Officials at Cnet’s Download.com site have issued a statement apologizing for bundling the popular open source Nmap security audit application with adware that changed users’ search engine and home page to Microsoft properties. Fyodor, the author of Nmap, raised the issue earlier this week, saying that his app was being wrapped in malware on Download.com.
It’s not unusual for download sites to bundle free applications with some kind of adware or toolbar, but the creators of open-source applications take a dim view of this practice, given the nature and ethic of open source projects. Nmap is a venerable and widely used tool for mapping networks and performing security audits. Fyodor wrote in a message to an Nmap mailing list earlier this week that Download.com, which is part of Cnet, a subsidiary of CBS Interactive, was wrapping the application in its own download-manager installer, which, if a user agreed, would install a search toolbar and change the user’s search engine to Bing.
“The way it works is that C|Net’s download page (screenshot attached) offers what they claim to be Nmap’s Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap’s real installer. Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn’t put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!” Fyodor wrote in his original message.
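The detail above that the Download.com page advertised the correct file size is the security-relevant point: a wrapper installer can be padded to the same size as the original, so size is no evidence of integrity. The check a user or packager actually wants is a comparison of the downloaded file against a digest published by the project itself. The following is an added example, not code from the Nmap project or from Cnet; the two byte strings are constructed stand-ins for an official installer and a same-sized wrapper, and `PUBLISHED_SHA256` stands in for the digest a project would publish on its own site.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an in-memory file image."""
    return hashlib.sha256(data).hexdigest()

def verify_download(data: bytes, expected_size: int, expected_sha256: str) -> dict:
    """Report which checks a downloaded installer passes.

    size_ok   - length matches the size the download page advertised
    sha256_ok - digest matches the one the project published out of band
    accept    - both checks pass; size alone is never sufficient
    """
    size_ok = len(data) == expected_size
    # Constant-time comparison of the hex strings; the mismatch case is the
    # interesting one, since a wrapper can be padded to the advertised size.
    sha256_ok = hmac.compare_digest(sha256_hex(data), expected_sha256.lower())
    return {"size_ok": size_ok, "sha256_ok": sha256_ok, "accept": size_ok and sha256_ok}

def verify_file(path: str, expected_size: int, expected_sha256: str) -> dict:
    """Same check against a file on disk (what a user would run on a download)."""
    with open(path, "rb") as fh:
        return verify_download(fh.read(), expected_size, expected_sha256)

# Constructed stand-ins (hypothetical bytes, not real Nmap or Cnet binaries).
OFFICIAL_INSTALLER = b"MZ" + b"\x00" * 30 + b"nmap-official-installer-payload"
# Same length as the official image, different content: the advertised size matches,
# so only the digest comparison distinguishes it from the real installer.
WRAPPED_INSTALLER = b"MZ" + b"\x00" * 30 + b"wrapper-that-fetches-real-nmap!"

# Stand-in for the digest the project would publish alongside the download.
PUBLISHED_SHA256 = sha256_hex(OFFICIAL_INSTALLER)
ADVERTISED_SIZE = len(OFFICIAL_INSTALLER)

if __name__ == "__main__":
    for name, blob in (("official", OFFICIAL_INSTALLER), ("wrapped", WRAPPED_INSTALLER)):
        print(name, verify_download(blob, ADVERTISED_SIZE, PUBLISHED_SHA256))
```

Run stand-alone, the script reports that the wrapped image passes the size check and fails the digest check, which is exactly the case a download page's file-size figure cannot catch; a project that publishes digests (or signs its installers) gives users something the mirror cannot silently satisfy.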
In its apology, Cnet said that the situation was the result of an oversight.
“The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused. In addition to immediately taking Nmap out of the download manager, we reviewed all open source files in our catalog to ensure none are being bundled. It is a Download.com policy not to bundle open source software and we will continue to take pains to ensure this does not happen again,” Sean Murphy wrote in the statement.
Fyodor has set up a site explaining the situation with Cnet and laying out the details. Some of his anger stems from the fact that Cnet claims its downloads are free of adware, malware and spyware.
“It is unbelievable and reprehensible that they can make these claims of being adware, malware, and spyware free at the same time as they are actually adding adware and malware to the packages they distribute!” he wrote on the site.
“It is bad enough when software authors include toolbars and other unwanted apps bundled with their software. But having Download.Com insert such things into 3rd party installers is even more insidious. When users find their systems hosed (searches redirected, home pages changed, new hard-to-uninstall toolbars taking up space in their browser) after installing software, they are likely to blame the software authors. But in this case it is entirely Download.com’s fault for infecting the installers! So while Download.Com takes the payment for exploiting their users’ trust and infecting the machines, it is the software authors who wrongly take the blame! Of course it is users who pay the ultimate price of having their systems infected just to make a few bucks for CNET,” Fyodor continued.