Cnet is accused of bundling malware with downloads

[Virus Guy]

Cnet is accused of bundling malware with downloads

http://www.theinquirer.net/inquirer/...ware-downloads

The down low on low down Cnet downloads
By Dave Neal
Tue Dec 06 2011, 12:12

TECHNOLOGY PUBLISHER Cnet has been accused of bundling malware with the
security scanning software Nmap through its Downloads web site.

The accusation comes from the creator of Nmap, who in a forum post on
the Seclists.org web site chose not to mince his words.

"I've just discovered that C|Net's Download.Com site has started
wrapping their Nmap downloads (as well as other free software like VLC)
in a trojan installer which does things like installing a sketchy
'StartNow' toolbar, changing the user's default search engine to
Microsoft Bing, and changing their home page to Microsoft's MSN," wrote
Gordon 'Fyodor' Lyon in his post.

"The way it works is that C|Net's download page offers what they claim
to be Nmap's Windows installer. They even provide the correct file size
for our official installer. But users actually get a Cnet-created trojan
installer. That program does the dirty work before downloading and
executing Nmap's real installer."

People trust the web site, he added, and so are happy to click through
its installer screens, which they do at their own cost.

"Then the next time the user opens their browser, they find that their
computer is hosed with crappy toolbars, Bing searches, Microsoft as
their home page, and whatever other shenanigans the software performs!,"
he added. "The worst thing is that users will think we (Nmap Project)
did this to them!"

This is bad for users, he explained, but it's also bad for his Nmap
Project since allegedly Cnet is misusing its trademark to shill the
malware, and could be violating copyright laws.

"Note how they use our registered 'Nmap' trademark in big letters right
above the malware 'special offer' as if we somehow endorsed or allowed
this. Of course they also violated our trademark by claiming this
download is an Nmap installer when we have nothing to do with the
proprietary trojan installer," he added.

"We've long known that malicious parties might try to distribute a
trojan Nmap installer, but we never thought it would be C|Net's
Download.com, which is owned by CBS! And we never thought Microsoft
would be sponsoring this activity!"

Lyon added that once the Trojan Cnet executable is unpacked it is
detected as malware by Panda, McAfee and F-Secure.

Meanwhile Graham Cluley, security expert and blogger for Sophos in the
UK, expressed his surprise on Twitter, saying, "What on earth is CNET
playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"

Lyon is perhaps understandably annoyed by his failed attempts to resolve
the situation amicably with Cnet. "F*ck them!" he added. "If anyone
knows a great copyright attorney in the U.S., please send me the details
or ask them to get in touch with me."

We've asked Cnet to comment on the allegations. µ

[G. Morgan]

Virus Guy wrote:

>Meanwhile Graham Cluley, security expert and blogger for Sophos in the
>UK, expressed his surprise on Twitter, saying, "What on earth is CNET
>playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"

I broke this story months ago and provided a homemade video on how to
get around it. The AV companies and software distributors are just now
acknowledging it?

--

"I don't like to discriminate against terrorists based on nationality.
If you declare war on the United States and you want to kill us,
We're going to kill you first, period."

October 19, 2011 - Ali Soufan (Colbert Report)

[~BD~]

G. Morgan wrote:
> Virus Guy wrote:
>
>> Meanwhile Graham Cluley, security expert and blogger for Sophos in the
>> UK, expressed his surprise on Twitter, saying, "What on earth is CNET
>> playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"
>
> I broke this story months ago and provided a homemade video on how to
> get around it. The AV companies and software distributors are just now
> acknowledging it?
>

Is your video on YouTube or similar, Graham?

May one take a peek? If so, a link please! :-)

[G. Morgan]

~BD~ wrote:

>G. Morgan wrote:
>> Virus Guy wrote:
>>
>>> Meanwhile Graham Cluley, security expert and blogger for Sophos in the
>>> UK, expressed his surprise on Twitter, saying, "What on earth is CNET
>>> playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"
>>
>> I broke this story months ago and provided a homemade video on how to
>> get around it. The AV companies and software distributors are just now
>> acknowledging it?
>>
>
>Is your video on YouTube or similar, Graham?
>
>May one take a peek? If so, a link please! :-)

http://groups.google.com/group/alt.c...a6b121ee?hl=en

--

"I don't like to discriminate against terrorists based on nationality.
If you declare war on the United States and you want to kill us,
We're going to kill you first, period."

October 19, 2011 - Ali Soufan (Colbert Report)

[~BD~]

G. Morgan wrote:
> ~BD~ wrote:
>
>> G. Morgan wrote:
>>> Virus Guy wrote:
>>>
>>>> Meanwhile Graham Cluley, security expert and blogger for Sophos in the
>>>> UK, expressed his surprise on Twitter, saying, "What on earth is CNET
>>>> playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"
>>>
>>> I broke this story months ago and provided a homemade video on how to
>>> get around it. The AV companies and software distributors are just now
>>> acknowledging it?
>>>
>>
>> Is your video on YouTube or similar, Graham?
>>
>> May one take a peek? If so, a link please! :-)
>
> http://groups.google.com/group/alt.c...a6b121ee?hl=en


Thank you! :-)

Great desktop piccie too - I somehow doubt that you took it yourself!

