Cnet is accused of bundling malware with downloads

V

Virus Guy

Cnet is accused of bundling malware with downloads

http://www.theinquirer.net/inquirer/news/2130382/cnet-accused-bundling-malware-downloads

The down low on low down Cnet downloads
By Dave Neal
Tue Dec 06 2011, 12:12

TECHNOLOGY PUBLISHER Cnet has been accused of bundling malware with the
security scanning software Nmap through its Downloads web site.

The accusation comes from the creator of Nmap, who in a forum post on
the Seclists.org web site chose not to mince his words.

"I've just discovered that C|Net's Download.Com site has started
wrapping their Nmap downloads (as well as other free software like VLC)
in a trojan installer which does things like installing a sketchy
'StartNow' toolbar, changing the user's default search engine to
Microsoft Bing, and changing their home page to Microsoft's MSN," wrote
Gordon 'Fyodor' Lyon in his post.

"The way it works is that C|Net's download page offers what they claim
to be Nmap's Windows installer. They even provide the correct file size
for our official installer. But users actually get a Cnet-created trojan
installer. That program does the dirty work before downloading and
executing Nmap's real installer."

People trust the web site, he added, and so are happy to click through
its installer screens, which they do at their own cost.

"Then the next time the user opens their browser, they find that their
computer is hosed with crappy toolbars, Bing searches, Microsoft as
their home page, and whatever other shenanigans the software performs!,"
he added. "The worst thing is that users will think we (Nmap Project)
did this to them!"

This is bad for users, he explained, but it's also bad for his Nmap
Project since allegedly Cnet is misusing its trademark to shill the
malware, and could be violating copyright laws.

"Note how they use our registered 'Nmap' trademark in big letters right
above the malware 'special offer' as if we somehow endorsed or allowed
this. Of course they also violated our trademark by claiming this
download is an Nmap installer when we have nothing to do with the
proprietary trojan installer," he added.

"We've long known that malicious parties might try to distribute a
trojan Nmap installer, but we never thought it would be C|Net's
Download.com, which is owned by CBS! And we never thought Microsoft
would be sponsoring this activity!"

Lyon added that once the Trojan Cnet executable is unpacked it is
detected as malware by Panda, McAfee and F-Secure.

Meanwhile Graham Cluley, security expert and blogger for Sophos in the
UK, expressed his surprise on Twitter, saying, "What on earth is CNET
playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"

Lyon is perhaps understandably annoyed by his failed attempts to resolve
the situation amicably with Cnet. "F*ck them!" he added. "If anyone
knows a great copyright attorney in the U.S., please send me the details
or ask them to get in touch with me."

We've asked Cnet to comment on the allegations. µ
 
G

G. Morgan

Virus said:
Meanwhile Graham Cluley, security expert and blogger for Sophos in the
UK, expressed his surprise on Twitter, saying, "What on earth is CNET
playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"
Click to expand...

I broke this story months ago and provided a homemade video on how to
get around it. The AV companies and software distributors are just now
acknowledging it?

--

"I don't like to discriminate against terrorists based on nationality.
If you declare war on the United States and you want to kill us,
We're going to kill you first, period."

October 19, 2011 - Ali Soufan (Colbert Report)
 
B

~BD~

G. Morgan said:
I broke this story months ago and provided a homemade video on how to
get around it. The AV companies and software distributors are just now
acknowledging it?
Click to expand...

Is your video on YouTube or similar, Graham?

May one take a peek? If so, a link please! :)
 
G

G. Morgan

~BD~ said:
Thank you! :)

Great desktop piccie too - I somehow doubt that you took it yourself!
Click to expand...

Nah, someone posted a link to it on a newsgroup and I liked it. I'm back
to a plain solid color now.

--

"I don't like to discriminate against terrorists based on nationality.
If you declare war on the United States and you want to kill us,
We're going to kill you first, period."

October 19, 2011 - Ali Soufan (Colbert Report)
 
B

~BD~

G. Morgan said:
Nah, someone posted a link to it on a newsgroup and I liked it. I'm back
to a plain solid color now.
Click to expand...

