Cnet is accused of bundling malware with downloads

[Kirk Bubul]

On Wed, 07 Dec 2011 08:59:12 +0000, Nemo <invalid@invalid.invalid>
wrote:

>On 07/12/2011 05:38, G. Morgan wrote:
>> Virus Guy wrote:
>>
>>> Meanwhile Graham Cluley, security expert and blogger for Sophos in the
>>> UK, expressed his surprise on Twitter, saying, "What on earth is CNET
>>> playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"
>>
>> I broke this story months ago and provided a homemade video on how to
>> get around it. The AV companies and software distributors are just now
>> acknowledging it?
>>
>I've just checked a few trial downloads and can't see any evidence of
>the wrapper. I wonder if Cnet has pulled it from its site, or maybe it
>is selective in some way - I'm using Win7/IE9 and based in the UK.
>
>Could others report on their experiences?
>(obviousy, don't let the installer run fully if the wrapper is evident)

I have used Cnet's TechTracker to keep over 20 programs up to date.
I've noticed with great displeasure that some time ago they started
pushing the toolbar and other unwanted items as one tried to update a
completely unrelated program.

Just within the last week or so, the malware rejection/acceptance
screen has become more buried in the chain of clicks that one must
make in order to install the wanted software.

Can we start a petition? I've given them negative feedback.

[~BD~]

G. Morgan wrote:
> ~BD~ wrote:
>
>
>> I should also have said that I enjoyed your video. You were certainly
>> ahead of the game! Well done! :-)
>
> Thanks
>
>> OT - are you still having trouble sleeping, Graham?
>
> Not exactly, just sleeping at appropriate hours is the problem! My back
> is all ****ed up again.

I'm sorry to hear that.

> I'm supposed to go for some physical therapy that my doctor recommended,
> but I can't seem to get it scheduled at 3 am.

See if you can find a great physiotherapist who will share your bed! ;-)

[Bullwinkle.]

LOL So I guess the world ignores the "successful" businessman.

Must be the drugs.



"G. Morgan" <sealteam6@osama-is-dead.net> wrote in message
news:hqutd7dofaadp87t1dcem6bvebiqiudpkm@Osama-is-dead.net...
Virus Guy wrote:

>Meanwhile Graham Cluley, security expert and blogger for Sophos in the
>UK, expressed his surprise on Twitter, saying, "What on earth is CNET
>playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"

I broke this story months ago and provided a homemade video on how to
get around it. The AV companies and software distributors are just now
acknowledging it?

[Nemo]

On 07/12/2011 10:09, ~BD~ wrote:
> Nemo wrote:
>> On 07/12/2011 05:38, G. Morgan wrote:
>>> Virus Guy wrote:
>>>
>>>> Meanwhile Graham Cluley, security expert and blogger for Sophos in the
>>>> UK, expressed his surprise on Twitter, saying, "What on earth is CNET
>>>> playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"
>>>
>>> I broke this story months ago and provided a homemade video on how to
>>> get around it. The AV companies and software distributors are just now
>>> acknowledging it?
>>>
>> I've just checked a few trial downloads and can't see any evidence of
>> the wrapper. I wonder if Cnet has pulled it from its site, or maybe it
>> is selective in some way - I'm using Win7/IE9 and based in the UK.
>>
>> Could others report on their experiences?
>> (obviously, don't let the installer run fully if the wrapper is evident)
>
>
> Have you read here, Nemo?
>
> http://krebsonsecurity.com/2011/12/d...lbars-trojans/
>
> HTH
Thanks. I have now read that report as well. Please be clear that I am
not questioning the veracity of such reports, but I still cannot account
for why I am not being affected by it. I've checked 2 cited examples
(nmap, winrar). In each case the download is from
software-files-a.cnet.com and is the unadulterated installer. The Nmap
downloaded file is nmap-5.51-setup.exe which executes normally for me,
not as reported by others.

I am not a "registered user" of CNET's site. So I still wonder why the
different behaviour?

[G. Morgan]

Nemo wrote:

>> HTH
>Thanks. I have now read that report as well. Please be clear that I am
>not questioning the veracity of such reports, but I still cannot account
>for why I am not being affected by it. I've checked 2 cited examples
>(nmap, winrar). In each case the download is from
>software-files-a.cnet.com and is the unadulterated installer. The Nmap
>downloaded file is nmap-5.51-setup.exe which executes normally for me,
>not as reported by others.
>
>I am not a "registered user" of CNET's site. So I still wonder why the
>different behaviour?

I tried a few just now (including Winrar) and they are mostly clear now.

I did find a sample for you though (4th random try)

http://download.cnet.com/Advanced-Po...8_4-98269.html

Should get you "cnet2_pscan13_exe.exe" with the wrapper.

