Seclists.org has some interesting comments this morning about hidden malware on Cnet’s popular Download.com.

Gordon Lyon, more commonly known on the Internet as Fyodor, runs the Internet security resource sites Insecure.Org, Nmap.Org, SecLists.Org, and SecTools.Org and maintains the Nmap Security Scanner. On Seclists.org, he writes of what he sees as a growing cesspool on the popular Download.com site:

I’ve just discovered that C|Net’s Download.Com site has started wrapping their Nmap downloads (as well as other free software like VLC) in a trojan installer which does things like installing a sketchy “StartNow” toolbar, changing the user’s default search engine to Microsoft Bing, and changing their home page to Microsoft’s MSN.

The way it works is that C|Net’s download page (screenshot attached) offers what they claim to be Nmap’s Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap’s real installer.

Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn’t put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!

Fyodor notes that he’s not the only one to have come across this problem. Lee Mathews, an IT admin based in Manitoba, wrote about his own findings on the ExtremeTech site back in August. He wrote:

There was a time long, long ago when Download.com was the place I went for software. It’s been years, however, as the site repeatedly showed signs of devolving into a site every bit as bothersome as the many third-tier software repositories that hide genuine links below cleverly placed advertisements and bundle toolbars with their “certified” local downloads.

At Download.com, page designs have been repeatedly tweaked over the years to push its updater software (now called TechTracker), TrialPay offers, and the site’s mailing list. Bothersome, perhaps, but certainly not inexcusable. They’ve got to make money off the site somehow, after all, and banner ads don’t always do the job. Now, things have taken a turn for the worse: Cnet has begun wrapping downloads in a proprietary installer.

Wrapping installers is a terrible practice. For one thing, it can be a violation of a program’s distribution terms — but Download.com has no doubt ensured that its TOS states that if you let them mirror your files you’re giving them free rein. It’s also a serious slap in the face to users, who wind up not with a clean, genuine version of the installer they tried to download but a modified beast that shoves toolbar, home page, and default search engine changes down their throats.

But it gets worse. Cnet knows that there’s something wrong with what they’re doing, and they’re trying to deceive developers and users. On the Upload.com FAQ, there’s a note posted to let developers know why the bundling is taking place: “for the users.” Yes, Cnet thinks we’re clueless enough to believe that their motivation is really to provide users with a less painful download and installation process. Because opt-out toolbars and homepage changes make software setup less annoying.

Here’s the full FAQ from Cnet on this practice:

1. What is the CNET Download.com Installer?

The CNET Download.com Installer is a tiny ad-supported stub installer or “download manager” that helps securely deliver downloads from Download.com’s servers to the user’s device. The user is guaranteed that the file they install came from Download.com’s servers, and the simple and easy to follow steps help ensure that they complete their download and install the software.

2. Why is Download.com making this change?

Our testing has shown that as many as half of all people who initiate a download fail to complete the download and install their software. The Download.com Installer improves the process by stepping the user through their download and enabling them to more easily find and execute your software’s installer. Other download sites employ similar solutions, but we believe that ours provides more security and utility as well as better consumer protections.

3. How does the Download.com Installer improve the download experience?

By downloading with the Download.com Installer the user is guaranteed that the file they install on their system came directly from Download.com. Only software that is tested spyware-free and hosted on Download.com’s secure servers may be delivered via the Installer.

In addition, thanks to the clear steps provided by the Installer, the percentage of users who are able to complete the download process increases significantly when using the Installer for their downloads.

Finally, Download.com is supported primarily by advertising, and we include offers for additional downloads from advertisers as part of our Installer process. Unlike other download sites that employ similar ad-supported technologies, however, our Installer is limited to a single offer that is carefully screened to ensure compliance with the Download.com Software Policies.

4. Is all software on Download.com delivered via the Installer?

No. The Download.com Installer was rolled out in July 2011 to a limited number of Windows software downloads. At this time we are still evaluating its performance and incorporating feedback from the user and developer communities.

5. Is my direct download URL still available?

Yes. Users who wish to bypass the Download.com Installer may do so via the direct HTTP download URL that is provided below the main “Download Now” button. At this time we require users to be registered and logged in to access the direct download link.

6. Why are users seeing offers for additional software during the download?

The Download.com Installer is supported by offers for additional 3rd-party software. Users will encounter a single offer during their download, which is clearly disclosed and provides the option to accept or decline it before proceeding with the download. We only show offers for software that is approved for listing on Download.com and has undergone additional screening to ensure compliance with the Download.com Software Policies.

7. Are any additional items installed on the user’s machine?

The Download.com Installer does not install itself on the user’s system and does not leave behind any additional components. If the user accepts an offer for 3rd-party software during their download, the additional items that they’ve agreed to will be installed on their system.

8. Will there be additional reporting available with the Download.com Installer?

Yes. The Download.com Installer allows us to have a more comprehensive view of the download funnel, from the click on the Download Now button to the completion of download and installation of the file. We expect to have these additional reporting metrics available via the Upload.com reports.

9. Can I opt out of the CNET Download.com Installer?

Yes. If you would like to opt out of the Download.com Installer you can submit a request to cnet-installer@cbsinteractive.com. All opt-out requests are carefully reviewed on a case-by-case basis. At this time we are automatically excluding Premium listings as well as PPD advertisers.

10. Who do I contact with further questions about the Download.com Installer?

If you have additional questions or concerns related to the Download.com Installer please contact Upload.com support.

So what do you think? Is this installer as insidious as the folks above suggest, or is the problem overblown?

I’ll start the comment thread by simply noting that I’ve followed the writings of Fyodor and Mathews for some time now, and I find them both to be trustworthy sources. I have nothing against Cnet, and I too have used Download.com plenty of times over the years, though I haven’t been there of late. I do think, after reading that FAQ, that Cnet’s response to the concerns people have is inadequate and somewhat rude. But that’s just me.

–Bill Brenner