About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Industry Watch

Trojans Courtesy DOWNLOAD.COM

From worst to worstest.

Get It

Try It

SAN FRANCISCO (Rixstep) — 'It wasn't long ago that I felt comfortable recommending CNET's download.com as a reputable and trustworthy place to download software. I'd like to take back that advice', writes Brian Krebs.

CNET seem to be doing the old Digital River trick - increasingly bundling invasive and annoying browser toolbars with software, even open source titles whose distribution licences prohibit such activity.

It's a clumsy and failed attempt to make money at best. It's a serious privacy invasion at worst.


Gordon Lyon ('Fyodor') of nmap fame wrote about the development recently.

'Hi folks. I've just discovered that C|Net's Download.Com site has started wrapping their Nmap downloads (as well as other free software like VLC) in a trojan installer which does things like installing a sketchy 'StartNow' toolbar, changing the user's default search engine to Microsoft Bing, and changing their home page to Microsoft's MSN.'

The mention of 'Microsoft', 'Bing', and 'MSN' should raise red flags. This is typical behaviour for the Borg.

'The way it works is that C|Net's download page offers what they claim to be Nmap's Windows installer. They even provide the correct file size for our official installer. But users actually get a C|Net-created trojan installer. That program does the dirty work before downloading and executing Nmap's real installer.'

It's one thing for Bill Gates to be up to his old shenanigans. It's quite another (but not totally unexpected) that CBS Interactive (owners of CNET today) should be Bill's lapdogs.

    Domain Admin
    CBS Interactive Inc
    235 Second Street
    San Francisco CA 94105

'Note how they use our registered 'Nmap' trademark in big letters right above the malware 'special offer' as if we somehow endorsed or allowed this. Of course they also violated our trademark by claiming this download is an Nmap installer when we have nothing to do with the proprietary trojan installer.'

CBS/CNET have in the past been hiring less than stellar staff to work piecemeal on their websites. Not exactly inspiring confidence in software vendors.

Fyodor goes on to point out the Nmap licence specifically prohibits such tampering.


'The GPL places important restrictions on 'derived works', yet it does not provide a detailed definition of that term. To avoid misunderstandings, we consider an application to constitute a 'derivative work' for the purpose of this license if it does any of the following:

• Integrates/includes/aggregates Nmap into a proprietary executable installer'

Which seems clear enough. Not that the suits at CNET would care, but still and all.

'We've long known that malicious parties might try to distribute a trojan Nmap installer, but we never thought it would be C|Net's Download.com, which is owned by CBS! And we never thought Microsoft would be sponsoring this activity!'

But this is typical Microsoft behaviour: they can't get people to willfully embrace their products, so they find ways to force the products on people instead (and then lock them in natch). There's a long history of the policy in Redmond WA.

Detected as Malware

Brian Krebs points out that most AV suites - specifically targeting Windows which remains a profound security threat - will flag CNET's 'trojan' as malware.

The Hard Place

All of which leads one to ask where to get software. Obviously there are still two viable alternatives (at least for OS X users).

  1. Apple's App Store. The easiest alternative for 'kiddie' software that doesn't attempt to do anything 'grownup' to the system. Apple specifically disallow anything that enables the user to control OS X itself. You can't get firewall software, you certainly can't get advanced tools like the ACP, you probably can't even get things like CLIX.

  2. The vendors themselves. Apple haven't closed the lid on independent software yet. They could - all the code's been there in the system for years - but they haven't dared so far. You can still 'tinker' - and adequately protect your system on your own when Apple fail to do so - for now.

Alternatives such as MacUpdate are out of the question. The people behind MacUpdate have consistently shown an arrogant disrespect for business ethics and an arbitrary - even draconian - approach to dissemination of software titles, even going so far as to practice 'bait 'n' switch' with vendors and users both. If CNET can bundle products inside trojans, MacUpdate may not be far behind. Sneaky things like that are not what Apple would entertain (at least for now).

Don't forget there's one app that detects improprieties on an install. Try the slimmed down free version to start with.

'They're trying to control all aspects of software development and release. There isn't much free market anymore. Freedom's on the way out.'
 - Red Hat Diaries

See Also
Tracker: Why Chance It?

Krebs on Security: Download.com Bundling Toolbars, Trojans?
Seclists: C|Net Download.Com is now bundling Nmap with malware

Wayback: Dive into Mark: Tinkerer's Sunset

Industry Watch: Mac Developer Program Update
Industry Watch: Mac Developer Program Update II
Industry Watch: Steve Jobs to App Store for Mac: 'Nope'
Jonny Evans: Journey to the Centre of the Mac App Store

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.