[Outages-discussion] Fwd: [fyodor at insecure.org: C|Net Download.Com is now bundling Nmap with malware!]

Jay Ashworth jra at baylink.com
Mon Dec 5 21:14:59 EST 2011


FYI; pass it on.  Bill's a reliable source; Fyodor's the author.

Cheers,
-- jr 'the moderator' a

----- Forwarded Message -----
> From: bmanning at vacation.karoshi.com
> To: nanog at nanog.org
> Sent: Monday, December 5, 2011 6:44:19 PM
> Subject: [fyodor at insecure.org: C|Net Download.Com is now bundling Nmap with malware!]
> 
> With permission....
> 
> 
> ----- Forwarded message from Fyodor <fyodor at insecure.org> -----
> 
> Date: Mon, 5 Dec 2011 14:35:30 -0800
> 
> Hi Folks. I've just discovered that C|Net's Download.Com site has
> started wrapping their Nmap downloads (as well as other free software
> like VLC) in a trojan installer which does things like installing a
> sketchy "StartNow" toolbar, changing the user's default search engine
> to Microsoft Bing, and changing their home page to Microsoft's MSN.
> 
> The way it works is that C|Net's download page (screenshot attached)
> offers what they claim to be Nmap's Windows installer. They even
> provide the correct file size for our official installer. But users
> actually get a Cnet-created trojan installer. That program does the
> dirty work before downloading and executing Nmap's real installer.
> 
> Of course the problem is that users often just click through installer
> screens, trusting that download.com gave them the real installer and
> knowing that the Nmap project wouldn't put malicious code in our
> installer. Then the next time the user opens their browser, they
> find that their computer is hosed with crappy toolbars, Bing searches,
> Microsoft as their home page, and whatever other shenanigans the
> software performs! The worst thing is that users will think we (Nmap
> Project) did this to them!
> 
> I took and attached a screen shot of the C|Net trojan Nmap installer
> in action. Note how they use our registered "Nmap" trademark in big
> letters right above the malware "special offer" as if we somehow
> endorsed or allowed this. Of course they also violated our trademark
> by claiming this download is an Nmap installer when we have nothing to
> do with the proprietary trojan installer.
> 
> In addition to the deception and trademark violation, and potential
> violation of the Computer Fraud and Abuse Act, this clearly violates
> Nmap's copyright. This is exactly why Nmap isn't under the plain GPL.
> Our license (http://nmap.org/book/man-legal.html) specifically adds a
> clause forbidding software which "integrates/includes/aggregates Nmap
> into a proprietary executable installer" unless that software itself
> conforms to various GPL requirements (this proprietary C|Net
> download.com software and the toolbar don't). We've long known that
> malicious parties might try to distribute a trojan Nmap installer, but
> we never thought it would be C|Net's Download.com, which is owned by
> CBS! And we never thought Microsoft would be sponsoring this
> activity!
> 
> It is worth noting that C|Net's exact schemes vary. Here is a story
> about their shenanigans:
> 
> http://www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations
> 
> It is interesting to compare the trojaned VLC screenshot in that
> article with the Nmap one I've attached. In that case, the user just
> clicks "Next step" to have their machine infected. And they wrote
> "SAFE, TRUSTED, AND SPYWARE FREE" in the trojan-VLC title bar. It is
> telling that they decided to remove that statement in their newer
> trojan installer. In fact, if we UPX-unpack the Trojan CNet
> executable and send it to VirusTotal.com, it is detected as malware by
> Panda, McAfee, F-Secure, etc:
> 
> http://bit.ly/cnet-nmap-vt
> 
> According to Download.com's own stats, hundreds of people download the
> trojan Nmap installer every week! So the first order of business is
> to notify the community so that nobody else falls for this scheme.
> Please help spread the word.
> 
> Of course the next step is to go after C|Net until they stop doing
> this for ALL of the software they distribute. So far, the most they
> have offered is:
> 
> "If you would like to opt out of the Download.com Installer you can
> submit a request to cnet-installer at cbsinteractive.com. All opt-out
> requests are carefully reviewed on a case-by-case basis."
> 
> In other words, "we'll violate your trademarks and copyright and
> squander your goodwill until you tell us to stop, and then we'll
> consider your request 'on a case-by-case basis' depending on how much
> money we make from infecting your users and how scary your legal
> threat is."
> 
> F*ck them! If anyone knows a great copyright attorney in the U.S.,
> please send me the details or ask them to get in touch with me.
> 
> Also, shame on Microsoft for paying C|Net to trojan open source
> software!
> 
> Cheers,
> Fyodor
> 
> ----- End forwarded message -----

-- 
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

