[nsp-sec] Fwd: C|Net Download.Com is now bundling Nmap with malware!

Peter Moody pmoody at google.com
Tue Dec 6 12:41:09 EST 2011


Re-scanning the downloader that cnet is offering for nmap gives me
different results [1] (the hashes are different, maybe they aren't bundling
anymore?)

I'll ping Fyodor.

Cheers,
peter

[1]
http://www.virustotal.com/file-scan/report.html?id=19d29395a7889a33b42d359388539f9423859cfe7778e281d337ef8b9cc997df-1323192300


On Tue, Dec 6, 2011 at 6:37 AM, William Allen Simpson <
william.allen.simpson at gmail.com> wrote:

> ----------- nsp-security Confidential --------
>
>
> On 12/6/11 3:06 AM, Alfredo Sola wrote:
>
>> I still haven't decided if this would be a near off-topic or a useful
>> piece of information for our own teams, directly security related. Please
>> excuse me if you think the former, and please exorcize nsp-sec headers when
>> forwarding as usual if the latter.
>>
> It is....  Probably need the Firefox/Google "this can harm your computer"
> screen.  Can Google scan the other downloads from CNet and check for
> more malware?  Perhaps the entire site needs flagging?
>
>
>> From: Fyodor <fyodor at insecure.org>
>>>
>>> It is interesting to compare the trojaned VLC screenshot in that
>>> article with the Nmap one I've attached.  In that case, the user just
>>> clicks "Next step" to have their machine infected.  And they wrote
>>> "SAFE, TRUSTED, AND SPYWARE FREE" in the trojan-VLC title bar.  It is
>>> telling that they decided to remove that statement in their newer
>>> trojan installer.  In fact, if we UPX-unpack the Trojan CNet
>>> executable and send it to VirusTotal.com, it is detected as malware by
>>> Panda, McAfee, F-Secure, etc:
>>>
>>> http://bit.ly/cnet-nmap-vt
>>>
>>>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038


