CNet is tangled in allegations of wrapping bloatware, malware and Trojans in the Windows installer for free programs available at CNet Download.com. Gordon Lyon, better known as Fyodor, announced on Seclists that C|Net Download.Com is now bundling Nmap with malware!

Some in the security community are ticked off, or at least disgusted, about the treatment of the pen-testing network mapping tool Nmap after Fyodor's announcement. Fyodor alerted users that the Windows installer for Nmap and other open source programs like VLC wraps bloatware, malware, and Trojans in otherwise legitimate and free software. According to post #5 on CNet's Download.com forum discussion, the CNET installer changes were made to "improve security and reliability of downloads." Users trust CNet downloads, which claims more than 2.5 million daily downloads, and most won't take the time to opt out before the installer loads junk on their box.

Fyodor, the creator of Nmap, wrote:

"Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them! I took and attached a screen shot of the C|Net trojan Nmap installer in action. Note how they use our registered "Nmap" trademark in big letters right above the malware "special offer" as if we somehow endorsed or allowed this. Of course they also violated our trademark by claiming this download is an Nmap installer when we have nothing to do with the proprietary trojan installer. In addition to the deception and trademark violation, and potential violation of the Computer Fraud and Abuse Act, this clearly violates Nmap's copyright."

"CNet knows that there's something wrong with what they're doing, and they're trying to deceive developers and users," according to ExtremeTech. The installer allegedly does not spy on your computer and can be completely removed by deleting the installer from the computer, but since the "SAFE, TRUSTED, AND SPYWARE FREE" promise has been removed, I asked CNet and CBS Interactive how wrapping installers and bundling bloatware could possibly be construed as benefiting users or developers. No surprise, there was no reply, and also no surprise that the CNet-wrapped installer version of Nmap is identified as malware by 10 of 42 scanners.

After numerous attempts to get a reply from CNet Download.com editors, CBS Interactive, and even Microsoft, let's just open fire. Not only is wrapping installers an appalling idea, it's a horrible security practice. Furthermore, requiring users to opt out instead of opt in is also an extremely poor way to handle privacy. Neither CNET Download.com editors nor CBS Interactive offered any comment on any of the allegations or on Fyodor's CFAA and copyright accusations. There was only the chirping of crickets after asking them both, "How is wrapping a Trojan in the Nmap installer an improvement to security?"

The same bundled-with-crapware download happened to Wireshark, until the Wireshark open source director sent a cease and desist letter to CBS. Others discussing the Nmap issue on Seclists have suggested sending a DMCA takedown, getting download.com listed on StopBadware, and reporting the malware to get the site blacklisted on Google.
I'd like to echo Fyodor: "Also, shame on Microsoft for paying C|Net to trojan open source software!" (See the update at the end of this article for Microsoft's comment regarding Fyodor's claim that Microsoft is "paying C|Net to Trojan open source software.") Sophos Naked Security also believes this is a "poor security practice" and that "taking someone else's work, even if it is open source and free, and using it as a drawcard for your own unrelated commercial purposes, is just plain unfair."

According to the CNet Download.com Installer FAQ: "If you would like to opt out of the Download.com Installer you can submit a request to CNet-installer@cbsinteractive.com. All opt-out requests are carefully reviewed on a case-by-case basis."

You might want to steer clear of CNet's Download.com if you still don't have Nmap or any of the other top 125 tools listed on SecTools, which is like a "Yelp for security tools." Meanwhile, if you know a great copyright attorney in the U.S., Fyodor is looking for one.

Update: After this was written, CNet sent this reply: "We value your comments and have forwarded them on to our managers. Our goal is to make CNET an easy to use, friendly and safe site that helps people find and learn about the latest tech and consumer electronics." Safe? Yeah right, bundling malware, crapware and Trojans in downloads is neither cool nor safe.

Microsoft Director of Bing Bill Hankes replied as well.

Q: Can you see if Microsoft would like to offer any comment regarding Microsoft "paying C|Net to trojan open source software"?

A: "No. Microsoft partners with a distributor who provides Bing search services within their product. This product was downloaded through a separate partnership with CNET."

"We recently became aware of a CNET software bundling issue involving search services from one of our distribution partners. In this case, it appears that CNET bundled the search services of one of our distribution partners with other software. 
We are working closely with our partner to help protect customers and in the meantime, our partner has suspended operations with CNET until this issue has been remedied," wrote Bill Hankes, Director, Bing.

Follow me on Twitter @PrivacyFanatic