CNET Accused of Bundling Software Downloads with Trojans

Gordon "Fyodor" Lyon is the creator and maintainer of the widely-used network auditing and penetration-testing tool called Nmap. It's a handy tool for administrators that can spot services that shouldn't be running, locate rogue PCs and servers, identify firewalls on the network and more. You would think that having a download mirror like CNET would bring a significant load of traffic to Lyon's software.

Well it has, just not in a good way.


According to the developer, CNET's download site has bundled his free software with Trojans and shady toolbars without his consent. Security firm Sophos backs up the claims and explains that the download is encased in a software wrapper (CNET's Installer, introduced in July) that tricks the user into installing the Babylon Toolbar. To do this, the wrapper pops up a dialog headlined "Nmap" with a bright green default "Accept" button. But clicking it only accepts the "special offer" of the toolbar; the actual Nmap installation comes later.

"The problem is that users often just click through installer screens, trusting that gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer," Lyon reports. "Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!"

"Taking someone else's work, even if it is open source and free, and using it as a drawcard for your own unrelated commercial purposes, is just plain unfair," Sophos added in a blog. "Getting people into the habit of installing software in an unofficial way from an unofficial source is poor security practice."

According to CNET, visitors can opt out of the Installer by submitting a request to a CNET email address; all opt-out requests are supposedly "carefully reviewed on a case-by-case basis."

The good news is that CNET's proprietary wrapper is only used on some downloads, and users who don't want it can fetch the target software directly from its own HTTP download URL instead. The bad news is that ten antivirus vendors, including McAfee, Panda and F-Secure, flag the wrapper executable as malware, and eight of them label it a Trojan outright.
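Fetching the real installer by its direct URL only helps if you also check that what arrived is what the author published. The script below is an added example, not code from the article or from the Nmap project: it downloads a file to a temporary location, compares its SHA-256 with a digest you copied from the author's own site, and only keeps the file on a match. The URL and digest in the usage comment are placeholders, and the download location of any real project's digests is something you look up yourself.

```shell
#!/bin/sh
# Added example: fetch a file by its direct URL (bypassing a download site's
# wrapper installer) and refuse to keep it unless its SHA-256 matches a digest
# obtained from the author's own site. Not code from the article or from the
# Nmap project; the URL and digest in the usage comment are placeholders.

sha256_of() {
    # Print the hex SHA-256 of the file named by $1.
    # Falls back to shasum on systems that lack sha256sum (e.g. macOS).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_download() {
    # verify_download FILE EXPECTED_SHA256
    # Returns 0 when the file's digest matches, 1 otherwise.
    # Digests copied from web pages come in either case, so normalise to lowercase.
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published digest"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

fetch_and_verify() {
    # fetch_and_verify URL EXPECTED_SHA256
    # Downloads to a temp file, verifies, and only then moves it into place.
    # A mismatch or a failed download leaves nothing behind to be run by accident.
    url=$1
    expected=$2
    out=$(basename "$url")
    tmp=$(mktemp) || return 1
    # -f: treat HTTP errors as failure; -L: follow the redirects most mirrors use.
    if ! curl -fsSL -o "$tmp" "$url"; then
        rm -f "$tmp"
        echo "download failed: $url" >&2
        return 1
    fi
    if verify_download "$tmp" "$expected"; then
        mv "$tmp" "$out"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Usage (placeholder URL and digest, not a real release):
#   fetch_and_verify https://example.invalid/nmap-setup.exe \
#       0000000000000000000000000000000000000000000000000000000000000000
```

The point of the temp-file-then-move ordering is that a wrapped or tampered binary never lands under the name you intended to double-click; the digest itself must come from somewhere other than the site you are downloading from, otherwise the check only proves the site is consistent with itself.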

"We've long known that malicious parties might try to distribute a trojan Nmap installer, but we never thought it would be CNET's, which is owned by CBS!" Lyon said. "And we never thought Microsoft would be sponsoring this activity!"

CNET has reportedly offered to let Lyon opt out of the Installer program, but Fyodor doesn't plan to stop there. Because CNET's wrapper uses Nmap's trademarked name and descriptive text, he may take legal action over a possible trademark violation.

"In addition to the deception and trademark violation, and potential violation of the Computer Fraud and Abuse Act, this clearly violates Nmap's copyright," he added. "This is exactly why Nmap isn't under the plain GPL. Our license specifically adds a clause forbidding software which 'integrates/includes/aggregates Nmap into a proprietary executable installer' unless that software itself conforms to various GPL requirements."

As of this writing, CNET and parent company CBS have not commented on the malware and copyright allegations.

Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then, he’s loved all things PC-related and cool gadgets ranging from the New Nintendo 3DS to Android tablets. He is currently a contributor at Digital Trends, writing about everything from computers to how-to content on Windows and Macs to reviews of the latest laptops from HP, Dell, Lenovo, and more. 

  • theconsolegamer
    MS involved... The media would go hard on MS as they did with Sony and the PSN issue? I don't think so.
  • olaf
    Well, it remains to be seen how much MS is involved, but the "tool"bar has been there for a while now; it has been annoying and thus counterproductive for a while now. Many other sites practice this, including Brothersoft and a few others. I am personally against it; I just find it vexing that it took people this long to do something about it.

    PS: even the F#%^@ DirectX installer comes with a pre-approved Bing toolbar. Google must be killing Bing, GOOD.
  • Maxor127
    I clicked the link feeling skeptical, but after reading the article, that's pretty f'ed up, and I hope CNET pays for it.
  • leafblower29
    They used to give you direct links to the downloads, now they have you download some weird installer to get the download.
  • tanjo
    That's why I always download from the author/dev's site if possible.
  • gti88
    Actually, it may be safer to download software from torrent trackers nowadays.
  • joytech22
    I HATE Cnet's new downloading tool.

    It's STUPID.
    I mean, at my college the internet is blocked for certain things, and they blocked Cnet because of that new download tool, which was tricking people at the college into downloading and installing toolbars and PUPs on the workstations.

    Cnet is a turn off now. For me anyway.. I almost never download from there.
  • Onus
    I hope Nmap takes CNet to the cleaners on this one. That's willful wrongdoing.
  • neon871
    I feel so Violated :-(
  • I don't understand: "The bad news is that security companies McAfee, Panda, F-Secure and seven others have determined the executable to be malware. Eight went so far as to label it as an actual Trojan."

    Given what the CNET wrapper includes that's not bad news, it's excellent news, and an indication that those companies are doing their job regardless of the source.

    Hopefully NMap can win in court and prevent CNet from continuing to use their product as a lure for CNet Malware....