[Infowarrior] - C|Net's DownloadCom is bundling Nmap with malware!
Richard Forno
rforno at infowarrior.org
Mon Dec 5 18:38:53 CST 2011
(c/o RSK and others)
> ----- Forwarded message from Fyodor <fyodor at insecure.org> -----
>
> Date: Mon, 5 Dec 2011 14:35:30 -0800
>
> Hi Folks. I've just discovered that C|Net's Download.Com site has
> started wrapping their Nmap downloads (as well as other free software
> like VLC) in a trojan installer which does things like installing a
> sketchy "StartNow" toolbar, changing the user's default search engine
> to Microsoft Bing, and changing their home page to Microsoft's MSN.
>
> The way it works is that C|Net's download page (screenshot attached)
> offers what they claim to be Nmap's Windows installer. They even
> provide the correct file size for our official installer. But users
> actually get a Cnet-created trojan installer. That program does the
> dirty work before downloading and executing Nmap's real installer.
>
> Of course the problem is that users often just click through installer
> screens, trusting that download.com gave them the real installer and
> knowing that the Nmap project wouldn't put malicious code in our
> installer. Then the next time the user opens their browser, they
> find that their computer is hosed with crappy toolbars, Bing searches,
> Microsoft as their home page, and whatever other shenanigans the
> software performs! The worst thing is that users will think we (Nmap
> Project) did this to them!
>
> I took and attached a screen shot of the C|Net trojan Nmap installer
> in action. Note how they use our registered "Nmap" trademark in big
> letters right above the malware "special offer" as if we somehow
> endorsed or allowed this. Of course they also violated our trademark
> by claiming this download is an Nmap installer when we have nothing to
> do with the proprietary trojan installer.
>
> In addition to the deception and trademark violation, and potential
> violation of the Computer Fraud and Abuse Act, this clearly violates
> Nmap's copyright. This is exactly why Nmap isn't under the plain GPL.
> Our license (http://nmap.org/book/man-legal.html) specifically adds a
> clause forbidding software which "integrates/includes/aggregates Nmap
> into a proprietary executable installer" unless that software itself
> conforms to various GPL requirements (this proprietary C|Net
> download.com software and the toolbar don't). We've long known that
> malicious parties might try to distribute a trojan Nmap installer, but
> we never thought it would be C|Net's Download.com, which is owned by
> CBS! And we never thought Microsoft would be sponsoring this
> activity!
>
> It is worth noting that C|Net's exact schemes vary. Here is a story
> about their shenanigans:
>
> http://www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations
>
> It is interesting to compare the trojaned VLC screenshot in that
> article with the Nmap one I've attached. In that case, the user just
> clicks "Next step" to have their machine infected. And they wrote
> "SAFE, TRUSTED, AND SPYWARE FREE" in the trojan-VLC title bar. It is
> telling that they decided to remove that statement in their newer
> trojan installer. In fact, if we UPX-unpack the Trojan CNet
> executable and send it to VirusTotal.com, it is detected as malware by
> Panda, McAfee, F-Secure, etc:
>
> http://bit.ly/cnet-nmap-vt
>
> According to Download.com's own stats, hundreds of people download the
> trojan Nmap installer every week! So the first order of business is
> to notify the community so that nobody else falls for this scheme.
> Please help spread the word.
>
> Of course the next step is to go after C|Net until they stop doing
> this for ALL of the software they distribute. So far, the most they
> have offered is:
>
> "If you would like to opt out of the Download.com Installer you can
> submit a request to cnet-installer at cbsinteractive.com. All opt-out
> requests are carefully reviewed on a case-by-case basis."
>
> In other words, "we'll violate your trademarks and copyright and
> squander your goodwill until you tell us to stop, and then we'll
> consider your request 'on a case-by-case basis' depending on how much
> money we make from infecting your users and how scary your legal
> threat is."
>
> F*ck them! If anyone knows a great copyright attorney in the U.S.,
> please send me the details or ask them to get in touch with me.
>
> Also, shame on Microsoft for paying C|Net to trojan open source
> software!
>
> Cheers,
> Fyodor
---
Just because I'm near the punchbowl doesn't mean I'm also drinking from it.
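An added defender-side check, not part of the original post or of the Nmap project's code, illustrating two points from Fyodor's message: a wrapper can match the official installer's byte size while its hash differs, and a UPX-packed executable can be recognised from its UPX0/UPX1 section names before deciding to unpack it for scanning. The `build_fake_pe` helper constructs synthetic PE headers for the demo and assumes nothing about the real C|Net or Nmap installers.

```python
import hashlib
import struct


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_size: int, expected_sha256: str) -> dict:
    """Size AND hash must match; a matching size alone proves nothing."""
    return {
        "size_ok": len(data) == expected_size,
        "hash_ok": sha256_hex(data) == expected_sha256.lower(),
    }


def pe_section_names(data: bytes) -> list:
    """Walk the PE section table and return the 8-byte section names."""
    if data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX names its sections UPX0, UPX1, ... (renamed packers evade this)."""
    return any(n.startswith("UPX") for n in pe_section_names(data))


def build_fake_pe(section_names) -> bytes:
    """Constructed minimal PE headers for the demo (not a runnable executable)."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + sections


if __name__ == "__main__":
    # Constructed samples: same byte length, different content.
    genuine = build_fake_pe([".text", ".rdata", ".data"]) + b"A" * 100
    wrapper = build_fake_pe(["UPX0", "UPX1", ".rsrc"]) + b"B" * 100
    print(verify_download(wrapper, len(genuine), sha256_hex(genuine)))
    print(pe_section_names(wrapper), looks_upx_packed(wrapper))
```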