C|Net downloader flagged as Trojan - hijacks popular security tool

For many IT professionals and geeks, download.com, which is maintained by C|Net, used to be the go to spot for all your shareware and freeware needs. However, that was then, and now, changes over at C|Net have stirred the pot, leading some security vendors to flag their unique software installation tool as Malware.

On Monday, Fyodor (Gordon Lyon) blasted C|Net when a new version of his Nmap software was hijacked by their installer application.

C|Net’s special installation suite will offer to install various third-party tools, as well as altering the browser’s homepage and default search options. With millions of applications available on download.com, not all of them are forced in to the hijacked installation process.

C|Net’s installer is only applied to any updated software package, so Nmap was flagged and taken over the moment version 5.51 was submitted to downloads.com.

“C|Net's download page offers what they claim to be Nmap's Windows installer. They even provide the correct file size for our official installer. But users actually get a C|Net-created Trojan installer. That program does the dirty work before downloading and executing Nmap's real installer. Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer,” Fyodor explained.

To make things worse he added, users will likely install the software as normal, assuming that the source is trusted. When they later access their browser, they’ll find several alterations, from toolbars to start page changes, and some will blame the Nmap project itself.

“In addition to the deception and trademark violation, and potential violation of the Computer Fraud and Abuse Act, this clearly violates Nmap's copyright. This is exactly why Nmap isn't under the plain GPL,” he added.

“Our license specifically adds a clause forbidding software which ‘integrates/includes/aggregates Nmap into a proprietary executable installer’ unless that software itself conforms to various GPL requirements (this proprietary C|Net download.com software and the toolbar don't). We've long known that malicious parties might try to distribute a Trojan Nmap installer, but we never thought it would be C|Net's Download.com, which is owned by CBS! And we never thought Microsoft would be sponsoring this activity!”

Software developers can email C|Net and request that their application not be included in C|Net’s installation suite, however, such requests will be examined on a case-by-case basis the.

“In other words, 'we'll violate your trademarks and copyright and squandering your goodwill until you tell us to stop, and then we'll consider your request 'on a case-by-case basis' depending on how much money we make from infecting your users and how scary your legal threat is. F*ck them! If anyone knows a great copyright attorney in the U.S., please send me the details or ask them to get in touch with me.”

It’s worth noting that the title Trojan is applied to C|Net’s installer, not only by those who are against what it does, but by the anti-Virus industry itself. BitDefender, F-Secure, GData, McAfee, ESET, and Panda all flag the installer when it runs on a system. Three of them actually call it a Trojan.

C|Net defends their installer, by pointing out that the additional installations are “clearly disclosed and provides the option to accept or decline the offer before proceeding with the download.”

“We only show offers for software that is approved for listing on C|Net Download.com. If you do not wish to use the C|Net Installer, we provide a link to the direct HTTP download URL below the main ‘Download Now’ button. You need to be logged in as a C|Net member to use this link.”

Earlier this summer, there were several complaints about the new installer, which led to various postings on the topic, including one from GHacks and one from ExtremeTech, each discussing a different tool.

CBS Interactive, the parent of C|Net and download.com would not discuss the financial aspects of any third-party partnerships.

Like this article? Please share on Facebook and give The Tech Herald a Like too!