--

"I don't like to discriminate against terrorists based on nationality.
If you declare war on the United States and you want to kill us,
We're going to kill you first, period."

October 19, 2011 - Ali Soufan (Colbert Report)

[~BD~]

Nemo wrote:
> On 07/12/2011 10:09, ~BD~ wrote:
>> Nemo wrote:
>>> On 07/12/2011 05:38, G. Morgan wrote:
>>>> Virus Guy wrote:
>>>>
>>>>> Meanwhile Graham Cluley, security expert and blogger for Sophos in the
>>>>> UK, expressed his surprise on Twitter, saying, "What on earth is CNET
>>>>> playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"
>>>>
>>>> I broke this story months ago and provided a homemade video on how to
>>>> get around it. The AV companies and software distributors are just now
>>>> acknowledging it?
>>>>
>>> I've just checked a few trial downloads and can't see any evidence of
>>> the wrapper. I wonder if Cnet has pulled it from its site, or maybe it
>>> is selective in some way - I'm using Win7/IE9 and based in the UK.
>>>
>>> Could others report on their experiences?
>>> (obviously, don't let the installer run fully if the wrapper is evident)
>>
>>
>> Have you read here, Nemo?
>>
>> http://krebsonsecurity.com/2011/12/d...lbars-trojans/
>>
>>
>> HTH


> Thanks.

YW! :-)

I have now read that report as well. Please be clear that I am
> not questioning the veracity of such reports, but I still cannot account
> for why I am not being affected by it. I've checked 2 cited examples
> (nmap, winrar). In each case the download is from
> software-files-a.cnet.com and is the unadulterated installer. The Nmap
> downloaded file is nmap-5.51-setup.exe which executes normally for me,
> not as reported by others.
>
> I am not a "registered user" of CNET's site. So I still wonder why the
> different behaviour?


I take it you have watched G. Morgan's video which he mentioned earlier
in the thread? But maybe not!

He made a video tutorial on how to bypass C-Net's new wrapper .exe back
in August! This is it (to save you a hunt!):-

http://screencast.com/t/CwTPXUIgUC

I'm afraid I can't personally help you further.

[Nemo]

On 07/12/2011 12:47, G. Morgan wrote:
> Nemo wrote:
>
>>> HTH
>> Thanks. I have now read that report as well. Please be clear that I am
>> not questioning the veracity of such reports, but I still cannot account
>> for why I am not being affected by it. I've checked 2 cited examples
>> (nmap, winrar). In each case the download is from
>> software-files-a.cnet.com and is the unadulterated installer. The Nmap
>> downloaded file is nmap-5.51-setup.exe which executes normally for me,
>> not as reported by others.
>>
>> I am not a "registered user" of CNET's site. So I still wonder why the
>> different behaviour?
>
> I tried a few just now (including Winrar) and they are mostly clear now.
>
> I did find a sample for you though (4th random try)
>
> http://download.cnet.com/Advanced-Po...8_4-98269.html
>
> Should get you "cnet2_pscan13_exe.exe" with the wrapper.
>
Yes, that one is wrapped for me as well. It looks like CNET is trying to
cover its tracks by cleaning up cited examples?

[Nemo]

On 07/12/2011 12:56, ~BD~ wrote:
> Nemo wrote:
>> On 07/12/2011 10:09, ~BD~ wrote:
>>> Nemo wrote:
>>>> On 07/12/2011 05:38, G. Morgan wrote:
>>>>> Virus Guy wrote:
>>>>>
>>>>>> Meanwhile Graham Cluley, security expert and blogger for Sophos in
>>>>>> the
>>>>>> UK, expressed his surprise on Twitter, saying, "What on earth is CNET
>>>>>> playing at wrapping downloads (VLC, Nmap, etc) with a cruddy
>>>>>> toolbar?"
>>>>>
>>>>> I broke this story months ago and provided a homemade video on how to
>>>>> get around it. The AV companies and software distributors are just now
>>>>> acknowledging it?
>>>>>
>>>> I've just checked a few trial downloads and can't see any evidence of
>>>> the wrapper. I wonder if Cnet has pulled it from its site, or maybe it
>>>> is selective in some way - I'm using Win7/IE9 and based in the UK.
>>>>
>>>> Could others report on their experiences?
>>>> (obviously, don't let the installer run fully if the wrapper is
>>>> evident)
>>>
>>>
>>> Have you read here, Nemo?
>>>
>>> http://krebsonsecurity.com/2011/12/d...lbars-trojans/
>>>
>>>
>>>
>>> HTH
>
>
>> Thanks.
>
> YW! :-)
>
> I have now read that report as well. Please be clear that I am
>> not questioning the veracity of such reports, but I still cannot account
>> for why I am not being affected by it. I've checked 2 cited examples
>> (nmap, winrar). In each case the download is from
>> software-files-a.cnet.com and is the unadulterated installer. The Nmap
>> downloaded file is nmap-5.51-setup.exe which executes normally for me,
>> not as reported by others.
>>
>> I am not a "registered user" of CNET's site. So I still wonder why the
>> different behaviour?
>
>
> I take it you have watched G. Morgan's video which he mentioned earlier
> in the thread? But maybe not!
>
> He made a video tutorial on how to bypass C-Net's new wrapper .exe back
> in August! This is it (to save you a hunt!):-
>
> http://screencast.com/t/CwTPXUIgUC
>
> I'm afraid I can't personally help you further.