[G. Morgan]

~BD~ wrote:

>G. Morgan wrote:
>> ~BD~ wrote:
>>
>>> G. Morgan wrote:
>>>> Virus Guy wrote:
>>>>
>>>>> Meanwhile Graham Cluley, security expert and blogger for Sophos in the
>>>>> UK, expressed his surprise on Twitter, saying, "What on earth is CNET
>>>>> playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"
>>>>
>>>> I broke this story months ago and provided a homemade video on how to
>>>> get around it. The AV companies and software distributors are just now
>>>> acknowledging it?
>>>>
>>>
>>> Is your video on YouTube or similar, Graham?
>>>
>>> May one take a peek? If so, a link please! :-)
>>
>> http://groups.google.com/group/alt.c...a6b121ee?hl=en
>
>
>Thank you! :-)
>
>Great desktop piccie too - I somehow doubt that you took it yourself!

Nah, someone posted a link to it on a newsgroup and I liked it. I'm back
to a plain solid color now.

--

"I don't like to discriminate against terrorists based on nationality.
If you declare war on the United States and you want to kill us,
We're going to kill you first, period."

October 19, 2011 - Ali Soufan (Colbert Report)

[Nemo]

On 07/12/2011 05:38, G. Morgan wrote:
> Virus Guy wrote:
>
>> Meanwhile Graham Cluley, security expert and blogger for Sophos in the
>> UK, expressed his surprise on Twitter, saying, "What on earth is CNET
>> playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"
>
> I broke this story months ago and provided a homemade video on how to
> get around it. The AV companies and software distributors are just now
> acknowledging it?
>
I've just checked a few trial downloads and can't see any evidence of
the wrapper. I wonder if Cnet has pulled it from its site, or maybe it
is selective in some way - I'm using Win7/IE9 and based in the UK.

Could others report on their experiences?
(obviousy, don't let the installer run fully if the wrapper is evident)

[~BD~]

Nemo wrote:
> On 07/12/2011 05:38, G. Morgan wrote:
>> Virus Guy wrote:
>>
>>> Meanwhile Graham Cluley, security expert and blogger for Sophos in the
>>> UK, expressed his surprise on Twitter, saying, "What on earth is CNET
>>> playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"
>>
>> I broke this story months ago and provided a homemade video on how to
>> get around it. The AV companies and software distributors are just now
>> acknowledging it?
>>
> I've just checked a few trial downloads and can't see any evidence of
> the wrapper. I wonder if Cnet has pulled it from its site, or maybe it
> is selective in some way - I'm using Win7/IE9 and based in the UK.
>
> Could others report on their experiences?
> (obviously, don't let the installer run fully if the wrapper is evident)


Have you read here, Nemo?

http://krebsonsecurity.com/2011/12/d...lbars-trojans/

HTH

[Nemo]

On 07/12/2011 10:09, ~BD~ wrote:
> Nemo wrote:
>> On 07/12/2011 05:38, G. Morgan wrote:
>>> Virus Guy wrote:
>>>
>>>> Meanwhile Graham Cluley, security expert and blogger for Sophos in the
>>>> UK, expressed his surprise on Twitter, saying, "What on earth is CNET
>>>> playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"
>>>
>>> I broke this story months ago and provided a homemade video on how to
>>> get around it. The AV companies and software distributors are just now
>>> acknowledging it?
>>>
>> I've just checked a few trial downloads and can't see any evidence of
>> the wrapper. I wonder if Cnet has pulled it from its site, or maybe it
>> is selective in some way - I'm using Win7/IE9 and based in the UK.
>>
>> Could others report on their experiences?
>> (obviously, don't let the installer run fully if the wrapper is evident)
>
>
> Have you read here, Nemo?
>
> http://krebsonsecurity.com/2011/12/d...lbars-trojans/
>
> HTH
Thanks. I have now read that report as well. Please be clear that I am
not questioning the veracity of such reports, but I still cannot account
for why I am not being affected by it. I've checked 2 cited examples
(nmap, winrar). In each case the download is from
software-files-a.cnet.com and is the unadulterated installer. The Nmap
downloaded file is nmap-5.51-setup.exe which executes normally for me,
not as reported by others.

I am not a "registered user" of CNET's site. So I still wonder why the
different behaviour?

[G. Morgan]

Nemo wrote:

>> HTH
>Thanks. I have now read that report as well. Please be clear that I am
>not questioning the veracity of such reports, but I still cannot account
>for why I am not being affected by it. I've checked 2 cited examples
>(nmap, winrar). In each case the download is from
>software-files-a.cnet.com and is the unadulterated installer. The Nmap
>downloaded file is nmap-5.51-setup.exe which executes normally for me,
>not as reported by others.
>
>I am not a "registered user" of CNET's site. So I still wonder why the
>different behaviour?

I tried a few just now (including Winrar) and they are mostly clear now.

I did find a sample for you though (4th random try)

http://download.cnet.com/Advanced-Po...8_4-98269.html

Should get you "cnet2_pscan13_exe.exe" with the wrapper.

--

"I don't like to discriminate against terrorists based on nationality.
If you declare war on the United States and you want to kill us,
We're going to kill you first, period."

October 19, 2011 - Ali Soufan (Colbert Report)