CNET [Download.com] Accused of Wrapping Malware in Windows Installer

LazyLion

King of de Jungle
Joined
Mar 17, 2005
Messages
103,693
http://www.networkworld.com/communi...-malware-windows-installer-nmap-security-tool

CNet is tangled in allegations of wrapping bloatware, malware and Trojans in the Windows Installer for free programs available at CNet Download. Gordon Lyon, better known as Fyodor, announced on Seclists that C|Net Download.Com is now bundling Nmap with malware!

Some in the security community are currently ticked, at least disgusted, in regard to the pen-testing Network Mapping tool Nmap after Gordon Lyon, better known as Fyodor, announced on Seclists that C|Net Download.Com is now bundling Nmap with malware!

Fyodor alerted users that the Windows Installer for Nmap and other Open Source programs like VLC wraps bloatware, malware, and Trojans in otherwise legitimate and free software. According to #5 on CNet's Download.com forum discussion, the CNET installer changes were made to "improve security and reliability of downloads." Users trust CNet downloads, which claims more than 2.5 million daily downloads, and most won't take the time to opt out before the installer loads junk on their box.

Fyodor, the creator of Nmap, wrote:

Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!

I took and attached a screen shot of the C|Net trojan Nmap installer in action. Note how they use our registered "Nmap" trademark in big letters right above the malware "special offer" as if we somehow endorsed or allowed this. Of course they also violated our trademark by claiming this download is an Nmap installer when we have nothing to do with the proprietary trojan installer.

In addition to the deception and trademark violation, and potential violation of the Computer Fraud and Abuse Act, this clearly violates Nmap's copyright.

[Attached screenshot: CNETinstaller4Nmap-in-action.gif]

"CNet knows that there's something wrong with what they're doing, and they're trying to deceive developers and users," according to ExtremeTech. The installer allegedly does not spy on your computer, and can be completely removed by deleting the installer from the computer, but since "SAFE, TRUSTED, AND SPYWARE FREE" has been removed, I asked CNet and CBS Interactive how wrapping installers and the bundling of bloatware could possibly be construed as benefiting users or developers. No surprise, there was no reply, and also no surprise that the CNet-wrapped installer version of Nmap is identified as malware by 10 of 42 scanners.

After numerous attempts to get a reply from CNet Download.com editors, CBS Interactive, and even Microsoft, let's just open fire. Not only is wrapping installers an appalling idea, it's a horrible security practice. Furthermore, requiring users to opt out instead of opt in is also an extremely poor way to handle privacy. Neither CNET Download.com editors nor CBS Interactive offered any comment on any of the allegations or on Fyodor's CFAA and copyright accusations. There was only the chirping of crickets, otherwise silence, after asking them both, "How is wrapping a Trojan in the Nmap installer an improvement to security?"

The same bundled-with-crapware download happened to Wireshark, until the Wireshark open source director sent a cease and desist letter to CBS. Others discussing the Nmap issue on Seclists have suggested sending a DMCA takedown, getting download.com listed on StopBadware, and reporting the malware to get the site blacklisted on Google.

I'd like to echo Fyodor, "Also, shame on Microsoft for paying C|Net to trojan open source software!" When asked, Microsoft declined to offer any comment regarding Fyodor's claim that Microsoft is "paying C|Net to Trojan open source software." Sophos Naked Security also believes this is a "poor security practice" and "taking someone else's work, even if it is open source and free, and using it as a drawcard for your own unrelated commercial purposes, is just plain unfair."

According to the CNet Download.com Installer FAQ: "If you would like to opt out of the Download.com Installer you can submit a request to CNet-installer@cbsinteractive.com. All opt-out requests are carefully reviewed on a case-by-case basis."

You might want to steer clear of CNet's Download.com if you still don't have Nmap or any of the other top 125 tools listed on SecTools, which is like a "Yelp for security tools." Meanwhile, if you know a great copyright attorney in the U.S., then Fyodor is looking for one.

After this was written, CNet sent this reply: "We value your comments and have forwarded them on to our managers. Our goal is to make CNET an easy to use, friendly and safe site that helps people find and learn about the latest tech and consumer electronics." Safe? Yeah right, bundling malware, crapware and Trojans in downloads is neither cool nor safe.

Microsoft's Director of Bing, Bill Hankes, replied as well.

Q: Can you see if Microsoft would like to offer any comment regarding Microsoft "paying C|Net to trojan open source software"?

A: “No. Microsoft partners with a distributor who provides Bing search services within their product. This product was downloaded through a separate partnership with CNET.”

“We recently became aware of a CNET software bundling issue involving search services from one of our distribution partners. In this case, it appears that CNET bundled the search services of one of our distribution partners with other software. We are working closely with our partner to help protect customers and in the meantime, our partner has suspended operations with CNET until this issue has been remedied,” wrote Bill Hankes, Director, Bing.

Thought this warning was relevant since many of us have used Download.com in the past as a good source of freeware and a reliable file mirror!
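The practical defence against a mirror that re-wraps a project's installer is to stop trusting the mirror and check the downloaded file against a checksum published by the developer. The script below is an added example, not code from the Nmap project, Network World or anyone in this thread. It assumes the developer publishes a sha256sum-style list (one `<hex digest>  <filename>` line per file); the installer bytes, the filename `nmap-setup.exe` and the digests are constructed stand-ins for the demo, and the "wrapped" file models a downloader stub prepended to the real payload under the original filename.

```python
"""Verify a downloaded installer against a developer-published checksum list.

Added example (not the Nmap project's or Download.com's code). Assumes the
developer publishes sha256sum-style lines; all inputs below are constructed.
"""
import hashlib
import os
import tempfile


def parse_checksums(text):
    """Parse sha256sum-style lines into {filename: hex_digest}.

    Accepts both text-mode ("<hex>  name") and binary-mode ("<hex> *name")
    markers, ignores blank and '#' comment lines, rejects malformed digests.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("malformed checksum line: %r" % line)
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        int(digest, 16)  # raises ValueError if not hex
        table[name] = digest
    return table


def sha256_file(path):
    """Stream the file through SHA-256 so large installers do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksums):
    """Return (ok, reason).

    Matching is on basename only, so a mirror that serves different bytes
    under the developer's filename (the wrapped-installer case) is reported
    as a digest mismatch rather than as an unknown file.
    """
    name = os.path.basename(path)
    expected = checksums.get(name)
    if expected is None:
        return False, "no published checksum for %s" % name
    actual = sha256_file(path)
    if actual != expected:
        return False, "SHA-256 mismatch for %s: expected %s, got %s" % (
            name, expected, actual)
    return True, "OK"


def demo():
    """Write a stand-in official installer and a wrapped copy, verify both."""
    official = b"OFFICIAL-INSTALLER-STANDIN-BYTES"        # constructed payload
    wrapped = b"DOWNLOADER-STUB-STANDIN" + official       # constructed wrapper
    name = "nmap-setup.exe"                                # hypothetical name
    published = "%s  %s\n" % (hashlib.sha256(official).hexdigest(), name)
    checksums = parse_checksums(published)

    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, data in (("official", official), ("wrapped", wrapped)):
            sub = os.path.join(tmp, label)
            os.mkdir(sub)
            path = os.path.join(sub, name)
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify_download(path, checksums)
    return results


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print("%-8s %s" % (label, reason if not ok else "OK"))
```

Run it as-is and the constructed "official" copy verifies while the "wrapped" copy, which carries the same filename, fails with a digest mismatch. The checksum list must come from the developer's own site over HTTPS (or be checked against the developer's signature), not from the mirror that served the binary, or the comparison proves nothing.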
 

LEE COLIN

Active Member
Joined
Nov 1, 2010
Messages
65
Yo! That's true, man. I've always suspected them of adware, such as BigSeekPro, Babylon, etc. It's really hard to remove; you have to clean it from your registry.
 

Mr.CookieMonster

Expert Member
Joined
Sep 19, 2011
Messages
1,829
That is very true: the software from their site comes with its own installer, and it asks you to install these shady toolbars. I HATE TOOLBARS; I browse with only the needed ones.
 

Totempole

Expert Member
Joined
Sep 21, 2011
Messages
4,219
I NEVER use websites that require a "special" download application or "accelerator" in order to obtain the file. I've downloaded lots of stuff from CNet, but never touched their download app.

I NEVER install browser toolbars or plugins unless they're essential and well-known, i.e. Flash, Sun Microsystems etc.

I ALWAYS make sure I OPT OUT of any crapware included with applications (Google Chrome included). (I know Google Chrome isn't crapware, but I hate it almost as much as Internet Explorer.)

If you see an advertising banner that interests you, DON'T EVER CLICK IT; go DIRECTLY to the website associated with it. Yes, I know clicking banners helps websites generate revenue, but a lot of them are misleading, fake, or contain malware of some sort.

And finally, if your anti-virus blocks you from a website, there is a 99.9% chance it's right. Don't ignore your anti-virus on the 0.1% chance that it's a false positive.

As far as I'm concerned the above should go without saying, yet some people don't seem to think before they click.
 

Mephisto_Helix

Resident Postwhore
Joined
Jan 29, 2008
Messages
28,854
Download.com has been sketchy for ages. I haven't used them in years... glad it's being more closely inspected and brought out into the open.
 

Saajid

Expert Member
Joined
Aug 8, 2008
Messages
4,552
Why do people even use download.com? If I need software, I Google it and go straight to the developer's website and either download it directly from them (freeware, open source, trial version) or buy it outright, or head on over to BitTorrent to find a cracked version that is well seeded, has been verified by the community, and has been commented on for potential problems.
 

LazyLion

King of de Jungle
Joined
Mar 17, 2005
Messages
103,693
Why do people even use download.com? If I need software, I Google it and go straight to the developer's website and either download it directly from them (freeware, open source, trial version) or buy it outright, or head on over to BitTorrent to find a cracked version that is well seeded, has been verified by the community, and has been commented on for potential problems.

Agreed, but better to warn everyone possible.
 