


Has Download.com become Desolation Boulevard?

Dec 06, 2011
Data and Information Security has some interesting comments this morning about hidden malware on Cnet’s popular

Gordon Lyon, more commonly known on the Internet as Fyodor, runs the Internet security resource sites Insecure.Org, Nmap.Org, SecLists.Org, and SecTools.Org and maintains the Nmap Security Scanner.

He writes of what he sees as a growing cesspool on the popular site:

I’ve just discovered that C|Net’s Download.Com site has started wrapping their Nmap downloads (as well as other free software like VLC) in a trojan installer which does things like installing a sketchy “StartNow” toolbar, changing the user’s default search engine to Microsoft Bing, and changing their home page to Microsoft’s MSN.

The way it works is that C|Net’s download page (screenshot attached) offers what they claim to be Nmap’s Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap’s real installer.

Of course the problem is that users often just click through installer screens, trusting that Download.com gave them the real installer and knowing that the Nmap project wouldn’t put malicious code in our installer.

Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!
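Fyodor’s point that the download page shows the correct file size while delivering a different binary is the reason a file size is never enough to verify a download. The check a practitioner actually wants is a comparison of the file as received against the digest the project itself publishes. The script below is an added example, not code from the original post or from the Nmap project; the installer bytes, the manifest values and the file name nmap-setup.exe are all constructed stand-ins, not Nmap’s real release data.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a vendor's official installer. In practice the
# size and digest below would come from the project's own release page,
# fetched separately from the download mirror, never from the mirror itself.
GENUINE_INSTALLER = b"MZ\x90\x00" + b"genuine nmap installer payload " * 64

# Constructed "published manifest": what the project says the file should be.
PUBLISHED_MANIFEST = {
    "nmap-setup.exe": {
        "size": len(GENUINE_INSTALLER),
        "sha256": hashlib.sha256(GENUINE_INSTALLER).hexdigest(),
    }
}

# Constructed stand-in for a third-party stub/download-manager that carries
# its own code and only fetches the real installer later. Different size.
STUB_INSTALLER = b"MZ\x90\x00" + b"download-manager stub " * 50

# Constructed file that has the *same size* as the genuine installer but
# different content. A size-only check (what the download page advertises)
# would pass this; the digest check does not.
TAMPERED_SAME_SIZE = GENUINE_INSTALLER[:-5] + b"XXXXX"


@dataclass
class VerifyResult:
    ok: bool
    reason: str


def verify_installer(name: str, data: bytes, manifest: dict) -> VerifyResult:
    """Compare the bytes actually received with the published size and SHA-256.

    Size is checked first only because it is cheap and gives a clear error;
    the SHA-256 comparison is the check that carries the security weight.
    """
    entry = manifest.get(name)
    if entry is None:
        return VerifyResult(False, f"{name} not in published manifest")
    if len(data) != entry["size"]:
        return VerifyResult(
            False, f"size mismatch: got {len(data)}, expected {entry['size']}"
        )
    digest = hashlib.sha256(data).hexdigest()
    # Constant-time comparison avoids leaking how many leading characters match.
    if not hmac.compare_digest(digest, entry["sha256"]):
        return VerifyResult(False, "sha256 mismatch")
    return VerifyResult(True, "size and sha256 match published manifest")


def verify_file(path: str, name: str, manifest: dict) -> VerifyResult:
    """Same check for a file on disk, read in chunks so large installers fit."""
    entry = manifest.get(name)
    if entry is None:
        return VerifyResult(False, f"{name} not in published manifest")
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            size += len(chunk)
            h.update(chunk)
    if size != entry["size"]:
        return VerifyResult(False, f"size mismatch: got {size}, expected {entry['size']}")
    if not hmac.compare_digest(h.hexdigest(), entry["sha256"]):
        return VerifyResult(False, "sha256 mismatch")
    return VerifyResult(True, "size and sha256 match published manifest")


if __name__ == "__main__":
    for label, blob in [
        ("genuine", GENUINE_INSTALLER),
        ("stub wrapper", STUB_INSTALLER),
        ("same-size tamper", TAMPERED_SAME_SIZE),
    ]:
        r = verify_installer("nmap-setup.exe", blob, PUBLISHED_MANIFEST)
        print(f"{label:17s} ok={r.ok!s:5s} {r.reason}")
```

The third case is the one the post is really about: a file whose size matches the advertised value still fails, because only the digest ties the bytes to what the project released. On Windows the complementary check is the installer’s Authenticode signature, which identifies who signed the binary; that is not shown here.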

Fyodor notes that he’s not the only one to have come across this problem. Lee Mathews, an IT admin based in Manitoba, wrote about his own findings on the ExtremeTech site back in August. He wrote:

There was a time long, long ago when Download.com was the place I went for software. It’s been years, however, as the site repeatedly showed signs of devolving into a site every bit as bothersome as the many third-tier software repositories that hide genuine links below cleverly placed advertisements and bundle toolbars with their “certified” local downloads.

At Download.com, page designs have been repeatedly tweaked over the years to push its updater software (now called TechTracker), TrialPay offers, and the site’s mailing list. Bothersome, perhaps, but certainly not inexcusable. They’ve got to make money off the site somehow, after all, and banner ads don’t always do the job. Now, things have taken a turn for the worse: Cnet has begun wrapping downloads in a proprietary installer.

Wrapping installers is a terrible practice. For one thing, it can be a violation of a program’s distribution terms — but Download.com has no doubt ensured that its TOS states that if you let them mirror your files you’re giving them free rein. It’s also a serious slap in the face to users, who wind up not with a clean, genuine version of the installer they tried to download but a modified beast that shoves toolbar, home page, and default search engine changes down their throats.

But it gets worse. Cnet knows that there’s something wrong with what they’re doing, and they’re trying to deceive developers and users. On the FAQ, there’s a note posted to let developers know why the bundling is taking place: “for the users.” Yes, Cnet thinks we’re clueless enough to believe that their motivation is really to provide users with a less painful download and installation process. Because opt-out toolbars and homepage changes make software setup less annoying.

Here’s the full FAQ from Cnet on this practice:

1. What is the CNET Installer?

The CNET Installer is a tiny ad-supported stub installer or “download manager” that helps securely deliver downloads from Download.com’s servers to the user’s device. The user is guaranteed that the file they install came from Download.com’s servers, and the simple and easy to follow steps help ensure that they complete their download and install the software.

2. Why is Download.com making this change?

Our testing has shown that as many as half of all people who initiate a download fail to complete the download and install their software. The Installer improves the process by stepping the user through their download and enabling them to more easily find and execute your software’s installer. Other download sites employ similar solutions, but we believe that ours provides more security and utility as well as better consumer protections.

3. How does the Installer improve the download experience?

By downloading with the Installer the user is guaranteed that the file they install on their system came directly from Download.com. Only software that is tested spyware-free and hosted on Download.com’s secure servers may be delivered via the Installer.

In addition, thanks to the clear steps provided by the Installer, the percentage of users who are able to complete the download process increases significantly when using the Installer for their downloads.

Finally, Download.com is supported primarily by advertising, and we include offers for additional downloads from advertisers as part of our Installer process. Unlike other download sites that employ similar ad-supported technologies, however, our Installer is limited to a single offer that is carefully screened to ensure compliance with the Software Policies.

4. Is all software on Download.com delivered via the Installer?

No. The Installer was rolled out in July 2011 to a limited number of Windows software downloads. At this time we are still evaluating its performance and incorporating feedback from the user and developer communities.

5. Is my direct download URL still available?

Yes. Users who wish to bypass the Installer may do so via the direct HTTP download URL that is provided below the main “Download Now” button. At this time we require users to be registered and logged in to access the direct download link.

6. Why are users seeing offers for additional software during the download?

The Installer is supported by offers for additional 3rd-party software. Users will encounter a single offer during their download, which is clearly disclosed and provides the option to accept or decline it before proceeding with the download. We only show offers for software that is approved for listing on Download.com and has undergone additional screening to ensure compliance with the Software Policies.

7. Are any additional items installed on the user’s machine?

The Installer does not install itself on the user’s system and does not leave behind any additional components. If the user accepts an offer for 3rd-party software during their download, the additional items that they’ve agreed to will be installed on their system.

8. Will there be additional reporting available with the Installer?

Yes. The Installer allows us to have a more comprehensive view of the download funnel, from the click on the Download Now button to the completion of download and installation of the file. We expect to have these additional reporting metrics available via the reports.

9. Can I opt out of the CNET Installer?

Yes. If you would like to opt out of the Installer you can submit a request to All opt-out requests are carefully reviewed on a case-by-case basis.

At this time we are automatically excluding Premium listings as well as PPD advertisers.

10. Who do I contact with further questions about the Installer?

If you have additional questions or concerns related to the Installer please contact support.

So what do you think? Is this installer as insidious as the folks above suggest, or is the problem overblown? I’ll start the comment thread by simply noting that I’ve followed the writings of Fyodor and Mathews for some time now, and I find them both to be trustworthy sources.

I have nothing against Cnet, and I too have used Download.com plenty of times over the years, though I haven’t been there of late.

I do think, after reading that FAQ, that Cnet’s response to the concerns people have is inadequate and somewhat rude. But that’s just me.

–Bill Brenner
