Download.Com Caught Adding Malware to Nmap & Other Software


Summary

CNET’s Download.Com is one of the most popular (currently ranked #174 worldwide by Alexa) and longest-running (it has been around since 1996) major sites on the Internet. As a download repository, their key value add was that they screened software to avoid malware, spyware, adware, viruses and other harmful content that certain shady software contains. Even many security experts recommended them as a safe place to download software online. Download.Com is run by CNET, which is part of the 17-billion dollar CBS media empire. Many people assumed that a major site like this wouldn’t resort to unethical monetization schemes like adding spyware and other malware to their downloads.

Unfortunately, those people were wrong. In August 2011, Download.com started wrapping legitimate 3rd party software into their own installer, which by default installs a wide variety of adware and other questionable software on users’ machines. It also does things like redirect user search queries and change their Internet home page. At first their installer forced people to accept the malware or close the installer (see screen shot of infected VLC installer in this article). Later they added a non-default “decline” button hidden away on the left side of the panel. Also, the initial installer shown in the previous screen shot claimed the software was “SAFE, TRUSTED, AND SPYWARE FREE”. In an unusual show of honesty, they removed that claim from the rogue installer.

While it is common for internet criminals to infect software installers in this way, we never expected it from a previously-reputable site like Download.Com. Especially given their “Download.com Adware & Spyware Notice” which currently still says:

“In your letters, user reviews, and polls, you told us bundled adware was unacceptable–no matter how harmless it might be. We want you to know what you’re getting when you download from CNET Download.com, and no other download site can promise that.”

and …
“every time you download software from Download.com, you can trust that we’ve tested it and found it to be adware-free.”
It is unbelievable and reprehensible that they can make these claims of being adware, malware, and spyware free at the same time as they are actually adding adware and malware to the packages they distribute! Here is an example from an installer screen added by CNET Download.Com which (if the user isn’t vigilant enough to catch the small print I’ve circled below and press the decline button) will infect their machine:

It is bad enough when software authors include toolbars and other unwanted apps bundled with their software. But having Download.Com insert such things into 3rd party installers is even more insidious. When users find their systems hosed (searches redirected, home pages changed, new hard-to-uninstall toolbars taking up space in their browser) after installing software, they are likely to blame the software authors. But in this case it is entirely Download.com’s fault for infecting the installers! So while Download.Com takes the payment for exploiting their users’ trust and infecting the machines, it is the software authors who wrongly take the blame! Of course it is users who pay the ultimate price of having their systems infected just to make a few bucks for CNET.

They’re even using the trojan for children’s software such as the Kea Coloring Book! Have they no shame?

The Nmap Connection

The Nmap Security Scanner is a free and open source utility used by millions of people for network discovery, administration, inventory, and security auditing. It was developed by Gordon Lyon (A.K.A. Fyodor) in 1997 and he has been working to improve it ever since. Nmap has always been distributed free of charge without adware or malware of any kind, so you can imagine how upset Fyodor was when he found out that Download.Com was betraying his users’ trust by adding malware to the Nmap installer. Particularly because Download.Com makes it look like users are getting the real Nmap installer, and they even put the trademarked Nmap name next to the “special offer” which infects users’ machines (see the screen shot above). He verified the problem and sent a strongly worded warning to Nmap users worldwide. That post also includes screen shots of the infection screen and virus scanner results showing that many anti-virus scanners already recognize and flag the CNET-provided malware.

News Reports

Fyodor’s original post went viral, spread by many angry users who were betrayed by Download.com’s false promises of clean downloads. Here are some reasonably detailed (or with many comments) English articles:

The Register: Cnet slammed for wrapping Nmap downloads with cruddy toolbar
Network World: CNET Accused of Wrapping Malware in Windows Installer for Nmap Security Tool
Sophos Naked Security: Popular network tool Nmap in CNET security brouhaha
Krebs On Security: Download.com Bundling Toolbars, Trojans?
Heise Online: Download.com accused of wrapping nmap in a “trojan installer”
The Inquirer: Cnet is accused of bundling malware with downloads
Reddit: Download.com is now bundling Nmap with malware!
Slashdot: Download.com Bundling Adware With Free Software
Linux Weekly News: C|Net Download.Com accused of bundling Nmap with malware
Hacker News: CNet’s Download.com now bundling Nmap with malware
Geek.com: Nmap warns Download.com bundles malware with its software
Tom’s Guide: CNET Accused of Bundling Software Downloads with Trojans
Examiner.Com: Download.com’s wrapper installers delivering malware with software
ITWire: Cnet’s Download.com is bundling malware with Nmap
SANS Internet Storm Center: C|Net download.com serving malware with nmap software
Wireshark blog: Used Cars and Stub Installers
EasyBCD: Open Letter to CNet

Updates

Here are some updates from Fyodor since this brouhaha started with his initial December 5 email:

Dec 6: Microsoft contacted me to say:

“We saw the message you sent to the nmap-hackers mailing list a few days ago. Thanks for spotting this—we were unaware of the bundling issue you identified. It does appear CNET bundled the search services of one of our distribution partners with other software. In the meantime, our partner has suspended operations with CNET until this issue has been remedied.”
This is probably why CNET switched to installing the Babylon Toolbar yesterday. This is a good and welcome move by Microsoft, but the whole process of paying “distribution partners” to change a user’s home page to MSN and search engine to Bing is rather sketchy. At a minimum, this distribution partner should be terminated. Creating a great search engine is a better way to attract users to Bing.

Dec 6: The adware pushed by Download.com has changed again. Now the installer is promoting CNET’s own “TechTracker” software. Either they are doing this (rather than the more egregious malware they were installing earlier) to lie low while the heat dies down, or they’ve become so toxic that even sketchy toolbar vendors won’t deal with them. But if CNET isn’t stopped, the malware vendors will come crawling back soon enough and CNET will be there to receive them.

Dec 6: I had a fruitful discussion with lawyers for the Electronic Frontier Foundation, who are well known for defending users’ rights in the digital realm.

Dec 6: Sometime last night, Download.Com quietly replaced their rogue Nmap installer with a link to the official Nmap installer. While I’m glad they have currently removed the trojan installer for Nmap, they need to remove it for all of the software, not just those of us who cause enough bad press to shame them into it. Here is some popular software that still has the trojan download enabled: Kea Coloring Book (children’s software), Need for Speed Underground 2 (game), and Age of Empires II: The Age of Kings (game).

Dec 5: The rogue installer uses your internet connection to decide what malware to install. It has now started installing the Babylon Toolbar rather than the Microsoft Bing stuff.

Dec 5: Gerald Combs, project leader for the popular Wireshark protocol analyzer, sent a cease-and-desist letter to CNET and they removed the rogue installer (only for his software). He’s the one who notified Fyodor about this rogue CNET behavior in the first place.

Goal and Demand of this page

After all the bad press, CNET has (at least for now) removed the trojan installer for Nmap. But they could bring it back at any time, and they still infect thousands of other software packages.

My demand is that CNET stop doing this for ALL of the software they distribute, not just those who are able to generate enough bad PR for them.

If Download.Com doesn’t stop, I plan to continue spreading the word about their reprehensible behavior. You can help by linking to and sharing this page, contacting anyone you know at CNET or Download.Com, and of course never using or recommending Download.Com to anyone! There are many superior alternatives, including FileHippo, NiNite, and Softpedia. Of course you can download apps from their official sites too!

Infection Mechanism

The way it works is that CNET’s Nmap download page (screen shot) offers what they claim to be Nmap’s Windows installer. They even provide the correct file size for our official installer. But users actually get a CNET-created trojan installer. That program first communicates over the user’s internet connection to decide what sort of adware/spyware/malware to “offer” for installation. The first screen of the rogue installer just claims that the software “is virus and spyware free” and has the user click the big green button to continue. The next screen (screenshot1, shot2) is the tricky one. If they click on the green button again this time, it will (in these two examples) change their home page, redirect their search queries, and install a sketchy and hard-to-remove browser toolbar.

The problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn’t put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!
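The passage above notes that CNET’s download page reported the correct file size for the official installer even though users received a different program, so file size alone proves nothing. The following Python script is an added example, not code from the original page or from the Nmap project: it checks a downloaded installer against both the size and the SHA-256 digest a vendor would publish on its official site. The two installer images and the expected digest are constructed inline so the script runs offline.

```python
import hashlib
import os
import tempfile


def file_fingerprint(path):
    """Return (size_in_bytes, sha256_hex), streaming so large installers fit in memory."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def verify_installer(path, expected_size, expected_sha256):
    """Compare a downloaded file with the vendor-published size and SHA-256.

    A size match with a hash mismatch is exactly the wrapper-installer case:
    same advertised length, different contents."""
    size, digest = file_fingerprint(path)
    return {
        "size_matches": size == expected_size,
        "hash_matches": digest == expected_sha256.lower(),
        "sha256": digest,
    }


def run_demo():
    """Constructed sample data: a stand-in 'official' installer and a same-size
    stand-in 'wrapper' stub. Neither is a real binary; the bytes are placeholders."""
    official = b"MZ official-installer-placeholder".ljust(4096, b"\x00")
    wrapper = b"MZ wrapper-stub-placeholder".ljust(4096, b"\x00")
    # The expected digest is what the vendor's site would publish for the official file.
    expected_size, expected_sha256 = len(official), hashlib.sha256(official).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in (("official", official), ("wrapper", wrapper)):
            path = os.path.join(tmp, name + ".exe")
            with open(path, "wb") as fh:
                fh.write(blob)
            results[name] = verify_installer(path, expected_size, expected_sha256)
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The wrapper stub passes the size check and fails the hash check, which is the only one of the two that actually tells the user what they downloaded.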

Credit to: http://insecure.org/