TECHNOLOGY PUBLISHER Cnet has been accused of bundling malware with the security scanning software Nmap through its Downloads web site.
"I've just discovered that C|Net's Download.Com site has started wrapping their Nmap downloads (as well as other free software like VLC) in a trojan installer which does things like installing a sketchy 'StartNow' toolbar, changing the user's default search engine to Microsoft Bing, and changing their home page to Microsoft's MSN," wrote Gordon 'Fyodor' Lyon in his post.
"The way it works is that C|Net's download page offers what they claim to be Nmap's Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap's real installer."
People trust the web site, he added, and so are happy to click through its installer screens, to their own cost.
"Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs!" he added. "The worst thing is that users will think we (Nmap Project) did this to them!"
This is bad for users, he explained, but it's also bad for his Nmap Project, since Cnet is allegedly misusing its trademark to shill the malware and could be violating copyright laws.
"Note how they use our registered 'Nmap' trademark in big letters right above the malware 'special offer' as if we somehow endorsed or allowed this. Of course they also violated our trademark by claiming this download is an Nmap installer when we have nothing to do with the proprietary trojan installer," he added.
"We've long known that malicious parties might try to distribute a trojan Nmap installer, but we never thought it would be C|Net's Download.com, which is owned by CBS! And we never thought Microsoft would be sponsoring this activity!"
Lyon added that once the Trojan Cnet executable is unpacked it is detected as malware by Panda, McAfee and F-Secure.
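The wrapper described above was served with the correct file size for the official installer, which is exactly why a size check is no defence: two files of identical length can have entirely different contents. The usual check is to compare the downloaded file's cryptographic hash against the digest the project itself publishes. The following is an added example written for this article, not code from the Inquirer, Cnet or the Nmap Project; the "official" and "served" installer bytes are constructed stand-ins, and the published size and SHA-256 digest are assumed to come from the project's own site rather than from the download portal.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_size, expected_sha256):
    """Return (size_matches, hash_matches) for a downloaded installer.

    The size comparison is kept only to show how weak it is; the hash
    comparison is the check that actually establishes integrity.
    """
    size_ok = os.path.getsize(path) == expected_size
    actual = sha256_file(path)
    # Constant-time comparison avoids leaking how many leading hex digits matched.
    hash_ok = hmac.compare_digest(actual.lower(), expected_sha256.lower())
    return size_ok, hash_ok


def demo():
    # Constructed stand-in for the project's genuine installer (not a real binary).
    official = b"OFFICIAL-INSTALLER-STUB-" + b"\x00" * 1000
    # Constructed stand-in for a wrapper padded to exactly the same length.
    served = b"WRAPPER-INSTALLER-STUB--" + b"\x01" * 1000
    assert len(official) == len(served)

    with tempfile.TemporaryDirectory() as tmp:
        official_path = os.path.join(tmp, "official-setup.exe")
        served_path = os.path.join(tmp, "portal-setup.exe")
        with open(official_path, "wb") as f:
            f.write(official)
        with open(served_path, "wb") as f:
            f.write(served)

        # Assumed to be what the project publishes alongside its release.
        published_size = len(official)
        published_sha256 = sha256_file(official_path)

        return {
            "official": verify_download(official_path, published_size, published_sha256),
            "served": verify_download(served_path, published_size, published_sha256),
        }


if __name__ == "__main__":
    for name, (size_ok, hash_ok) in demo().items():
        print(f"{name}: size matches={size_ok}, sha256 matches={hash_ok}")
```

The served file passes the size check and fails the hash check, which is the whole point: only a digest (or, better still, a signature) obtained from the project rather than from the portal distinguishes the real installer from a same-sized wrapper.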
Meanwhile Graham Cluley, security expert and blogger for Sophos in the UK, expressed his surprise on Twitter, saying, "What on earth is CNET playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"
Lyon is perhaps understandably annoyed by his failed attempts to resolve the situation amicably with Cnet. "F*ck them!" he added. "If anyone knows a great copyright attorney in the U.S., please send me the details or ask them to get in touch with me."
We've asked Cnet to comment on the allegations.
We put a couple of questions to Fyodor about the situation, and over email he expressed his frustration with Cnet.
"I haven't heard from anyone at Download.Com about this, but they do have a page where they try to justify their actions," he said while pointing us to a user help page that explains some facts about its downloader software.
"I totally expect this sort of thing from the black hat criminals who infect software with toolbars and the like. But Download.com is rated by Alexa as the 173rd most popular site on the Internet and supposedly prides itself on validating that software is free of adware/spyware/malware before listing it," he added.
"So it is reprehensible that they are now adding malware while claiming that their main purpose is to protect people from the same!"
We are still waiting for a response from Cnet. µ