Summary

CNET's Download.com is one of the most popular (currently ranked #174 worldwide by Alexa) and longest-running (around since 1996) major sites on the Internet. As a download repository, its key value-add was that it screened software to avoid malware, spyware, adware, viruses and other harmful content that certain shady software contains. Even many security experts recommended it as a safe place to download software online. Download.com is run by CNET, which is part of the 17-billion dollar CBS media empire. Many people assumed that a major site like this wouldn't resort to unethical monetization schemes like adding spyware and other malware to its downloads.

Unfortunately, those people were wrong. In August 2011, Download.com was taken on a new path by their General Manager and V.P. Sean Murphy. They started wrapping legitimate 3rd party software into their own installer, which by default installs a wide variety of adware and other questionable software on users' machines. It also does things like redirect user search queries and change their Internet home page. At first their installer forced people to accept the malware or close the installer (see the screen shot of the infected VLC installer in this article). Later they added a non-default "decline" button hidden away on the left side of the panel. The initial installer shown in that screen shot also claimed the software was “SAFE, TRUSTED, AND SPYWARE FREE”; in an unusual show of honesty, they removed that claim from the rogue installer.

While it is common for internet criminals to infect software installers in this way, we never expected it from a previously-reputable site like Download.com, especially given their “Download.com Adware & Spyware Notice” which, until early 2012, said:

“In your letters, user reviews, and polls, you told us bundled adware was unacceptable--no matter how harmless it might be. We want you to know what you're getting when you download from CNET Download.com, and no other download site can promise that.”

“every time you download software from Download.com, you can trust that we've tested it and found it to be adware-free.”

It is unbelievable and reprehensible that they could make these claims of being adware, malware, and spyware free at the same time that they were actually adding adware and malware to the packages they distribute! Unfortunately, instead of ceasing this behavior, they just changed their policy in early 2012 to remove the pledges quoted above.

Here is an example of an installer screen added by CNET Download.com which (unless the user is vigilant enough to catch the small print I've circled below and press the decline button) will infect their machine:

It is bad enough when software authors include toolbars and other unwanted apps bundled with their software. But having Download.com insert such things into 3rd party installers is even more insidious. When users find their systems hosed (searches redirected, home pages changed, new hard-to-uninstall toolbars taking up space in their browser) after installing software, they are likely to blame the software authors. But in this case it is entirely Download.com's fault for infecting the installers! So while Download.com takes the payment for exploiting their users' trust and infecting the machines, it is the software authors who wrongly take the blame! Of course it is users who pay the ultimate price of having their systems infected just to make a few bucks for CNET.

They're even using the trojan for children's software such as the Kea Coloring Book! Have they no shame?

The Nmap Connection

The Nmap Security Scanner is a free and open source utility used by millions of people for network discovery, administration, inventory, and security auditing. It was developed by Gordon Lyon (A.K.A. Fyodor) in 1997 and he has been working to improve it ever since. Nmap has always been distributed free of charge without adware or malware of any kind, so you can imagine how upset Fyodor was when he found out that Download.com was betraying his users' trust by adding malware to the Nmap installer. He was particularly upset because Download.com makes it look like users are getting the real Nmap installer, and they even put the trademarked Nmap name next to the “special offer” which infects users' machines (see the screen shot above). He verified the problem and sent a strongly worded warning to Nmap users worldwide. That post also includes screen shots of the infection screen and virus scanner results showing that many anti-virus scanners already recognize and flag the CNET-provided malware.

News Reports

Fyodor's original post went viral, spread by many angry users who were betrayed by Download.com's false promises of clean downloads. Here are some reasonably detailed (or with many comments) English articles:

The Register: Cnet slammed for wrapping Nmap downloads with cruddy toolbar

The Register #2: Download.com sorry for bundling Nmap with crapware

Network World: CNET Accused of Wrapping Malware in Windows Installer for Nmap Security Tool

Network World #2: Download Wrappers Are Wrong, Doubly Wrong With Open Source

InfoWorld: Security pros slam Cnet Download.com's bundling

Electronic Frontier Foundation: The Download.com Debacle: What CNET Needs to Do to Make it Right

Sophos Naked Security: Popular network tool Nmap in CNET security brouhaha

Krebs On Security: Download.com Bundling Toolbars, Trojans?

Computer World: Open Source Trust Abused

CSO Magazine: Has Download.com become Desolation Boulevard?

CSO Magazine #2: Cnet de-trojans Nmap, but outrage continues

CSO Magazine #3: Boycott C/Net and Download.Com, CISO Group says

Heise Online: Download.com accused of wrapping nmap in a “trojan installer”

Heise Online #2: Download.com “apologises” for bundling

Kaspersky Labs Threatpost: Cnet Apologizes for Nmap Adware Bundling

The Inquirer: Cnet is accused of bundling malware with downloads

Reddit: Download.com is now bundling Nmap with malware!

Slashdot: Download.com Bundling Adware With Free Software

Slashdot #2: Cnet Apologizes For Nmap Adware Mess

Linux Weekly News: C|Net Download.Com accused of bundling Nmap with malware

Linux Weekly News #2: Download.com “apologises” for bundling (The H)

Hacker News: CNet's Download.com now bundling Nmap with malware

Hacker News #2: Download.com Response to Nmap Offer Bundling

Geek.com: Nmap warns Download.com bundles malware with its software

Tom's Guide: CNET Accused of Bundling Software Downloads with Trojans

Examiner.Com: Download.com's wrapper installers delivering malware with software

ITWire: Cnet's Download.com is bundling malware with Nmap

Help Net Security: Download.com “cleans up” Nmap but not other downloads

SANS Internet Storm Center: C|Net download.com serving malware with nmap software

New Web Order blog: The Download Dot-Con

Wireshark blog: Used Cars and Stub Installers

EasyBCD: Open Letter to CNet

Boing Boing: CNet's Download.com secretly installs adware with open/free downloads

eEye Digital Security: Honey, Does this Installer Make Me Look Fat?

Triona's Tech Tips: CNet’s Nmap Debacle: When Good Software Comes Bundled With Junk

CISO Group Security.exe: Boycott C/Net and Download.Com initial December 5, 2011 email:

Goal and Demand of this page

After all the bad press, CNET has (at least for now) removed the trojan installer for Nmap. But they could bring it back at any time, and they still infect thousands of other software packages.

My demand is that CNET stop doing this for ALL of the software they distribute, not just those who are able to generate enough bad PR for them.

If Download.com doesn't stop, I plan to continue spreading the word about their reprehensible behavior. You can help by linking to and sharing this page, contacting anyone you know at CNET or Download.com, and of course never using or recommending Download.com to anyone! There are many superior alternatives, including FileHippo, NiNite, and Softpedia. Of course you can download apps from their official sites too!

Infection Mechanism

The way it works is that CNET's Nmap download page (screen shot) offers what they claim to be Nmap's Windows installer. They even list the correct file size for our official installer, but users actually get a CNET-created trojan installer. That program first communicates over the user's internet connection to decide what sort of adware/spyware/malware to "offer" for installation. The first screen of the rogue installer just claims that the software "is virus and spyware free" and has the user click the big green button to continue. The next screen (screenshot1, shot2) is the tricky one: if they click on the green button again, it will (in these two examples) change their home page, redirect their search queries, and install a sketchy and hard-to-remove browser toolbar.

The problem is that users often just click through installer screens, trusting that Download.com gave them the real installer and knowing that the Nmap Project wouldn't put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (the Nmap Project) did this to them!
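The practical lesson of this mechanism is that the file size a download page advertises proves nothing: Download.com listed the correct size while serving a different program. The only check that tells you whether you have the bytes the project actually released is a cryptographic digest (or signature) obtained from the project itself, never from the page that served the file. The following is an example added to this page, not code from the original article or from the Nmap project, showing that check in Python. The two "installers" it builds are constructed placeholders of identical length, and the "published" size and SHA-256 are derived from the placeholder, not from any real Nmap release.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large installer never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_installer(path, published_size, published_sha256):
    """Compare a downloaded installer against the size and digest the project published.

    The size check is kept only to show how weak it is: a wrapper stub can be
    padded to any length. The verdict ("trusted") rests on the digest alone,
    compared in constant time so the comparison itself leaks nothing.
    """
    actual_sha256 = sha256_file(path)
    digest_ok = hmac.compare_digest(actual_sha256, published_sha256.lower())
    return {
        "size_matches": os.path.getsize(path) == published_size,
        "sha256_matches": digest_ok,
        "sha256": actual_sha256,
        "trusted": digest_ok,
    }


def demo():
    """Constructed scenario: two equal-sized files, only one of which is genuine."""
    # Stand-in contents (NOT real Nmap bytes): an MZ header plus padding to 1024 bytes.
    official = b"MZ" + b"official nmap installer payload ".ljust(1022, b"\0")
    wrapped = b"MZ" + b"stub that phones home for offers".ljust(1022, b"\0")
    assert len(official) == len(wrapped) == 1024

    # What the project would publish alongside the release (derived from the
    # placeholder here; in practice taken from the project's signed digest list).
    published_size = len(official)
    published_sha256 = hashlib.sha256(official).hexdigest()

    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for name, data in (("official", official), ("wrapped", wrapped)):
            path = os.path.join(workdir, name + ".exe")
            with open(path, "wb") as f:
                f.write(data)
            results[name] = check_installer(path, published_size, published_sha256)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Both files pass the size check and only the genuine one passes the digest check, which is exactly the gap a wrapper installer exploits. For a real download, take the expected digest from the project's own release announcement or signature files (Nmap publishes GPG signatures and digests under https://nmap.org/dist/sigs/) and, on Windows, additionally confirm the Authenticode signer of the .exe matches the project rather than the download site.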