
Download.com Caught Adding Malware to Nmap & Other Software

Last Update: June 27, 2012—see the updates section

Executive Summary

CNET Download.com was caught adding spyware, adware, and other malware to thousands of software packages that they distribute, including our Nmap Security Scanner. They do this even though it clearly violates their own anti-adware policy (update: they have now removed the anti-adware/spyware promise from the page).

After widespread criticism of the practice, Download.com removed their rogue installer from Nmap and some other software, but they still use it widely and have announced plans to expand it.

For these reasons, we suggest avoiding CNET Download.com entirely. It is safer to download apps from their official sites or more ethical aggregators such as FileHippo, NiNite, or Softpedia.

Summary

CNET's Download.com is one of the most popular (currently ranked #174 worldwide by Alexa) and longest-running (it has been around since 1996) major sites on the Internet. As a download repository, their key value add was that they screened software to avoid malware, spyware, adware, viruses and other harmful content that certain shady software contains. Even many security experts recommended them as a safe place to download software online. Download.com is run by CNET, which is part of the $17 billion CBS media empire. Many people assumed that a major site like this wouldn't resort to unethical monetization schemes like adding spyware and other malware to their downloads.

Unfortunately, those people were wrong. In August 2011, Download.com was taken on a new path by their General Manager and V.P. Sean Murphy. They started wrapping legitimate third-party software into their own installer, which by default installs a wide variety of adware and other questionable software on users' machines. It also does things like redirect user search queries and change their Internet home page. At first their installer forced people to accept the malware or close the installer (see screen shot of infected VLC installer in this article). Later they added a non-default "decline" button hidden away on the left side of the panel. Also, the initial installer shown in the previous screen shot claimed the software was “SAFE, TRUSTED, AND SPYWARE FREE”. In an unusual show of honesty, they removed that claim from the rogue installer.

While it is common for internet criminals to infect software installers in this way, we never expected it from a previously reputable site like Download.com, especially given their “Download.com Adware & Spyware Notice” which, until early 2012, said:

In your letters, user reviews, and polls, you told us bundled adware was unacceptable--no matter how harmless it might be. We want you to know what you're getting when you download from CNET Download.com, and no other download site can promise that.

and ...
every time you download software from Download.com, you can trust that we've tested it and found it to be adware-free.

It is unbelievable and reprehensible that they could make these claims of being adware, malware, and spyware free at the same time that they are actually adding adware and malware to the packages they distribute! Unfortunately, instead of ceasing the reprehensible behavior, they just changed their policy in early 2012 to remove the pledges quoted above.

Here is an example from an installer screen added by CNET Download.com which (if the user isn't vigilant enough to catch the small print I've circled below and press the decline button) will infect their machine:

It is bad enough when software authors include toolbars and other unwanted apps bundled with their software. But having Download.com insert such things into third-party installers is even more insidious. When users find their systems hosed (searches redirected, home pages changed, new hard-to-uninstall toolbars taking up space in their browser) after installing software, they are likely to blame the software authors. But in this case it is entirely Download.com's fault for infecting the installers! So while Download.com takes the payment for exploiting their users' trust and infecting the machines, it is the software authors who wrongly take the blame! Of course it is users who pay the ultimate price of having their systems infected just to make a few bucks for CNET.

They're even using the trojan for children's software such as the Kea Coloring Book! Have they no shame?

The Nmap Connection

The Nmap Security Scanner is a free and open source utility used by millions of people for network discovery, administration, inventory, and security auditing. It was developed by Gordon Lyon (A.K.A. Fyodor) in 1997 and he has been working to improve it ever since. Nmap has always been distributed free of charge without adware or malware of any kind, so you can imagine how upset Fyodor was when he found out that Download.com was betraying his users' trust by adding malware to the Nmap installer. Particularly because Download.com makes it look like users are getting the real Nmap installer, and they even put the trademarked Nmap name next to the “special offer” which infects users' machines (see the screen shot above). He verified the problem and sent a strongly worded warning to Nmap users worldwide. That post also includes screen shots of the infection screen and virus scanner results showing that many anti-virus scanners already recognize and flag the CNET-provided malware.

News Reports

Fyodor's original post went viral, spread by many angry users who were betrayed by Download.com's false promises of clean downloads. Here are some reasonably detailed (or with many comments) English articles:

Updates

Here are some updates from Fyodor since this brouhaha started with his initial December 5, 2011 email:
  • June 27, 2012: Download.com complies with our request to remove Nmap entirely from their system.

  • Apr 24, 2012: Updated this page to note that they have removed their former pledge not to install adware and spyware on users' machines (see the summary section).

  • Dec 17, 2011: Added an executive summary to this page.

  • Dec 12: Added new InfoWorld article, which notes that the Metasploit Project has pulled their software from Download.com over this issue. Also added article #1 and article #2 about the CISO group calling for a boycott of CNET and Download.com. Also added a great Network World article: Download Wrappers Are Wrong, Doubly Wrong With Open Source.

  • Dec 11: Added links to articles from Boing Boing, eEye Digital Security, and Triona's Tech Tips

  • Dec 9: Sean Murphy (Download.com General Manager) posted another apology. But despite admitting that they “screwed up” and declaring that they “sincerely apologize to our users and to our developer community”, they continue to distribute malware and adware to their users. They say that they will stop bundling open source software with the trojan installer, but they need to stop all installer bundling, including non-open source software. For example, they still use the trojan installer for the games Age of Empires II: The Age of Kings and Need for Speed Underground 2. Apologizing for bad behavior only helps if you actually stop the behavior!

  • Dec 9: The Electronic Frontier Foundation, a tireless defender of users' rights, has come out strongly against this malware bundling! Computer World also put out a great new article: Open Source Trust Abused.

  • Dec 9: I thought Download.com would try to behave for at least a few days while the heat is on, but they're already back to distributing malware. The trojan installer now tries to install something called Drop Down Deals on your computer (screen shot). This handy application spies on all of your web traffic in order to pop up ads when you visit certain sites. Even their own privacy policy admits that they "may collect and analyze your usage patterns such as which sites you visit" and that your browsing history "may be shared with third parties". In case that isn't enough, they "may also collect your Facebook username and user ID". And that is just the activity they openly admit to.

  • Dec 8: Added some articles about the Download.com statement: Heise Online, Kaspersky Labs Threatpost, The Register, Slashdot, Hacker News, Linux Weekly News

  • Dec 7: Download.com V.P. and General Manager Sean Murphy (who seems to be the main culprit in creating this program) issued a statement on the issue. He promises to make minor changes, but:

    • He claims that bundling malware with Nmap was a “mistake on our part” and “we reviewed all open source files in our catalog to ensure none are being bundled.” Either that is a lie, or they are totally incompetent, because open source software is still being bundled. You can read the comments below his post for many examples.
    • Even if they had removed the malware bundling from open source software, what about all of the other free (but not open source) Windows software out there? They shouldn't infect any 3rd party software with sketchy toolbars, search engine redirectors, etc.
    • At the same time that Sean sent the “apology” to users, he sent this very different note to developers. He says they are working on a new expanded version of the rogue installer and “initial feedback from developers on our new model has been very positive and we are excited to bring this to the broader community as soon as possible”. He tries to mollify developers by promising to give them a cut (“revenue share”) of the proceeds from infecting their users.
    • You no longer need to register and log in to get the small (non-trojan) “direct download” link, but the giant green download button still exposes users to malware.
    • The Download.com Adware & Spyware Notice still says “every time you download software from Download.com, you can trust that we've tested it and found it to be adware-free.” How can they say that while they are still adding their own adware? At least they removed the statement from their trojan installer that it is “SAFE, TRUSTED, AND SPYWARE FREE”.
  • Dec 6: Microsoft contacted me to say:

    We saw the message you sent to the nmap-hackers mailing list a few days ago. Thanks for spotting this—we were unaware of the bundling issue you identified. It does appear CNET bundled the search services of one of our distribution partners with other software. In the meantime, our partner has suspended operations with CNET until this issue has been remedied.
    This is probably why CNET switched to installing the Babylon Toolbar yesterday. This is a good and welcome move by Microsoft, but the whole process of paying “distribution partners” to change a user's home page to MSN and search engine to Bing is rather sketchy. At a minimum, this distribution partner should be terminated. Creating a great search engine is a better way to attract users to Bing.
  • Dec 6: The adware pushed by Download.com has changed again. Now the installer is promoting CNET's own "TechTracker" software. Either they are doing this (rather than the more egregious malware they were installing earlier) to lie low while the heat dies down, or they've become so toxic that even sketchy toolbar vendors won't deal with them. But if CNET isn't stopped, the malware vendors will come crawling back soon enough and CNET will be there to receive them.

  • Dec 6: Sometime last night, Download.com quietly replaced their rogue Nmap installer with a link to the official Nmap installer. While I'm glad they have currently removed the trojan installer for Nmap, they need to remove it for all of the software, not just those of us who cause enough bad press to shame them into it. Here is some popular software that still has the trojan download enabled: Kea Coloring Book (children's software), Need for Speed Underground 2 (game), and Age of Empires II: The Age of Kings (game).

  • Dec 5: The rogue installer uses your internet connection to decide what malware to install. It has now started installing the Babylon Toolbar rather than the Microsoft Bing stuff.

  • Dec 5: Gerald Combs, project leader for the popular Wireshark protocol analyzer, sent a cease-and-desist letter to CNET and they removed the rogue installer (only for his software). He's the one who notified Fyodor about this rogue CNET behavior in the first place.

Goal and Demand of this page

After all the bad press, CNET has (at least for now) removed the trojan installer for Nmap. But they could bring it back at any time, and they still infect thousands of other software packages.

My demand is that CNET stop doing this for ALL of the software they distribute, not just those who are able to generate enough bad PR for them.

If Download.com doesn't stop, I plan to continue spreading the word about their reprehensible behavior. You can help by linking to and sharing this page, contacting anyone you know at CNET or Download.com, and of course never using or recommending Download.com to anyone! There are many superior alternatives, including FileHippo, NiNite, and Softpedia. Of course you can download apps from their official sites too!

Infection Mechanism

The way it works is that CNET's Nmap download page (screen shot) offers what they claim to be Nmap's Windows installer. They even provide the correct file size for our official installer. But users actually get a CNET-created trojan installer. That program first communicates over the user's internet connection to decide what sort of adware/spyware/malware to "offer" for installation. The first screen of the rogue installer just claims that the software "is virus and spyware free" and has the user click the big green button to continue. The next screen (screenshot1, shot2) is the tricky one. If they click on the green button again this time, it will (in these two examples) change their home page, redirect their search queries, and install a sketchy and hard-to-remove browser toolbar.

The problem is that users often just click through installer screens, trusting that Download.com gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, a Microsoft home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!
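The mechanism above has a practical lesson for anyone installing software from an aggregator: the file size shown on the download page matched the official installer, yet the bytes delivered were a different program. Size is therefore not evidence of authenticity; only a cryptographic hash or signature published by the project itself is. The following Python is an added example (it is not Nmap project code) showing how a verifier should treat that case. The installer bytes, the published size and the published hash are all constructed stand-ins; in real use you would read the downloaded file and take the expected SHA-256 from the project's own site over HTTPS, never from the page that served the download.

```python
"""Verify a downloaded installer against a hash published by the project.

Added example, not part of the Nmap project. The sample bytes below are
constructed stand-ins for an official installer and for a third-party
wrapper of exactly the same size; PUBLISHED_SIZE and PUBLISHED_SHA256 play
the role of values fetched from the project's own site.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the whole file as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_installer(data: bytes, expected_size: int, expected_sha256: str) -> dict:
    """Check a downloaded file against the size and hash the project published.

    Returns a dict with 'ok' plus a list of 'reasons' for any rejection.
    The size check is kept only because it is cheap and catches truncated
    downloads; it must never be the deciding check, since a wrapper can be
    any size its author chooses. The hash is what identifies the file.
    """
    reasons = []
    if len(data) != expected_size:
        reasons.append(f"size mismatch: got {len(data)}, expected {expected_size}")
    actual = sha256_hex(data)
    # compare_digest avoids a timing side channel; not important for a local
    # file check, but a good habit whenever digests are compared.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        reasons.append(f"sha256 mismatch: got {actual}, expected {expected_sha256}")
    return {"ok": not reasons, "size": len(data), "sha256": actual, "reasons": reasons}


# --- constructed sample data (not real installers) -----------------------
# Both start with the "MZ" PE magic and are 1026 bytes long, so a size-only
# check cannot tell them apart; only the content differs.
OFFICIAL_INSTALLER = b"MZ" + bytes(range(256)) * 4
WRAPPER_INSTALLER = b"MZ" + bytes(reversed(range(256))) * 4

# Stand-ins for the values the project publishes on its own site.
PUBLISHED_SIZE = len(OFFICIAL_INSTALLER)
PUBLISHED_SHA256 = sha256_hex(OFFICIAL_INSTALLER)


def demo():
    """Run the verifier on the genuine file and on the same-size wrapper."""
    good = verify_installer(OFFICIAL_INSTALLER, PUBLISHED_SIZE, PUBLISHED_SHA256)
    bad = verify_installer(WRAPPER_INSTALLER, PUBLISHED_SIZE, PUBLISHED_SHA256)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("official installer accepted:", good["ok"], good["reasons"])
    print("wrapper accepted:          ", bad["ok"], bad["reasons"])
```

The wrapper passes the size check and fails only on the hash, which is exactly the situation the Download.com page produced. On Windows the same idea applies to code signing: a wrapper built by a third party cannot carry the project's own Authenticode signature, so `Get-AuthenticodeSignature` in PowerShell on the downloaded file is a second check worth making before running any installer obtained from an aggregator.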