You don't appear to understand the point I was raising.

[Bullwinkle.]

What !! The great 007 wannabe does not understand something?

oh Dear.


"Nemo" <invalid@invalid.invalid> wrote in message
news:GGJDq.128508$Bz4.42508@newsfe14.ams2...
On 07/12/2011 12:56, ~BD~ wrote:
> Nemo wrote:
>> On 07/12/2011 10:09, ~BD~ wrote:
>>> Nemo wrote:
>>>> On 07/12/2011 05:38, G. Morgan wrote:
>>>>> Virus Guy wrote:
>>>>>
>>>>>> Meanwhile Graham Cluley, security expert and blogger for Sophos in
>>>>>> the
>>>>>> UK, expressed his surprise on Twitter, saying, "What on earth is CNET
>>>>>> playing at wrapping downloads (VLC, Nmap, etc) with a cruddy
>>>>>> toolbar?"
>>>>>
>>>>> I broke this story months ago and provided a homemade video on how to
>>>>> get around it. The AV companies and software distributors are just now
>>>>> acknowledging it?
>>>>>
>>>> I've just checked a few trial downloads and can't see any evidence of
>>>> the wrapper. I wonder if Cnet has pulled it from its site, or maybe it
>>>> is selective in some way - I'm using Win7/IE9 and based in the UK.
>>>>
>>>> Could others report on their experiences?
>>>> (obviously, don't let the installer run fully if the wrapper is
>>>> evident)
>>>
>>>
>>> Have you read here, Nemo?
>>>
>>> http://krebsonsecurity.com/2011/12/d...lbars-trojans/
>>>
>>>
>>>
>>> HTH
>
>
>> Thanks.
>
> YW! :-)
>
> I have now read that report as well. Please be clear that I am
>> not questioning the veracity of such reports, but I still cannot account
>> for why I am not being affected by it. I've checked 2 cited examples
>> (nmap, winrar). In each case the download is from
>> software-files-a.cnet.com and is the unadulterated installer. The Nmap
>> downloaded file is nmap-5.51-setup.exe which executes normally for me,
>> not as reported by others.
>>
>> I am not a "registered user" of CNET's site. So I still wonder why the
>> different behaviour?
>
>
> I take it you have watched G. Morgan's video which he mentioned earlier
> in the thread? But maybe not!
>
> He made a video tutorial on how to bypass C-Net's new wrapper .exe back
> in August! This is it (to save you a hunt!):-
>
> http://screencast.com/t/CwTPXUIgUC
>
> I'm afraid I can't personally help you further.

You don't appear to understand the point I was raising.

[G. Morgan]

Nemo wrote:

>> I did find a sample for you though (4th random try)
>>
>> http://download.cnet.com/Advanced-Po...8_4-98269.html
>>
>> Should get you "cnet2_pscan13_exe.exe" with the wrapper.
>>
>Yes, that one is wrapped for me as well. It looks like CNET is trying to
>cover its tracks by cleaning up cited examples?

I don't know. What I do know is that "Graham Cluley" (no relation) and
others in the anti-****ware community are apparently not doing their
jobs. How could this Cluley guy be "surprised"¹ by this not-so-new
development? Could it be that AV vendors are intimidated by CBS, and
other big corporations for fear of legal retaliation for flagging it?
Same for some commercial key loggers. I think there are some deals made
behind closed doors for AV vendors to exclude signatures of commercial
****ware. Of course I can't prove it, and someone who knows for sure
probably isn't going to publicly confirm it.


¹"Meanwhile Graham Cluley, security expert and blogger for Sophos in the
UK, expressed his surprise on Twitter, saying, "What on earth is CNET
playing at wrapping downloads (VLC, Nmap, etc) with a cruddy toolbar?"
--

"I don't like to discriminate against terrorists based on nationality.
If you declare war on the United States and you want to kill us,
We're going to kill you first, period."

October 19, 2011 - Ali Soufan (Colbert Report)