Cnet Apologizes for Nmap Adware Bundling

Officials at Cnet’s Download.com site have issued a statement apologizing for bundling the popular open source Nmap security audit application with adware that changed users’ search engine and home page to Microsoft properties. Fyodor, the author of Nmap, raised the issue earlier this week, saying that his app was being wrapped in malware on Download.com.

It’s not unusual for download sites to bundle free applications with some kind of adware or toolbar, but the creators of open-source applications take a dim view of this practice, given the nature and ethic of open source projects. Nmap is a venerable and widely used tool for mapping networks and performing security audits. Fyodor wrote in a message to an Nmap mailing list earlier this week that Download.com, which is part of Cnet, a subsidiary of CBS Interactive, was bundling the application with its own installer, which, if a user agreed, would install a search toolbar and change the user’s search engine to Bing.

“The way it works is that C|Net’s download page (screenshot attached) offers what they claim to be Nmap’s Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap’s real installer. Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn’t put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!” Fyodor wrote in his original message.

In its apology, Cnet said that the situation was the result of an oversight.

“The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused. In addition to immediately taking Nmap out of the download manager, we reviewed all open source files in our catalog to ensure none are being bundled. It is a Download.com policy not to bundle open source software and we will continue to take pains to ensure this does not happen again,” Sean Murphy wrote in the statement.

Fyodor has set up a site explaining the situation with Cnet and laying out the details. Part of his anger stems from Cnet’s claims that its downloads are free of adware, malware and spyware.

“It is unbelievable and reprehensible that they can make these claims of being adware, malware, and spyware free at the same time as they are actually adding adware and malware to the packages they distribute!” he wrote on the site.

“It is bad enough when software authors include toolbars and other unwanted apps bundled with their software. But having Download.Com insert such things into 3rd party installers is even more insidious. When users find their systems hosed (searches redirected, home pages changed, new hard-to-uninstall toolbars taking up space in their browser) after installing software, they are likely to blame the software authors. But in this case it is entirely Download.com’s fault for infecting the installers! So while Download.Com takes the payment for exploiting their users’ trust and infecting the machines, it is the software authors who wrongly take the blame! Of course it is users who pay the ultimate price of having their systems infected just to make a few bucks for CNET,” Fyodor continued.

Discussion

  • Zac on

    So this is how Microsoft does their 'marketing', forcing their products on people in the worst possible way. Thank CNET for colluding with Microsoft. No doubt you would have got a big sum of money to do it. One can just imagine if Google or Apple did this. Microsoft will again get a free pass on any blame, with all of it going to CNET.

  • Anonymous on

    @Zac : Google does this all the time, with the google toolbar being installed in a wide variety of software...

  • Anonymous on

    Adobe reader X download bundles chrome with the download unless you are paying attention.

  • xpda on

    It is one thing for the software publisher to bundle, but it is quite rude for a download site to sneak stuff in on a download file. I have used download.com for a lot of years, but I can see it may be time for a change.

  • Craploader on

    *.download.com 127.0.0.1 ; block malware provider

  • Jamie on

    This did worry me as I use download.com a lot but it's not really malware if you click to accept changes to your system and no further changes are made after the installer has finished, is it?

  • Anonymous on

    Yeah, I dumped using CNET once they forced their crappy "download tool". Whatever CNET, I'll find the file without your silly binary downloading things for me.

  • Eric Crist on

    OpenVPN GUI is still listed, and is still bundled with the cNet installer. Their claim that they've removed the installer from all open source is false. We are working to get them to remove the install from the OpenVPN download, as well as either hosting a current version (theirs is more than 3 years old) or completely removing it.

  • Jack LaRue on

    What about the root of the problem involving Microsoft's shady marketing tactics of paying Cnet to infect the machines? Are they so insecure about the quality of their products that they have to trick and force themselves upon unsuspecting users? I happen to prefer Bing as my homepage in ie but that is a matter of free choice. Another aspect to consider is the cost of the system resources these types of malware consume.

  • Anonymous on

    CNET or download.com... take a hike and don't come back.

  • Anonymous on

    Wow... I think Microsoft is getting even more dumb these days. Hmm, let's bundle search engine changing bloatware with a tool that is used primarily by networking professionals.

    They'll never notice hahaha :-/.

    Save it for the Angry Birds downloads guys..

    Bing sucks. Get over it. I can Bing Microsoft error messages and not find anything related to what I am looking for but when I turn to Google I find my answer. Pretty sad.
