
Malware in installer?


Jon Skiffington


Florian Niklas
1 minute ago, NilsUnger said:

Yes, thanks to you now. But I am not quite getting it... What passwords?

According to the reddit post the "test.exe" file will dump your passwords from Google Chrome into a textfile or something. I checked it and my installation also contains that file (and of course my anti virus software instantly removed it).

I can't think of a good explanation why FSLabs should include such a file in their installer (regardless of the fact that it's illegal) and I'm very curious about the explanation from them.

  • Like 2
Link to comment

Gents,

Before any false accusations are made, let's just wait until someone from the staff or @Lefteris Kalamaras makes a post explaining what is actually going on ;)

Edit: Love how people jump to conclusions before having all the information. How often have we seen Trump jump to conclusions and in the end things were not even close to what he stated them to be. 

My advice. Take it or leave it, it's up to everyone to make that decision. Go outside, get some fresh air and enjoy the day. And if you are in Europe like me, go and enjoy your warm bed :lol:

Edited by Lars Hajema
typo.. also some advice ;)
  • Like 1
Link to comment
Luca vom Bruch

The only valid explanation would be "the installer got compromised". 

Even a DRM story would be sketchy, because we cannot exclude that legit customer password output from that password extractor would be somehow remotely transmitted.

  • Like 1
Link to comment
3 minutes ago, Luca vom Bruch said:

The only valid explanation would be "the installer got compromised". 

Even a DRM story would be sketchy, because we cannot exclude that legit customer password output from that password extractor would be somehow remotely transmitted.

According to the Reddit post, it's been showing up in previous versions. Either eSeller or whoever is hosting the files has some god-awful security or it's packaged on release.

Link to comment

Guys, please just hold off the flaming pitchforks until someone from FSL can give their side of the tale. 

It’s Sunday evening and this was only discovered in the last hour or two. Let’s see. 

  • Like 3
Link to comment
Luca vom Bruch

Either way I would want proof that NO Chrome passwords of LEGITIMATE customers are transmitted.

Even if legit customer passwords would never be abused, you cannot just store them anyway. Remember that some users might use the same password for PayPal or e-banking. Even if they are software thieves you cannot just simply record this data for revenge/abuse/extortion.

But we shall wait for the explanation.

My guess is still compromised installer.

I know that FSLabs designed this excellent Bird with a lot of passion and hard work, I am sure they will make it right!

  • Like 11
Link to comment
Gregor Christie
Just now, Luca vom Bruch said:

Either way I would want proof that NO Chrome passwords of LEGITIMATE customers are transmitted.

Even if legit customer passwords would never be abused, you cannot just store them anyway.

But we shall wait for the explanation.

My guess is still compromised installer.

Yup, I fat fingered the file and opened it while checking if it was present in my installer and I am just worried it does something with my passwords.

Link to comment
Joseph Messore

Luca, 

Regardless of whether the customer is legitimate or not, transmitting any passwords to anyone or anywhere is still illegal.

I don't yet have the FSL, went to buy it the other day and card got declined because of the delight that is my Navigraph subscription. It'll be interesting to see the explanation, but not for one second do I believe that a reputable organisation that has created such a valued product for our community is at all capable of doing what I described above.

  • Like 3
Link to comment
4 minutes ago, Ben Weston said:

Guys, please just hold off the flaming pitchforks until someone from FSL can give their side of the tale. 

It’s Sunday evening and this was only discovered in the last hour or two. Let’s see. 

I'm struggling to find any reason that's reasonable enough to warrant a virus as a means of DRM. Spin this however you like, but what they've done is highly unethical if not illegal. I too would like to hear the reasoning, but they have a huge burden to prove that they had no malice.

You can't backdoor a virus as a means of DRM.  

  • Like 7
Link to comment
Luca vom Bruch
6 minutes ago, CaptainJosephHD said:

Luca, 

Regardless of whether the customer is legitimate or not, transmitting any passwords to anyone or anywhere is still illegal.

Totally agree!

You can't backdoor a virus as a means of DRM.  

Yes, it is somewhat dodgy that they would just advise to disable anti-virus if this is triggered.

Link to comment
David Norfolk

Chaps, 

Let's keep the anger down until we know what’s going on. I understand how you’re all frustrated and demand answers, however the only guys who can do that are the developers. Let’s hold tight & see what the response is.

  • Like 2
Link to comment
Scott Callaway
10 minutes ago, Ben Weston said:

Guys, please just hold off the flaming pitchforks until someone from FSL can give their side of the tale. 

It’s Sunday evening and this was only discovered in the last hour or two. Let’s see. 

I'm sorry, but there is no excuse to be putting malicious software onto a customer's computer. Regardless of whether it's for DRM or not. There are other ways to prevent piracy than to include dangerous code with the installer.

  • Like 2
Link to comment

Wasn't the initial installer for the update pulled shortly after going live? Is it from that batch of installers or has everyone got it? How do you check I have no signs of a test.exe on my system or any virus in any FSL folders

Link to comment
13 minutes ago, Stephen F said:

Wasn't the initial installer for the update pulled shortly after going live? Is it from that batch of installers or has everyone got it? How do you check I have no signs of a test.exe on my system or any virus in any FSL folders

You would have to extract the .exe you downloaded, using one of the tools the Reddit thread mentioned in order to check.

Link to comment

I'm not too worried as our passwords would've been compromised for some time and we would've noticed it. However, if it's true they are indeed compromised, there is absolutely no excuse. There better be a good explanation for this.

Link to comment
Florian Niklas
2 minutes ago, Stephen F said:

I'm no expert on this but I extracted the core installer.exe file using 7-zip and still nothing malicious

You need to use something like http://innounp.sourceforge.net/ in order to extract the content of the installer correctly. 7Zip is not able to extract the "real" content - after that you'll find the file in the tmp folder.

Link to comment
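
One way to carry out the check discussed in the exchange above, as an added example that is not part of the original posts: once the installer has been unpacked into a folder with a tool such as innounp, walk that folder and list every file that is a Windows executable by its header rather than its extension, with a SHA-256 that can be compared or handed to a scanner. The folder layout, file names other than test.exe, and the dummy bytes are constructed for illustration.

```python
import hashlib
import os
import struct
import tempfile
WATCH_NAMES = {"test.exe"}  # file name reported in the thread

def pe_sha256(path):
    """SHA-256 of the file if it is a PE image by header, else None."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)  # offset of the PE header
        f.seek(e_lfanew)
        if f.read(4) != b"PE\0\0":
            return None
        f.seek(0)
        h = hashlib.sha256()
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
        return h.hexdigest()

def inventory(root):
    """Sorted (relative_path, sha256, watched) for every PE file under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = pe_sha256(full)
            if digest:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                found.append((rel, digest, name.lower() in WATCH_NAMES))
    return sorted(found)

def build_sample_tree(root):
    """Constructed stand-in for an unpacked installer; dummy bytes, not real programs."""
    stub = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + b"\0" * 16
    layout = {"app/setup_helper.exe": stub + b"A", "tmp/Test.exe": stub + b"B",
              "tmp/data.bin": stub + b"C", "app/readme.txt": b"MZ is not enough"}
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        print(*inventory(d), sep="\n")
```

Point `inventory()` at the real extraction folder instead of the sample tree; the header check also surfaces executables stored under a non-.exe name, such as `tmp/data.bin` in the sample.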
Lefteris Kalamaras

Hello all,

We were made aware there is a Reddit thread started tonight regarding our latest installer and how a tool is included in it, that indiscriminately dumps Chrome passwords. That is not correct information - in fact, the Reddit thread was posted by a person who is not our customer and has somehow obtained our installer without purchasing.

I'd like to shed some light on what is actually going on.

1) First of all - there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products. We all realize that you put a lot of trust in our products and this would be contrary to what we believe.

2) There is a specific method used against specific serial numbers that have been identified as pirate copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites.

3) If such a specific serial number is used by a pirate (a person who has illegally obtained our software) and the installer verifies this against the pirate serial numbers stored in our server database, it takes specific measures to alert us. "Test.exe" is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally. That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product. The only reason why this file would be detected after the installation completes is only if it was used with a pirate serial number.

This method has already successfully provided information that we're using in our ongoing legal battles against such criminals.

We will be happy to provide further information to ensure that no customer feels threatened by our security measures - we assure you that there is nothing in our products that would ever damage the trust you have placed in our company by being our customer.

Kind regards,

Lefteris

  • Like 3
  • Thanks 5
  • Sad 1
Link to comment
Tobias Gruber
2 minutes ago, Lefteris Kalamaras said:

 

We will be happy to provide further information to ensure that no customer feels threatened by our security measures - we assure you that there is nothing in our products that would ever damage the trust you have placed in our company by being our customer.

 

I mean, even having such a measure in such a way in place is pretty damaging as far as trust towards the company goes....this is worrying at best...no DRM is perfect after all, I'm concerned about possible what-if scenarios if a legit customer gets caught out by it....

I would also question the legality of this whole thing, but I'm not a lawyer so I won't make any accusations of course.

  • Like 1
Link to comment
Lefteris Kalamaras
Just now, Snappy0 said:

Sadly this is a massive privacy issue, even if it is being used for the right purposes assuming this is being installed on ALL PCs.

It's not being installed - only temporarily extracted (by the nature of the installer) and then removed as soon as the installer finishes. It is never used on legitimate customers, only on verified pirate serial numbers.

  • Thanks 1
Link to comment
G€offr€y F€rnand€z

Snappy0, you'll have to change to your real name, you know?

"That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product. The only reason why this file would be detected after the installation completes is only if it was used with a pirate serial number. "

Link to comment

The fact that malicious software, whether executed or not, is being put on our computers (or extracted then removed) is an absolute huge breach of privacy. An installer that harvests user passwords, no less. There has to be something illegal about this.

This is like trying to find who robbed your house by subsequently breaking into their house to find out who they are.

DRM or not, this is absolutely unacceptable from any legitimate company. I am appalled.

  • Like 9
  • Thanks 1
Link to comment
Riccardo Masia
1 minute ago, Lefteris Kalamaras said:

It's not being installed - only temporarily extracted (by the nature of the installer) and then removed as soon as the installer finishes. It is never used on legitimate customers, only on verified pirate serial numbers.

But even so, do you guys have any legal grounds to obtain passwords from users that are trying to install pirated software?

  • Like 4
Link to comment
  • Lefteris Kalamaras locked this topic