[nsp-sec] Fwd: C|Net Download.Com is now bundling Nmap with malware!
Alfredo Sola
alfredo at solucionesdinamicas.net
Tue Dec 6 03:06:35 EST 2011
Hi,
I still haven't decided if this would be a near off-topic or a useful piece of information for our own teams, directly security related. Please excuse me if you think the former, and please exorcize nsp-sec headers when forwarding as usual if the latter.
Sent from my iPad
Begin forwarded message:
> From: Fyodor <fyodor at insecure.org>
> Date: 5 December 2011 23:35:30 GMT+01:00
> To: nmap-hackers at insecure.org
> Subject: C|Net Download.Com is now bundling Nmap with malware!
>
> Hi Folks. I've just discovered that C|Net's Download.Com site has
> started wrapping their Nmap downloads (as well as other free software
> like VLC) in a trojan installer which does things like installing a
> sketchy "StartNow" toolbar, changing the user's default search engine
> to Microsoft Bing, and changing their home page to Microsoft's MSN.
>
> The way it works is that C|Net's download page (screenshot attached)
> offers what they claim to be Nmap's Windows installer. They even
> provide the correct file size for our official installer. But users
> actually get a Cnet-created trojan installer. That program does the
> dirty work before downloading and executing Nmap's real installer.
>
> Of course the problem is that users often just click through installer
> screens, trusting that download.com gave them the real installer and
> knowing that the Nmap project wouldn't put malicious code in our
> installer. Then the next time the user opens their browser, they
> find that their computer is hosed with crappy toolbars, Bing searches,
> Microsoft as their home page, and whatever other shenanigans the
> software performs! The worst thing is that users will think we (Nmap
> Project) did this to them!
>
> I took and attached a screen shot of the C|Net trojan Nmap installer
> in action. Note how they use our registered "Nmap" trademark in big
> letters right above the malware "special offer" as if we somehow
> endorsed or allowed this. Of course they also violated our trademark
> by claiming this download is an Nmap installer when we have nothing to
> do with the proprietary trojan installer.
>
> In addition to the deception and trademark violation, and potential
> violation of the Computer Fraud and Abuse Act, this clearly violates
> Nmap's copyright. This is exactly why Nmap isn't under the plain GPL.
> Our license (http://nmap.org/book/man-legal.html) specifically adds a
> clause forbidding software which "integrates/includes/aggregates Nmap
> into a proprietary executable installer" unless that software itself
> conforms to various GPL requirements (this proprietary C|Net
> download.com software and the toolbar don't). We've long known that
> malicious parties might try to distribute a trojan Nmap installer, but
> we never thought it would be C|Net's Download.com, which is owned by
> CBS! And we never thought Microsoft would be sponsoring this
> activity!
>
> It is worth noting that C|Net's exact schemes vary. Here is a story
> about their shenanigans:
>
> http://www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations
>
> It is interesting to compare the trojaned VLC screenshot in that
> article with the Nmap one I've attached. In that case, the user just
> clicks "Next step" to have their machine infected. And they wrote
> "SAFE, TRUSTED, AND SPYWARE FREE" in the trojan-VLC title bar. It is
> telling that they decided to remove that statement in their newer
> trojan installer. In fact, if we UPX-unpack the Trojan CNet
> executable and send it to VirusTotal.com, it is detected as malware by
> Panda, McAfee, F-Secure, etc:
>
> http://bit.ly/cnet-nmap-vt
>
> According to Download.com's own stats, hundreds of people download the
> trojan Nmap installer every week! So the first order of business is
> to notify the community so that nobody else falls for this scheme.
> Please help spread the word.
>
> Of course the next step is to go after C|Net until they stop doing
> this for ALL of the software they distribute. So far, the most they
> have offered is:
>
> "If you would like to opt out of the Download.com Installer you can
> submit a request to cnet-installer at cbsinteractive.com. All opt-out
> requests are carefully reviewed on a case-by-case basis."
>
> In other words, "we'll violate your trademarks and copyright and
> squander your goodwill until you tell us to stop, and then we'll
> consider your request 'on a case-by-case basis' depending on how much
> money we make from infecting your users and how scary your legal
> threat is."
>
> F*ck them! If anyone knows a great copyright attorney in the U.S.,
> please send me the details or ask them to get in touch with me.
>
> Also, shame on Microsoft for paying C|Net to trojan open source
> software!
>
> Cheers,
> Fyodor
>
> _______________________________________________
> Sent through the nmap-hackers mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-hackers
> Archived at http://seclists.org/nmap-hackers/