CNET Accused of Bundling Software Downloads with Trojans
A software wrapper used by CNET supposedly tricks users into installing toolbars and Trojans instead of the actual hosted program.
Gordon "Fyodor" Lyon is the creator and maintainer of the widely-used network auditing and penetration-testing tool called Nmap. It's a handy tool for administrators that can spot services that shouldn't be running, locate rogue PCs and servers, identify firewalls on the network and more. You would think that having a download mirror like CNET would bring a significant load of traffic to Lyon's software.
Well it has, just not in a good way.
According to the developer, CNET's Download.com repository has bundled his free software with Trojans and shady toolbars without his consent. Security firm Sophos backs up the claims and explains that it's encased in a software wrapper -- aka the Download.com Installer which was introduced back in July -- that tricks the potential customer into installing the Babylon Toolbar. To do this, the wrapper pops up a dialog headlined "Nmap" with a bright green default "Accept" button. But accepting only means CNET visitors accept the "special offer" of the toolbar instead... accepting the installation of Nmap comes later.
"The problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer," Lyon reports. " Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!"
"Taking someone else's work, even if it is open source and free, and using it as a drawcard for your own unrelated commercial purposes, is just plain unfair," Sophos added in a blog. "Getting people into the habit of installing software in an unofficial way from an unofficial source is poor security practice."
According to CNET, visitors can actually opt-out of the Download.com Installer by submitting a request to this email address. All opt-out requests are supposedly "carefully reviewed on a case-by-case basis."
The good news is that CNET's proprietary software is only available on some downloads -- customers who don't want to use the downloader can use the target software’s HTTP download URL to bypass it. The bad news is that security companies McAfee, Panda, F-Secure and seven others have determined the executable to be malware. Eight went so far as to label it as an actual Trojan.
"We've long known that malicious parties might try to distribute a trojan Nmap installer, but we never thought it would be CNET's Download.com, which is owned by CBS!" Lyon said. "And we never thought Microsoft would be sponsoring this activity!"
CNET has reportedly offered Lyon to opt out of the Download.com Installer program, but Fyodor doesn't plan to stop there. Because CNET's software uses Nmap's trademark and copy text, he may choose to take legal action over a possible trademark violation.
"In addition to the deception and trademark violation, and potential violation of the Computer Fraud and Abuse Act, this clearly violates Nmap's copyright," he added. "This is exactly why Nmap isn't under the plain GPL. Our license specifically adds a clause forbidding software which "integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to various GPL requirements."
As of this writing, CNET and parent company CBS has not commented on the malware and copyright allegations.
- MIPS to Make Ice Cream Sandwich Tablet Priced Below $100
- 10B Android Market Downloads Celebrated With $0.10 Sale
- WSJ: Galaxy Nexus to Sell for $299.99 on 2-year Contract
- Sen. Al Franken Seeking Carrier IQ Answers from Carriers
- New .XXX Domains Finally on General Sale
- Sony Ericsson Dropping Ericsson Name in 2012
- Asus' 2012 Padfone will Pack Nvidia's Quad-core Tegra 3
- Siri Ported to iPhone 4, iPod touch (But Potentially Unsafe)
- Syria Bans the iPhone to Silence Citizen Journalists
- NASA's Kepler Telescope Good at Finding Extrasolar Planets
- RIM Executives Fired Over Drunken Antics on Flight
- Facebook's New Address is '1 Hacker Way'
- Navy Preparing Underwater Drones, Could Find Red October
- Computer Scientists Discover How to Simulate Rainbows
- Motorola Confirms Droid Xyboard Tablets Coming This Month
- Galaxy Nexus Launches in Canada With Sheepdogs Support
- Verizon Launching Streaming Video Netflix Competitor
- OnLive Finally Arrives on Tablets and Smartphones
- Facebook Flaw Revealed Zuckerberg's Private Photos


MS involved... The media would go hard on MS as they did with Sony and the PSN issue? I don't think so.
Well it remains to be seen how much is MS involved , but the "tool"bar is there for a while now , it has been annoying and this counterproductive for a while now . Many other sites practice this including Brothersoft and a few others. I am personaly against it i just find it vexing that it took people this long to do something about it.
PS: even the F#%^@ DirectX installer comes with a pre-aproved Bing tool bar. Google must be killing Bing , GOOD.
I clicked the link feeling skeptical, but after reading the article, that's pretty f'ed up, and I hope CNET pays for it.
They used to give you direct links to the downloads, now they have you download some weird installer to get the download.
That's why I always download from the author/dev's site if possible.
Actually, it may be safer to download software from torrent trackers nowadays.
I HATE Cnet's new downloading tool.
It's STUPID.
I mean, at my college the internet is blocked for certain things, and they blocked Cnet because of that new download tool which was tricking people at the college into downloading and installing toolbars and PUP's on the workstations.
Cnet is a turn off now. For me anyway.. I almost never download from there.
I hope Nmap takes CNet to the cleaners on this one. That's willful wrongdoing.
