shady behaviour would do…


Double down and threaten legal action against your user base!

Send in The Lawyers

Shortly after the newest allegations of malware began to roll in, the moderators of r/flightsim posted “An open letter to Flight Sim Labs.” In this letter, they posted emails from FSLabs in which the FSLabs PR manager “gently reminded” the mod team that Reddit had a legal obligation to remove libelous comments defaming FSLabs, and that if the mods didn’t comply with FSLabs’ demands they would be forced to send in lawyers.

The response from the mod team called out FSLabs for saying they “welcomed robust and fair comment and opinion” while engaging in censorship in their own forum and on Reddit. They also highlighted that legally there was nothing that FSLabs could do as the user statements did not constitute libel under the laws of the United States where Reddit was based nor the UK where FSLabs was based. Finally, they accused FSLabs of engaging in vote manipulation and astroturfing.

Not content with going after just Reddit, FSLabs had apparently also reached out to flight sim news site FSElite. In a statement posted by FSElite, they outlined that FSLabs had reached out to them and demanded that they remove comments on their article on the FSLabs controversy that they deemed libellous. When FSElite refused to censor their users, FSLabs demanded that FSElite hand over the personal information of the users who had left the comments so that they themselves could inform the users of their dubious legal liability. FSElite refused this request, as well as a request by the developer to join them in their battle against Reddit. Subsequently, FSElite blacklisted FSLabs from their reviews and editorials until such a time that they could earn the trust of the community back. 

Once again, after mainstream sites such as Ars Technica picked up the story, FSLabs was forced to back down with Kalamaras stating that they had never intended to launch legal action against the Reddit mods and supported free speech and discussion of their products. FSLabs’s PR manager once again issued an apology.

The Trust of The Community

In the end, despite all of the threats, media coverage, and angry emails and Reddit posts, nobody was sued and nobody was charged with any crimes.

But FSLabs’ reputation has never fully recovered. Nearly every thread on r/flightsim that mentions FSLabs has some reference or joke related to malware, and new players are continually warned about the shady history of the company.

On the other hand though… even throughout the whole scandal, nobody could deny the quality of FSLabs add-ons, and many still hold the developer in high regard for producing high-quality products… you just need to look past their history…

Does anyone remember back in 2015 when Valve and Bethesda sparked an internet firestorm by adding paid mods to Skyrim’s Steam Workshop? How people argued there’d be limited accountability, things would be overpriced, piracy would be a problem, and there was no guarantee developers would support their mods?

Yea. Flight simulator fans have been dealing with that for about 30 years.
