Download.com Caught Adding Malware to Nmap & Other Software

Last Update: June 27, 2012—see the updates section

Executive Summary

CNET Download.com was caught adding spyware, adware, and other malware to thousands of software packages that they distribute, including our Nmap Security Scanner. They do this even though it clearly violates their own anti-adware policy (update: they have now removed the anti-adware/spyware promise from the page).

After widespread criticism of the practice, Download.com removed their rogue installer from Nmap and some other software, but they still use it widely and have announced plans to expand it.

For these reasons, we suggest avoiding CNET Download.com entirely. It is safer to download apps from their official sites or more ethical aggregators such as FileHippo, NiNite, or Softpedia.

Summary

CNET's Download.com is one of the most popular (currently ranked #174 worldwide by Alexa) and longest-running (around since 1996) major sites on the Internet. As a download repository, their key value-add was that they screened software to avoid the malware, spyware, adware, viruses, and other harmful content that certain shady software contains. Even many security experts recommended them as a safe place to download software online. Download.com is run by CNET, which is part of the 17-billion-dollar CBS media empire. Many people assumed that a major site like this wouldn't resort to unethical monetization schemes like adding spyware and other malware to their downloads.

Unfortunately, those people were wrong. In August 2011, Download.com was taken on a new path by their General Manager and V.P. Sean Murphy. They started wrapping legitimate third-party software into their own installer, which by default installs a wide variety of adware and other questionable software on users' machines. It also does things like redirecting user search queries and changing their Internet home page. At first their installer forced people to accept the malware or close the installer (see the screen shot of the infected VLC installer in this article). Later they added a non-default "decline" button hidden away on the left side of the panel. Also, the initial installer shown in the previous screen shot claimed the software was “SAFE, TRUSTED, AND SPYWARE FREE”. In an unusual show of honesty, they removed that claim from the rogue installer.

While it is common for internet criminals to infect software installers in this way, we never expected it from a previously reputable site like Download.com, especially given their “Download.com Adware & Spyware Notice” which, until early 2012, said:

In your letters, user reviews, and polls, you told us bundled adware was unacceptable--no matter how harmless it might be. We want you to know what you're getting when you download from CNET Download.com, and no other download site can promise that.

and ...
every time you download software from Download.com, you can trust that we've tested it and found it to be adware-free.

It is unbelievable and reprehensible that they could make these claims of being adware, malware, and spyware free at the same time that they were actually adding adware and malware to the packages they distribute! Unfortunately, instead of ceasing the reprehensible behavior, they just changed their policy in early 2012 to remove the pledges quoted above.

Here is an example from an installer screen added by CNET Download.com which (if the user isn't vigilant enough to catch the small print I've circled below and press the decline button) will infect their machine:

It is bad enough when software authors include toolbars and other unwanted apps bundled with their software. But having Download.com insert such things into third-party installers is even more insidious. When users find their systems hosed (searches redirected, home pages changed, new hard-to-uninstall toolbars taking up space in their browser) after installing software, they are likely to blame the software authors. But in this case it is entirely Download.com's fault for infecting the installers! So while Download.com takes the payment for exploiting their users' trust and infecting their machines, it is the software authors who wrongly take the blame! Of course it is users who pay the ultimate price of having their systems infected just to make a few bucks for CNET.

They're even using the trojan for children's software such as the Kea Coloring Book! Have they no shame?

The Nmap Connection

The Nmap Security Scanner is a free and open source utility used by millions of people for network discovery, administration, inventory, and security auditing. It was developed by Gordon Lyon (A.K.A. Fyodor) in 1997 and he has been working to improve it ever since. Nmap has always been distributed free of charge without adware or malware of any kind, so you can imagine how upset Fyodor was when he found out that Download.com was betraying his users' trust by adding malware to the Nmap installer. This is particularly galling because Download.com makes it look like users are getting the real Nmap installer, and they even put the trademarked Nmap name next to the “special offer” which infects users' machines (see the screen shot above). He verified the problem and sent a strongly worded warning to Nmap users worldwide. That post also includes screen shots of the infection screen and virus scanner results showing that many anti-virus scanners already recognize and flag the CNET-provided malware.

News Reports

Fyodor's original post went viral, spread by many angry users who were betrayed by Download.com's false promises of clean downloads. Here are some reasonably detailed (or with many comments) English articles:

Updates

Here are some updates from Fyodor since this brouhaha started with his initial December 5, 2011 email:

Goal and Demand of this page

After all the bad press, CNET has (at least for now) removed the trojan installer for Nmap. But they could bring it back at any time, and they still infect thousands of other software packages.

My demand is that CNET stop doing this for ALL of the software they distribute, not just those who are able to generate enough bad PR for them.

If Download.com doesn't stop, I plan to continue spreading the word about their reprehensible behavior. You can help by linking to and sharing this page, contacting anyone you know at CNET or Download.com, and of course never using or recommending Download.com to anyone! There are many superior alternatives, including FileHippo, NiNite, and Softpedia. Of course you can download apps from their official sites too!

Infection Mechanism

It works like this: CNET's Nmap download page (screen shot) offers what they claim to be Nmap's Windows installer. They even display the correct file size for our official installer. But what users actually get is a CNET-created trojan installer. That program first communicates over the user's internet connection to decide what sort of adware/spyware/malware to "offer" for installation. The first screen of the rogue installer simply claims that the software "is virus and spyware free" and has the user click the big green button to continue. The next screen (screenshot1, shot2) is the tricky one. If they click the green button again this time, it will (in these two examples) change their home page, redirect their search queries, and install a sketchy and hard-to-remove browser toolbar.

The problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!
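The displayed file size is the only "evidence" of authenticity the download page gives, and a wrapper padded to the same size satisfies it. The following Python script is an added example (it is not code from the Nmap project or from this page) showing the checks a cautious user can run on a downloaded installer instead: compare its SHA-256 against a checksum obtained from the publisher's own site over HTTPS, and inspect the PE header to see whether the file carries an Authenticode certificate block at all. The checksum, the two sample "installers" and the minimal PE headers are constructed for the demonstration; whether any particular publisher signs its installer is an assumption, and the certificate-table check only reports presence, not validity, so a signed wrapper would still have to be caught by the hash comparison.

```python
"""Integrity checks for a downloaded Windows installer.

Added example, not the Nmap project's own code. Demonstrates that a matching
file size proves nothing, while a SHA-256 published by the software author
(assumed to exist; the value below is constructed) and a look at the PE
Certificate Table give a usable signal.
"""
import hashlib
import struct


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file contents, to compare with the publisher's value."""
    return hashlib.sha256(data).hexdigest()


def pe_has_certificate_table(data: bytes) -> bool:
    """True if a PE file has a non-empty Certificate Table (data directory
    entry 4, IMAGE_DIRECTORY_ENTRY_SECURITY). Presence only: this does not
    verify the signature or identify the signer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt_off = e_lfanew + 4 + 20            # optional header follows the 20-byte COFF header
    if len(data) < opt_off + 2:
        return False
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:                      # PE32: data directories start 96 bytes in
        dirs_off = opt_off + 96
    elif magic == 0x20B:                    # PE32+: data directories start 112 bytes in
        dirs_off = opt_off + 112
    else:
        return False
    entry_off = dirs_off + 4 * 8            # entry 4, each entry is (RVA, size)
    if len(data) < entry_off + 8:
        return False
    rva, size = struct.unpack_from("<II", data, entry_off)
    return rva != 0 and size != 0


def verify_download(data: bytes, expected_size: int, expected_sha256: str) -> dict:
    """Independent checks on a download. Trust it only if all pass; the size
    check is the one a same-size wrapper satisfies on its own."""
    return {
        "size_matches": len(data) == expected_size,
        "sha256_matches": sha256_hex(data) == expected_sha256.lower(),
        "has_signature_block": pe_has_certificate_table(data),
    }


def build_fake_pe(payload: bytes, signed: bool) -> bytes:
    """Constructed test data: a minimal PE32 header (not a real installer),
    optionally with a non-empty Certificate Table entry."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (96 - 2)
    dirs = [(0, 0)] * 16
    if signed:
        dirs[4] = (0x400, 0x800)            # non-zero RVA/size = certificate block present
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + coff + opt + payload


# Constructed samples: the publisher's file and a wrapper padded to the same size.
OFFICIAL = build_fake_pe(b"official-installer-payload", signed=True)
WRAPPER = build_fake_pe(b"rogue-wrapper-payload-----", signed=False)
EXPECTED_SIZE = len(OFFICIAL)               # what the download page shows
EXPECTED_SHA256 = sha256_hex(OFFICIAL)      # what the publisher's site would list

if __name__ == "__main__":
    for name, blob in (("official", OFFICIAL), ("wrapper", WRAPPER)):
        print(name, verify_download(blob, EXPECTED_SIZE, EXPECTED_SHA256))
```

Run it and the wrapper reports `size_matches: True` but fails the hash and signature checks; a real download should be checked the same way, with the expected hash taken from the author's site rather than from the page that served the file.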