I have a VM used just to test these claims. VLC does not come wrapped but nmap does. Nasty
Actually that was a cheap shot at Microsoft, because the search engine is changed to
Babylon, the home page is changed to Babylon and their toolbar is installed - unless c|Net
has agreements with more than one company for that crap (which I doubt).
From: nznog-bounces(a)list.waikato.ac.nz [mailto:firstname.lastname@example.org] On Behalf
Sent: Tuesday, 6 December 2011 12:49 p.m.
Subject: [nznog] [fyodor(a)insecure.org: C|Net Download.Com
is now bundling Nmap with
----- Forwarded message from Fyodor <fyodor(a)insecure.org> -----
Date: Mon, 5 Dec 2011 14:35:30 -0800
Hi Folks. I've just discovered that C|Net's Download.Com
site has started
wrapping their Nmap downloads (as well as other free software like VLC) in a trojan
installer which does things like installing a sketchy "StartNow" toolbar,
changing the user's default search engine to Microsoft Bing, and changing their home
page to Microsoft's MSN.
The way it works is that C|Net's download page (screenshot attached) offers what they
claim to be Nmap's Windows installer. They even provide the correct file size for our
official installer. But users actually get a Cnet-created trojan installer. That program
does the dirty work before downloading and executing Nmap's real installer.
Of course the problem is that users often just click through installer screens, trusting
gave them the real installer and knowing that the Nmap project
wouldn't put malicious code in our installer. Then the next time the user opens their
browser, they find that their computer is hosed with crappy toolbars, Bing searches,
Microsoft as their home page, and whatever other shenanigans the software performs! The
worst thing is that users will think we (Nmap
Project) did this to them!
I took and attached a screen shot of the C|Net trojan Nmap installer in action. Note how
they use our registered "Nmap" trademark in big letters right above the malware
"special offer" as if we somehow endorsed or allowed this. Of course they also
violated our trademark by claiming this download is an Nmap installer when we have nothing
to do with the proprietary trojan installer.
In addition to the deception and trademark violation, and potential violation of the
Computer Fraud and Abuse Act, this clearly violates Nmap's copyright. This is exactly
why Nmap isn't under the plain GPL.
Our license (http://nmap.org/book/man-legal.html
) specifically adds a clause forbidding
software which "integrates/includes/aggregates Nmap into a proprietary executable
installer" unless that software itself conforms to various GPL requirements (this
proprietary C|Net download.com
software and the toolbar don't). We've long known
that malicious parties might try to distribute a trojan Nmap installer, but we never
thought it would be C|Net's Download.com
, which is owned by CBS! And we never thought
Microsoft would be sponsoring this activity!
It is worth noting that C|Net's exact schemes vary. Here is a story about their
It is interesting to compare the trojaned VLC screenshot in that article with the Nmap one
I've attached. In that case, the user just clicks "Next step" to have their
machine infected. And they wrote "SAFE, TRUSTED, AND SPYWARE FREE" in the
trojan-VLC title bar. It is telling that they decided to remove that statement in their
newer trojan installer. In fact, if we UPX-unpack the Trojan CNet executable and send it
, it is detected as malware by Panda, McAfee, F-Secure, etc:
According to Download.com's own stats, hundreds of people download the trojan Nmap
installer every week! So the first order of business is to notify the community so that
nobody else falls for this scheme.
Please help spread the word.
Of course the next step is to go after C|Net until they stop doing this for ALL of the
software they distribute. So far, the most they have offered is:
"If you would like to opt out of the Download.com
Installer you can
submit a request to cnet-installer(a)cbsinteractive.com. All opt-out
requests are carefully reviewed on a case-by-case basis."
In other words, "we'll violate your trademarks and copyright and squandering your
goodwill until you tell us to stop, and then we'll consider your request 'on a
case-by-case basis' depending on how much money we make from infecting your users and
how scary your legal threat is.
F*ck them! If anyone knows a great copyright attorney in the U.S., please send me the
details or ask them to get in touch with me.
Also, shame on Microsoft for paying C|Net to trojan open source software!
----- End forwarded message -----
NZNOG mailing list