I feel so Violated :-(
I don't understand: "The bad news is that security companies McAfee, Panda, F-Secure and seven others have determined the executable to be malware. Eight went so far as to label it as an actual Trojan."
Given what the CNET wrapper includes that's not bad news, it's excellent news, and an indication that those companies are doing their job regardless of the source.
Hopefully NMap can win in court and prevent CNet from continuing to use their product as a lure for CNet Malware....
major bummer!
I stopped downloading from CNET months ago. I am expecting CNET in the future to realize that they are NOT the only site in the Internet where you can download free or trial software. The question is are we going to care about CNET in the future? From experience I think not. I know that Idon't. Today!
Stopped using CNET a long time ago. I don't use them much anymore. So many other BETTER places to download.
i download from softpedia, problem cnet!
Who uses CNET anyway? I don't remember I ever downloaded something clean from their site, my NOD32 always finds a problem.
Hey Gordon "Fyodor" Lyon, thanks for caring enough about this to go to the mattresses for us and/or for your program. -Thanks
Downloading anything from Adobe.com quickly can get you a McAfee Toolbar and downloading the Java installer gets you an Ask.com toolbar... makes me sick!"Tooljacking" is what I call it!
As an IT mgr. for a midsized business I've just completed sending this message below to CNET's website.
I encourage all in positions of influence within their businesses to prevent their users from accessing a deceptive business that will do anything to make a buck.
"After reading of your companies deceptive download practices and investigating these claims myself, I have determined CNET is no-longer a valid trustworthy company.
From this day on ALL traffic from my company to anything affiliated with CNET will be blocked. No exceptions. The public trust we had is now broken due to your marketing dept. and managements actions. The other parts of your business model are also blocked because a company willing to so easily deceive is capable of anything.
I've used my personal email account to notify you because of the obvious legal claims I'm making represent my opinion and not those of my company. Since I'm the head of IT the decision has been made, we are no-longer using any of your sites due to possible abuse. This is a permanent ban because only the free markets denial of patronage has any affect in these cases.
I hope you all find new/better jobs soon.
Thank You"
I've been using C-Net's Download.com for over 15 years, I'll stop using it if this doesn't get cleaned up.
The problem with these damn things is the average user doesn't notice the hidden check boxes or doesn't understand certain installation steps, so they next through stuff. Then they bring it to a local computer shop wondering why internet explorer is so slow. You open it up, and literally 70 percent of the screen is toolbars -- I've seen this before and it's sickening. Guarantee these people didn't know they were getting a single one. Sure, user's should be more careful, but we really shouldn't have to be when downloading from sites who already have a good source of income from other advertising.
Search toolbars are obsolete. If they just switched my default search provider to bing I wouldn't really care. But when you take up my screeen with your toolbars you just piss me off
Well, no more CNET for me.
Actually, it may be safer to download software from torrent trackers nowadays.
only from trusted/VIP uploaders on public torrent sites (such as PirateBay) or from a private tracker....I wouldn't download anything from an unverified source as they can take software from a trusted source and add a Trojan or other malware.
I clicked the link feeling skeptical, but after reading the article, that's pretty f'ed up, and I hope CNET pays for it.
Same here. I have ALWAYS trusted CNET 100% of the time when I download... Guess I'll find somewhere else!
Very disapointing CNET....
I HATE Cnet's new downloading tool.It's STUPID.I mean, at my college the internet is blocked for certain things, and they blocked Cnet because of that new download tool which was tricking people at the college into downloading and installing toolbars and PUP's on the workstations.Cnet is a turn off now. For me anyway.. I almost never download from there.
I hate the new installer. Was turned off by it when I first installed a program and popped up. Since then, I hardly download anything, and very rarely anything from CNET. What a shame.
I have used CNet's Download service for years... about 10 years actually. It was trusted not to have infected files no BS... And yeah, a few months ago - I notices that when you CLICKED to download a program... you'd get a 200K installer. Which is bull.... not going to do it.
Now, CNET does offer people to download JUST the actual files by creating an account.
I just use Ninite.com when I can, I trust it more than CNET.
PS: Since I'm no longer using CNET's download to get programs, I'm also not seeing and reading their articles or reviews.
So what IDIOT came up with this? The same ones who work for AMD?
What other sites do people search and download for tools use besides CNET?
Most software companies offer their free for personal use on their own websites. Sometimes you have to look around for it, e.g., AVG. Try googling the software you are seeking, then choose the ones with the manufacturer's name in the domain to find the free version.
Downloading anything from Adobe.com quickly can get you a McAfee Toolbar and downloading the Java installer gets you an Ask.com toolbar... makes me sick!"Tooljacking" is what I call it!
Its not just that, but you can bet that Chrome's new 'larger than firefox' market share numbers mostly come from the same sort of thing. People download a utility or 'free' app, click through the setup, and BANG, there is a chrome icon on their desktops.
Lol, at the chrome comment by zybch. Bang now you have a browser worth using, regardless of how you got chrome it's loads safer than IE and I have never personally seen anyone complain of chrome being installed against their will.
Downloading from CNET is now taboo to say the least, fileforum.com among others are much safer.
This is news?