CNET's Download.com is one of the most popular (currently ranked #174 worldwide by Alexa) and longest-running (been around since 1996) major sites on the Internet. As a download repository, their key value add was that they screened software to avoid malware, spyware, adware, viruses and other harmful content that certain shady software contains. Even many security experts recommended them as a safe place to download software online. Download.com is run by CNET, which is part of the 17-billion dollar CBS media empire. Many people assumed that a major site like this wouldn't resort to unethical monetization schemes like adding spyware and other malware to their downloads.
Unfortunately, those people were wrong. In August 2011, Download.com was taken on a new path by their General Manager and V.P. Sean Murphy. They started wrapping legitimate 3rd party software into their own installer which by default installs a wide variety of adware and other questionable software on users' machines. It also does things like redirect user search queries and change their Internet home page. At first their installer forced people to accept the malware or close the installer (see screen shot of infected VLC installer in this article). Later they added a non-default "decline" button hidden way on the left side of the panel. Also, the initial installer shown in the previous screen shot claimed the software was “SAFE, TRUSTED, AND SPYWARE FREE”. In an unusual show of honesty, they removed that claim from the rogue installer.
While it is common for internet criminals to infect software installers in this way, we never expected it from a previously-reputable site like Download.com. Especially given their “Download.com Adware & Spyware Notice” which, until early 2012, said:
“In your letters, user reviews, and polls, you told us bundled adware was unacceptable--no matter how harmless it might be. We want you to know what you're getting when you download from CNET Download.com, and no other download site can promise that.”
“every time you download software from Download.com, you can trust that we've tested it and found it to be adware-free.”
It is unbelievable and reprehensible that they could make these claims of being adware, malware, and spyware free at the same time as they are actually adding adware and malware to the packages they distribute! Unfortunately, instead of ceasing the reprehensible behavior, they just changed their policy in early 2012 to remove the pledges quoted above.
Here is an example from an installer screen added by CNET Download.com which (if the user isn't vigilant enough to catch the small print I've circled below and press the decline button) will infect their machine:
It is bad enough when software authors include toolbars and other
unwanted apps bundled with their software. But having Download.com
insert such things into 3rd party installers is even more insidious.
When users find their systems hosed (searches redirected, home pages
changed, new hard-to-uninstall toolbars taking up space in their
browser) after installing software, they are likely to blame the
software authors. But in this case it is entirely Download.com's
fault for infecting the installers! So while Download.com takes the
payment for exploiting their users' trust and infecting the machines,
it is the software authors who wrongly take the blame! Of course it
is users who pay the ultimate price of having their systems infected
just to make a few bucks for CNET.
They're even using the trojan for children's software such as the Kea Coloring Book! Have they no shame?
The Nmap Security Scanner is a free
and open source utility used by millions of people for network
discovery, administration, inventory, and security auditing. It was
developed by Gordon Lyon
(A.K.A. Fyodor) in 1997 and he has been working to improve it ever
since. Nmap has always been distributed free of charge without adware
or malware of any kind, so you can imagine how upset Fyodor was when
he found out that Download.com was betraying his users' trust by
adding malware to the Nmap installer. Particularly because
Download.com makes it look like users are getting the real Nmap
installer, and they even put the trademarked Nmap name next to the
“special offer” which infects users' machines (see the
screen shot above). He verified the problem and sent
a strongly worded
warning to Nmap users
post also includes screen shots of the infection screen and virus
scanner results showing
anti-virus scanners already recognize and flag the CNET-provided
post went viral, spread by many angry users who were betrayed by
Download.com's false promises of clean downloads. Here are some
reasonably detailed (or with many comments) English articles:
Here are some updates from Fyodor since this brouhaha started with his initial December 5, 2011 email:
June 27, 2012: Download.com complies with our request to remove Nmap entirely from their system.
Apr 24, 2012: Updated this page to note that they have removed their former pledge not to install adware and spyware on users' machines (see the summary section).
Dec 17, 2011: Added an executive summary to this page.
Dec 12: Added new InfoWorld article, which notes that the Metasploit Project has pulled their software from Download.com over this issue. Also added article #1 and article #2 about the CISO group calling for a boycott of CNET and Download.com. Also added a great Network World article: Download Wrappers Are Wrong, Doubly Wrong With Open Source.
Dec 11: Added links to articles from Boing Boing, eEye Digital Security, and Triona's Tech Tips
Dec 9: Sean Murphy (Download.com General Manager) posted another apology. But despite admitting that they “screwed up” and declaring that they “sincerely apologize to our users and to our developer community”, they continue to distribute malware and adware to their users. They say that they will stop bundling open source software with the trojan installer, but they need to stop all installer bundling, including non-open source software. For example, they still use the trojan installer for the games Age of Empires II: The Age of Kings and Need for Speed Underground 2. Apologizing for bad behavior only helps if you actually stop the behavior!
Dec 9: The Electronic Frontier Foundation, a tireless defender of users' rights, has come out strongly against this malware bundling! Computer World also put out a great new article: Open Source Trust Abused.
Dec 8: Added some articles about the Download.com statement: Heise Online, Kaspersky Labs Threatpost, The Register, Slashdot, Hacker News, Linux Weekly News
Dec 7: Download.com V.P. and General Manager Sean Murphy (who seems to be the main culprit in creating this program) issued a statement on the issue. He promises to make minor changes, but:
- He claims that bundling malware with Nmap was a “mistake on our part” and “we reviewed all open source files in our catalog to ensure none are being bundled.” Either that is a lie, or they are totally incompetent, because open source software is still being bundled. You can read the comments below his post for many examples.
- Even if they had removed the malware bundling from open source software, what about all of the other free (but not open source) Windows software out there? They shouldn't infect any 3rd party software with sketchy toolbars, search engine redirectors, etc.
- At the same time that Sean sent the “apology” to users, he sent this very different note to developers. He says they are working on a new expanded version of the rogue installer and “initial feedback from developers on our new model has been very positive and we are excited to bring this to the broader community as soon as possible”. He tries to mollify developers by promising to give them a cut (“revenue share”) of the proceeds from infecting their users.
- You no longer need to register and log in to get the small (non-trojan) “direct download” link, but the giant green download button still exposes users to malware.
- The Download.com Adware & Spyware Notice still says “every time you download software from Download.com, you can trust that we've tested it and found it to be adware-free.” How can they say that while they are still adding their own adware? At least they removed the statement from their trojan installer that it is “SAFE, TRUSTED, AND SPYWARE FREE”.
Dec 6: Microsoft contacted me to say:
“We saw the message you sent to the nmap-hackers mailing list a few days ago. Thanks for spotting this—we were unaware of the bundling issue you identified. It does appear CNET bundled the search services of one of our distribution partners with other software. In the meantime, our partner has suspended operations with CNET until this issue has been remedied.”
This is probably why CNET switched to installing the Babylon Toolbar yesterday. This is a good and welcome move by Microsoft, but the whole process of paying “distribution partners” to change a user's home page to MSN and search engine to Bing is rather sketchy. At a minimum, this distribution partner should be terminated. Creating a great search engine is a better way to attract users to Bing.
Dec 6: The adware pushed by Download.com has changed
again. Now the installer is promoting CNET's own "TechTracker"
software. Either they are doing this (rather than the more egregious
malware they were installing earlier) to lie low while the heat dies
down, or they've become so toxic that even sketchy toolbar vendors
won't deal with them. But if CNET isn't stopped, the malware vendors
will come crawling back soon enough and CNET will be there to receive
Dec 6: Sometime last night, Download.com quietly replaced their rogue Nmap installer with a link to the official Nmap installer. While I'm glad they have currently removed the trojan installer for Nmap, they need to remove it for all of the software. Not just those of us who cause enough bad press to shame them into it. Here is some popular software that still has the trojan download enabled: Kea Coloring Book (children's software), Need for Speed Underground 2 (game), and Age of Empires II: The Age of Kings (game).
Dec 5: The rogue installer uses your internet connection to decide what malware to install. It has now started installing the Babylon Toolbar rather than the Microsoft Bing stuff.
Dec 5: Gerald Combs, project leader for the popular Wireshark protocol analyzer, sent a cease-and-desist letter to CNET and they removed the rogue installer (only for his software). He's the one who notified Fyodor about this rogue CNET behavior in the first place.
After all the bad press, CNET has (at least for now) removed the
trojan installer for Nmap. But they could bring it back at any time,
and they still infect thousands of other software packages.
My demand is that CNET stop doing this for ALL of the software they distribute, not just those who are able to generate enough bad PR for them.
If Download.com doesn't stop, I plan to continue spreading the word about their reprehensible behavior. You can help by linking to and sharing this page, contacting anyone you know at CNET or Download.com, and of course never using or recommending Download.com to anyone! There are many superior alternatives, including FileHippo, NiNite, and Softpedia. Of course you can download apps from their official sites too!
The way it works is that CNET's Nmap download page
offers what they claim to be Nmap's Windows installer. They even
provide the correct file size for our official installer. But users
actually get a CNET-created trojan installer. That program first
communicates over the user's internet connection to decide what sort
of adware/spyware/malware to "offer" for installation. The first
screen of the rogue installer just claims that the software "is virus
and spyware free" and has the user click the big green button to
continue. The next screen
is the tricky one. If they click on the green button again this time,
it will (in these two examples) change their home page, redirect their
search queries, and install a sketchy and hard-to-remove browser
The problem is that users often just click through installer
screens, trusting that Download.com gave them the real installer and
knowing that the Nmap project wouldn't put malicious code in our
installer. Then the next time the user opens their browser, they
find that their computer is hosed with crappy toolbars, Bing searches,
Microsoft as their home page, and whatever other shenanigans the
software performs! The worst thing is that users will think we (Nmap
Project) did this to them!
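
The listing described above showed the official installer's file size while serving a different program, so a matching size says nothing about authenticity. As an added example (not part of the original page and not Nmap project code), this sketch compares a download against a SHA-256 digest that is assumed to have been obtained from the publisher's own site; the file names, contents and sizes are constructed stand-ins.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream the file so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_download(path, advertised_size, published_sha256):
    """Compare a download with the listing's size and the publisher's digest."""
    digest = sha256_file(path)
    return {
        "size_matches_listing": os.path.getsize(path) == advertised_size,
        "digest_matches_publisher": hmac.compare_digest(
            digest, published_sha256.lower()
        ),
    }


def demo():
    # Constructed stand-ins: no real installer bytes are used.
    official = b"official installer payload " * 4096
    stub = b"third-party wrapper stub " * 512        # smaller wrapper program
    padded = b"W" * len(official)                    # same size, other content
    # Assumption: this digest was fetched from the publisher, not the mirror.
    published = hashlib.sha256(official).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("official", official), ("stub", stub), ("padded", padded)):
            path = os.path.join(d, name + "-setup.exe")
            with open(path, "wb") as f:
                f.write(data)
            results[name] = check_download(path, len(official), published)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Only the digest comparison distinguishes the publisher's file from a wrapper; the size check is reported separately to show that it can pass for a file that is not the official installer.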