It's nice that one may change things whenever one wishes!

I should also have said that I enjoyed your video. You were certainly
ahead of the game! Well done! :)

OT - are you still having trouble sleeping, Graham?
 
G

G. Morgan

~BD~ wrote:

I should also have said that I enjoyed your video. You were certainly
ahead of the game! Well done! :)
Thanks

OT - are you still having trouble sleeping, Graham?
Click to expand...

Not exactly, just sleeping at appropriate hours is the problem! My back
is all ****ed up again. I'm supposed to go for some physical therapy
that my doctor recommended, but I can't seem to get it scheduled at 3
am.

--

"I don't like to discriminate against terrorists based on nationality.
If you declare war on the United States and you want to kill us,
We're going to kill you first, period."

October 19, 2011 - Ali Soufan (Colbert Report)
 
N

Nemo

I broke this story months ago and provided a homemade video on how to
get around it. The AV companies and software distributors are just now
acknowledging it?
Click to expand...
I've just checked a few trial downloads and can't see any evidence of
the wrapper. I wonder if Cnet has pulled it from its site, or maybe it
is selective in some way - I'm using Win7/IE9 and based in the UK.

Could others report on their experiences?
(obviousy, don't let the installer run fully if the wrapper is evident)
 
B

~BD~

G. Morgan said:
~BD~ wrote:



Not exactly, just sleeping at appropriate hours is the problem! My back
is all ****ed up again.
Click to expand...

I'm sorry to hear that.
I'm supposed to go for some physical therapy that my doctor recommended,
but I can't seem to get it scheduled at 3 am.
Click to expand...

See if you can find a great physiotherapist who will share your bed! ;-)
 
N

Nemo

Have you read here, Nemo?

http://krebsonsecurity.com/2011/12/download-com-bundling-toolbars-trojans/

HTH
Click to expand...
Thanks. I have now read that report as well. Please be clear that I am
not questioning the veracity of such reports, but I still cannot account
for why I am not being affected by it. I've checked 2 cited examples
(nmap, winrar). In each case the download is from
software-files-a.cnet.com and is the unadulterated installer. The Nmap
downloaded file is nmap-5.51-setup.exe which executes normally for me,
not as reported by others.

I am not a "registered user" of CNET's site. So I still wonder why the
different behaviour?
 
G

G. Morgan

Nemo said:
Thanks. I have now read that report as well. Please be clear that I am
not questioning the veracity of such reports, but I still cannot account
for why I am not being affected by it. I've checked 2 cited examples
(nmap, winrar). In each case the download is from
software-files-a.cnet.com and is the unadulterated installer. The Nmap
downloaded file is nmap-5.51-setup.exe which executes normally for me,
not as reported by others.

I am not a "registered user" of CNET's site. So I still wonder why the
different behaviour?
Click to expand...

I tried a few just now (including Winrar) and they are mostly clear now.

I did find a sample for you though (4th random try)

http://download.cnet.com/Advanced-Port-Scanner/3000-18508_4-98269.html

Should get you "cnet2_pscan13_exe.exe" with the wrapper.

--

"I don't like to discriminate against terrorists based on nationality.
If you declare war on the United States and you want to kill us,
We're going to kill you first, period."

October 19, 2011 - Ali Soufan (Colbert Report)
 
B

~BD~

Nemo said:
Thanks.
Click to expand...

YW! :)

I have now read that report as well. Please be clear that I am
not questioning the veracity of such reports, but I still cannot account
for why I am not being affected by it. I've checked 2 cited examples
(nmap, winrar). In each case the download is from
software-files-a.cnet.com and is the unadulterated installer. The Nmap
downloaded file is nmap-5.51-setup.exe which executes normally for me,
not as reported by others.

I am not a "registered user" of CNET's site. So I still wonder why the
different behaviour?
Click to expand...


I take it you have watched G. Morgan's video which he mentioned earlier
in the thread? But maybe not!

He made a video tutorial on how to bypass C-Net's new wrapper .exe back
in August! This is it (to save you a hunt!):-

http://screencast.com/t/CwTPXUIgUC

I'm afraid I can't personally help you further.
 
N

Nemo

YW! :)

I have now read that report as well. Please be clear that I am


I take it you have watched G. Morgan's video which he mentioned earlier
in the thread? But maybe not!

He made a video tutorial on how to bypass C-Net's new wrapper .exe back
in August! This is it (to save you a hunt!):-

http://screencast.com/t/CwTPXUIgUC

I'm afraid I can't personally help you further.
Click to expand...

You don't appear to understand the point I was raising.
 
G

G. Morgan

Nemo said:
Yes, that one is wrapped for me as well. It looks like CNET is trying to
cover its tracks by cleaning up cited examples?
Click to expand...

I don't know. What I do know is that "Graham Cluley" (no relation) and
others in the anti-shitware community are apparently not doing their
jobs. How could this Cluley guy be "surprised"¹ by this not-so-new
development? Could it be that AV vendors are intimidated by CBS, and
other big corporations for fear of legal retaliation for flagging it?
Same for some commercial key loggers. I think there are some deals made
behind closed doors for AV vendors to exclude signatures of commercial
shitware. Of course I can't prove it, and someone who knows for sure
probably isn't going to publicly confirm it.


¹"Meanwhile Graham Cluley, security expert and blogger for Sophos in the
UK, expressed his surprise on Twitter, saying, "What on earth is CNET
playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"
--

"I don't like to discriminate against terrorists based on nationality.
If you declare war on the United States and you want to kill us,
We're going to kill you first, period."

October 19, 2011 - Ali Soufan (Colbert Report)
 
D

Dustin

I don't know. What I do know is that "Graham Cluley" (no relation) and
others in the anti-shitware community are apparently not doing their
jobs. How could this Cluley guy be "surprised"¹ by this not-so-new
development? Could it be that AV vendors are intimidated by CBS, and
other big corporations for fear of legal retaliation for flagging it?
Same for some commercial key loggers. I think there are some deals made
behind closed doors for AV vendors to exclude signatures of commercial
shitware. Of course I can't prove it, and someone who knows for sure
probably isn't going to publicly confirm it.
Click to expand...

ehehehehe....
 
N

Nobody > (Revisited)

I broke this story months ago and provided a homemade video on how to
get around it. The AV companies and software distributors are just now
acknowledging it?
Click to expand...

See edited subject line.

I needed a "fresh" download of Avast Free for a friend this weekend, so
I proceeded to the Awil/Avast website. Those clowns now are letting CNET
handle the 'Free' version downloads directly, no other links/mirrors
shown there.

So... I d/l'ed it from CNET and scanned it with my own Avast and MBAM,
all seems kosher .... at this time.

I didn't install *that* one, went to MajorGeeks (usually good) and got
it there. This one also checked out OK via Avast/MBAM.

CNET has gotten so much shit handed to them over this that they had to
fix this, and it appears they did.

Regarding the "download houses" (CNET, MajorGeeks, File Hippo,
Softonic, etc)... it's always been a crapshoot if you don't do scanning
on your own. I *usually* do, but I admit that I have just gone on faith
a few times and go bit for it, had to clean out a few added crap
toolbars and BHOs but luckily no real baddies.

There's nothing you can do about the obligatory "Do You Want Chrome" nag
frames and such, that's a given.

IIRC, this isn't CNET's first trip down this lane. If memory(?)'s
correct, they tried a similar stunt back about 1997.



--
"Shit this is it, all the pieces do fit.
We're like that crazy old man jumping
out of the alleyway with a baseball bat,
saying, "Remember me motherfucker?"
Jim “Dandy” Mangrum
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

[GHacks] Avast Free Antivirus 7 Final Released 5
CCleaner Compromised to Distribute Malware for Almost a Month 10
Appears to be a spyware/malware website that shreds your files 1
Analysis of a Malware Compromise - my first malware 3
Comodo BOClean : Anti-Malware 5
Google to warn users targeted by state-sponsored attacks 2
Pop Up MALWARE: trojan.vundo, winfixer2005, winantivirus etc. 12
Dell ... will stop 'bundling' bloatware 1

Top