In the continuing long decline of the download.com web site, it seems they have decided to start bundling malware with their downloads.
As described by Fyodor over at seclists.org.
As well as doing it to a number of free open source products they have done it with our OSForensics package as well. In our case they are distributing a file called cnet2_osf_exe.exe with our software. This contains the "Babylon toolbar". See screen shot below.
A number of the Anti-virus packages are already flagging the bundled software as a Trojan.
http://www.virustotal.com/file-scan/report.html?id=5bd70802c051fd95d0d78ac168385cd5047 05c00526ded2fd5edebdcc32d48f6-1323139801
Needless to say, it is pretty evil for CNet to do this without informing us.
Other developers have stated that if you pay CNET for advertising then CNet doesn't bundle their crapware. Which make it more like blackmail. If we get an additional details, we'll add to this post.
So for the moment we strongly suggest you don't use download.com. Go direct to the developer's sites for your downloads.
More details here,
http://seclists.org/nmap-hackers/2011/5
http://www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations
Screen shot of CNET crapware
As described by Fyodor over at seclists.org.
"I've just discovered that C|Net's Download.Com site has
started wrapping their Nmap downloads (as well as other free software
like VLC) in a trojan installer which does things like installing a
sketchy "StartNow" toolbar, changing the user's default search engine
to Microsoft Bing, and changing their home page to Microsoft's MSN.
The way it works is that C|Net's download page (screenshot attached)
offers what they claim to be Nmap's Windows installer. They even
provide the correct file size for our official installer. But users
actually get a Cnet-created trojan installer. That program does the
dirty work before downloading and executing Nmap's real installer."
started wrapping their Nmap downloads (as well as other free software
like VLC) in a trojan installer which does things like installing a
sketchy "StartNow" toolbar, changing the user's default search engine
to Microsoft Bing, and changing their home page to Microsoft's MSN.
The way it works is that C|Net's download page (screenshot attached)
offers what they claim to be Nmap's Windows installer. They even
provide the correct file size for our official installer. But users
actually get a Cnet-created trojan installer. That program does the
dirty work before downloading and executing Nmap's real installer."
A number of the Anti-virus packages are already flagging the bundled software as a Trojan.
http://www.virustotal.com/file-scan/report.html?id=5bd70802c051fd95d0d78ac168385cd5047 05c00526ded2fd5edebdcc32d48f6-1323139801
Needless to say, it is pretty evil for CNet to do this without informing us.
Other developers have stated that if you pay CNET for advertising then CNet doesn't bundle their crapware. Which make it more like blackmail. If we get an additional details, we'll add to this post.
So for the moment we strongly suggest you don't use download.com. Go direct to the developer's sites for your downloads.
More details here,
http://seclists.org/nmap-hackers/2011/5
http://www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations
Screen shot of CNET crapware
Comment