Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: C|Net Download.Com is now bundling Nmap with malware!

From: Chuck Braden <j-braden () TAMU EDU>
Date: Tue, 6 Dec 2011 16:00:53 +0000

Have yet to see this posted to the list

Forwarding - fyi

Also see
http://isc.sans.edu/diary/C+Net+download+com+serving+malware+with+nmap+software/12148

Jimmy C Braden
Information Security Officer
AgriLife Information Technology
979-862-7254
j-braden () tamu edu<mailto:j-braden () tamu edu>


-----Original Message-----
From: nmap-hackers-bounces () insecure org<mailto:nmap-hackers-bounces () insecure org> [mailto:nmap-hackers-bounces () 
insecure org]<mailto:[mailto:nmap-hackers-bounces () insecure org]> On Behalf Of Fyodor
Sent: Monday, December 05, 2011 4:35 PM
To: nmap-hackers () insecure org<mailto:nmap-hackers () insecure org>
Subject: C|Net Download.Com is now bundling Nmap with malware!

Hi Folks.  I've just discovered that C|Net's Download.Com site has started wrapping their Nmap downloads (as well as 
other free software like VLC) in a trojan installer which does things like installing a sketchy "StartNow" toolbar, 
changing the user's default search engine to Microsoft Bing, and changing their home page to Microsoft's MSN.

The way it works is that C|Net's download page (screenshot attached) offers what they claim to be Nmap's Windows 
installer.  They even provide the correct file size for our official installer.  But users actually get a Cnet-created 
trojan installer.  That program does the dirty work before downloading and executing Nmap's real installer.

Of course the problem is that users often just click through installer screens, trusting that download.com gave them 
the real installer and knowing that the Nmap project wouldn't put malicious code in our installer.  Then the next time 
the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as 
their home page, and whatever other shenanigans the software performs!  The worst thing is that users will think we 
(Nmap
Project) did this to them!

I took and attached a screen shot of the C|Net trojan Nmap installer in action.  Note how they use our registered 
"Nmap" trademark in big letters right above the malware "special offer" as if we somehow endorsed or allowed this.  Of 
course they also violated our trademark by claiming this download is an Nmap installer when we have nothing to do with 
the proprietary trojan installer.

In addition to the deception and trademark violation, and potential violation of the Computer Fraud and Abuse Act, this 
clearly violates Nmap's copyright.  This is exactly why Nmap isn't under the plain GPL.
Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding software which 
"integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to 
various GPL requirements (this proprietary C|Net download.com software and the toolbar don't).  We've long known that 
malicious parties might try to distribute a trojan Nmap installer, but we never thought it would be C|Net's 
Download.com, which is owned by CBS!  And we never thought Microsoft would be sponsoring this activity!

It is worth noting that C|Net's exact schemes vary.  Here is a story about their shenanigans:

http://www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations

It is interesting to compare the trojaned VLC screenshot in that article with the Nmap one I've attached.  In that 
case, the user just clicks "Next step" to have their machine infected.  And they wrote "SAFE, TRUSTED, AND SPYWARE 
FREE" in the trojan-VLC title bar.  It is telling that they decided to remove that statement in their newer trojan 
installer.  In fact, if we UPX-unpack the Trojan CNet executable and send it to VirusTotal.com, it is detected as 
malware by Panda, McAfee, F-Secure, etc:

http://bit.ly/cnet-nmap-vt

According to Download.com's own stats, hundreds of people download the trojan Nmap installer every week!  So the first 
order of business is to notify the community so that nobody else falls for this scheme.
Please help spread the word.

Of course the next step is to go after C|Net until they stop doing this for ALL of the software they distribute.  So 
far, the most they have offered is:

  "If you would like to opt out of the Download.com Installer you can
   submit a request to cnet-installer () cbsinteractive com<mailto:cnet-installer () cbsinteractive com>. All opt-out
   requests are carefully reviewed on a case-by-case basis."

In other words, "we'll violate your trademarks and copyright and squandering your goodwill until you tell us to stop, 
and then we'll consider your request 'on a case-by-case basis' depending on how much money we make from infecting your 
users and how scary your legal threat is.

F*ck them!  If anyone knows a great copyright attorney in the U.S., please send me the details or ask them to get in 
touch with me.

Also, shame on Microsoft for paying C|Net to trojan open source software!

Cheers,
Fyodor
Previous By Date Next
Previous By Thread Next

Current thread: