
C|Net Download.Com accused of bundling Nmap with malware

From:  Fyodor <fyodor-AT-insecure.org>
To:  nmap-hackers-AT-insecure.org
Subject:  C|Net Download.Com is now bundling Nmap with malware!
Date:  Mon, 5 Dec 2011 14:35:30 -0800
Message-ID:  <20111205223530.GA21383@syn.titan.net>

Hi Folks.  I've just discovered that C|Net's Download.Com site has
started wrapping their Nmap downloads (as well as other free software
like VLC) in a trojan installer which does things like installing a
sketchy "StartNow" toolbar, changing the user's default search engine
to Microsoft Bing, and changing their home page to Microsoft's MSN.

The way it works is that C|Net's download page (screenshot attached)
offers what they claim to be Nmap's Windows installer.  They even
provide the correct file size for our official installer.  But users
actually get a Cnet-created trojan installer.  That program does the
dirty work before downloading and executing Nmap's real installer.

Of course the problem is that users often just click through installer
screens, trusting that download.com gave them the real installer and
knowing that the Nmap project wouldn't put malicious code in our
installer.  Then the next time the user opens their browser, they
find that their computer is hosed with crappy toolbars, Bing searches,
Microsoft as their home page, and whatever other shenanigans the
software performs!  The worst thing is that users will think we (Nmap
Project) did this to them!

I took and attached a screen shot of the C|Net trojan Nmap installer
in action.  Note how they use our registered "Nmap" trademark in big
letters right above the malware "special offer" as if we somehow
endorsed or allowed this.  Of course they also violated our trademark
by claiming this download is an Nmap installer when we have nothing to
do with the proprietary trojan installer.

In addition to the deception and trademark violation, and potential
violation of the Computer Fraud and Abuse Act, this clearly violates
Nmap's copyright.  This is exactly why Nmap isn't under the plain GPL.
Our license (http://nmap.org/book/man-legal.html) specifically adds a
clause forbidding software which "integrates/includes/aggregates Nmap
into a proprietary executable installer" unless that software itself
conforms to various GPL requirements (this proprietary C|Net
download.com software and the toolbar don't).  We've long known that
malicious parties might try to distribute a trojan Nmap installer, but
we never thought it would be C|Net's Download.com, which is owned by
CBS!  And we never thought Microsoft would be sponsoring this
activity!

It is worth noting that C|Net's exact schemes vary.  Here is a story
about their shenanigans:

http://www.extremetech.com/computing/93504-download-com-w...

It is interesting to compare the trojaned VLC screenshot in that
article with the Nmap one I've attached.  In that case, the user just
clicks "Next step" to have their machine infected.  And they wrote
"SAFE, TRUSTED, AND SPYWARE FREE" in the trojan-VLC title bar.  It is
telling that they decided to remove that statement in their newer
trojan installer.  In fact, if we UPX-unpack the Trojan CNet
executable and send it to VirusTotal.com, it is detected as malware by
Panda, McAfee, F-Secure, etc:

http://bit.ly/cnet-nmap-vt

According to Download.com's own stats, hundreds of people download the
trojan Nmap installer every week!  So the first order of business is
to notify the community so that nobody else falls for this scheme.
Please help spread the word.

Of course the next step is to go after C|Net until they stop doing
this for ALL of the software they distribute.  So far, the most they
have offered is:

  "If you would like to opt out of the Download.com Installer you can
   submit a request to cnet-installer@cbsinteractive.com. All opt-out
   requests are carefully reviewed on a case-by-case basis."

In other words, "we'll violate your trademarks and copyright and
squander your goodwill until you tell us to stop, and then we'll
consider your request 'on a case-by-case basis' depending on how much
money we make from infecting your users and how scary your legal
threat is."

F*ck them!  If anyone knows a great copyright attorney in the U.S.,
please send me the details or ask them to get in touch with me.

Also, shame on Microsoft for paying C|Net to trojan open source
software!

Cheers,
Fyodor



_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-hackers
Archived at http://seclists.org/nmap-hackers/
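
Two details in the post above lend themselves to a check a practitioner can run on a downloaded installer: the wrapper was UPX-packed (Fyodor unpacked it before submitting it to VirusTotal), and the download page advertised the size of the official installer while serving a different binary. The script below is an added example and is not code from the LWN page, from Fyodor's post, or from the Nmap project. It compares a file's size and SHA-256 against values the publisher provides out of band, and reads the PE section table to spot the UPX0/UPX1/UPX2 section names a stock UPX pack leaves behind. The expected digest and the stub PE byte strings are constructed inside the script for the example; the stubs carry only the headers the parser needs and are not loadable executables.

```python
import hashlib
import struct

# Section names a stock UPX pack writes into the PE section table.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}

IMAGE_FILE_HEADER_SIZE = 20
IMAGE_SECTION_HEADER_SIZE = 40


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pe_section_names(data: bytes) -> list:
    """Walk the PE section table and return the section names.

    Returns [] for anything that is not a PE image, so a caller can treat
    'no sections' and 'not a PE at all' the same way during triage.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    if coff + IMAGE_FILE_HEADER_SIZE > len(data):
        return []
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    num_sections, opt_size = struct.unpack_from("<2xH12xH2x", data, coff)
    table = coff + IMAGE_FILE_HEADER_SIZE + opt_size
    names = []
    for i in range(num_sections):
        off = table + IMAGE_SECTION_HEADER_SIZE * i
        if off + IMAGE_SECTION_HEADER_SIZE > len(data):
            break  # truncated table: report what could be read
        raw_name = data[off:off + 8].split(b"\0", 1)[0]
        names.append(raw_name.decode("ascii", errors="replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if any section carries a name left behind by a stock UPX pack."""
    return bool(set(pe_section_names(data)) & UPX_SECTION_NAMES)


def assess_download(data: bytes, expected_size: int, expected_sha256: str) -> dict:
    """Compare a downloaded file with the publisher's advertised size and digest.

    Only the digest match is a verdict.  Size equality and the absence of
    UPX sections are hints: a download page can quote the right size while
    serving another file, and a custom packer leaves no UPX names.
    """
    findings = {
        "size_matches": len(data) == expected_size,
        "sha256_matches": sha256_hex(data) == expected_sha256.lower(),
        "upx_packed": looks_upx_packed(data),
    }
    findings["trust"] = findings["sha256_matches"]
    return findings


def build_stub_pe(section_names: list) -> bytes:
    """Constructed sample input: a DOS stub, a PE signature, a COFF header
    with SizeOfOptionalHeader = 0, and one 40-byte header per section.
    Real binaries carry a 0xE0/0xF0-byte optional header; the parser skips
    it by size either way."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(
        struct.pack("<8s", name.encode("ascii")) + b"\0" * 32 for name in section_names
    )
    return bytes(dos) + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    # Stand-ins for the official installer and for a repackaged wrapper.
    official = build_stub_pe([".text", ".rdata", ".rsrc"])
    wrapper = build_stub_pe(["UPX0", "UPX1", ".rsrc"])
    advertised_size, advertised_digest = len(official), sha256_hex(official)
    for label, blob in (("official", official), ("wrapper", wrapper)):
        print(label, assess_download(blob, advertised_size, advertised_digest))
```

The stubs are deliberately the same length, so the wrapper passes the size check and fails only on the digest, which is the situation the post describes. On a real Windows host the stronger check is the Authenticode signature and signer name of the file, which this offline script does not attempt.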



C|Net Download.Com accused of bundling Nmap with malware

Posted Dec 6, 2011 15:15 UTC (Tue) by hpro (subscriber, #74751) [Link]

Wouldn't it be funny to modify the real Nmap-installer to pop up a warning if it notices it was called from an external installer, such as C|Net's ..

I guess that would only lead to them completely repackaging the entire thing though..

Curious: not the same toolbar

Posted Dec 6, 2011 15:26 UTC (Tue) by renox (guest, #23785) [Link]

I used C|Net recently (shame on me) and it installed google's toolbar, not the same toolbar curiously, in fact it warned about it before the download (but I didn't understand the warning because the webpage was in a foreign language).
But I could uninstall google's toolbar without trouble.

C|Net Download.Com accused of bundling Nmap with malware

Posted Dec 6, 2011 16:57 UTC (Tue) by briangmaddox (guest, #39279) [Link]

I wonder if this is a result of the CBS purchase or something CNET has been planning for a while. Waiting to see if any of the ex-CNETters out there say anything.

C|Net Download.Com accused of bundling Nmap with malware

Posted Dec 6, 2011 17:06 UTC (Tue) by dashesy (guest, #74652) [Link]

Apparently they have been doing this for some time (here and here). Shame on Microsoft true, but there are more to blame.

C|Net Download.Com accused of bundling Nmap with malware

Posted Dec 6, 2011 17:06 UTC (Tue) by clugstj (subscriber, #4020) [Link]

"shame on Microsoft for paying C|Net to trojan open source software".

It's just business as usual for Microsoft - they've been operating this way for at least the last 25 years.

C|Net Download.Com accused of bundling Nmap with malware

Posted Dec 6, 2011 17:20 UTC (Tue) by yokem_55 (subscriber, #10498) [Link]

I ran into this the other day with a cnet download of a free-beer-ware utility for windows. It took me a couple of seconds to read through what was happening, and I barely caught it before clicking through too fast.

As for Nmap, I'm thinking a strongly worded C&D to the CNet Legal department is in order for trademark and license violations. This "your request will be reviewed on a case by case basis" is a load of bull hockey.

But... Why?

Posted Dec 6, 2011 19:19 UTC (Tue) by job (guest, #670) [Link] (15 responses)

I don't understand. Why do people download software from unofficial distribution sites, especially when the global Internet makes the official very easy to both find and reach?

Software from some random unofficial site could be laden with whatever rootkits and trojans you can think of. It really could have been much worse than it was in this article.

But... Why?

Posted Dec 6, 2011 19:41 UTC (Tue) by cesarb (subscriber, #6266) [Link] (7 responses)

> Why do people download software from unofficial distribution sites, especially when the global Internet makes the official very easy to both find and reach?

I do this all the time. For instance, I often download gcc from Fedora, instead of from the official GNU site. The same for a lot of other software.

But... Why?

Posted Dec 6, 2011 21:30 UTC (Tue) by job (guest, #670) [Link] (6 responses)

Of course, but I thought the Windows context here was implicit. They are not spoiled with proper package management.

Somehow I doubt it would be worth the trouble to trojanize Linux installers on random web pages...

But... Why?

Posted Dec 6, 2011 22:11 UTC (Tue) by cesarb (subscriber, #6266) [Link] (5 responses)

> Of course, but I thought the Windows context here was implicit. They are not spoiled with proper package management.

Even then, some of the reasons are the same. I could get Eclipse from the official site, and even get a newer version that way, but it is still more convenient for me to get it (and almost everything else) from Fedora (or whichever Linux distribution I am using that day), and it would still be the case even without package management.

The comment below by rgmoore makes the same point I was trying to make, perhaps more eloquently.

For Windows, there is the added benefit that these large download aggregator sites are supposed to scan for malware, so it should be safer for nontechnical users than looking for the original site (yes, I am aware of the irony here). This same rationale applies to downloading Firefox extensions only from Mozilla's addons site, even when they are available elsewhere.

Re: But... Why?

Posted Dec 7, 2011 2:12 UTC (Wed) by ldo (guest, #40946) [Link] (4 responses)

For Windows, there is the added benefit that these large download aggregator sites are supposed to scan for malware, so it should be safer for nontechnical users than looking for the original site (yes, I am aware of the irony here).

The irony is that all these attempts to offer add-on security for Windows only seem to lead to more opportunities for security holes and, as in this case, downright deception by the parties supposedly providing the “security”.

Tell me there isn’t something fundamentally wrong with Windows...

Re: But... Why?

Posted Dec 7, 2011 9:48 UTC (Wed) by trasz (guest, #45786) [Link] (3 responses)

Not with Windows - with the users. It's just that most of them use Windows.

Re: But... Why?

Posted Dec 7, 2011 21:26 UTC (Wed) by ldo (guest, #40946) [Link] (2 responses)

Not with Windows - with the users.

You’re trying to blame Windows users for what CNET is doing?

Re: But... Why?

Posted Dec 8, 2011 13:29 UTC (Thu) by trasz (guest, #45786) [Link] (1 responses)

You're trying to blame Microsoft for what CNET is doing? ;-)

Re: But... Why?

Posted Dec 8, 2011 17:58 UTC (Thu) by clugstj (subscriber, #4020) [Link]

Well, since they are changing your search to use Bing, it's a pretty good bet that Microsoft is paying them to do it.

But... Why?

Posted Dec 6, 2011 20:41 UTC (Tue) by pflugstad (subscriber, #224) [Link]

A good fraction of the time, the official site actually links to Download.com (or some other download site) instead of providing the link directly. For example: Irfanview (http://www.irfanview.com/) is a very good/popular image viewer/editor for Windows. If you go to their download page, they provide links to their software installer on Download.com, TUCOWS, and half a dozen other sites.

I expect this is mostly done to cut the site hosting costs for the main site. If everyone downloaded it directly, that's a significant bandwidth bill - but by farming it out to a number of other download sites, those sites pay for the bandwidth. This also lets you leverage regional mirroring, again saving bandwidth costs.

So - it's a common thing.

People are aware of the issue with unofficial download sites, which is why Download.com and others often advertise "trojan/spyware/crapware free" or some variation of that.

And up until recently, I've never had any trouble with these sites. I do recall the change when Download.com switched to the silly installer a few months ago (August time frame I think) - I just selected a different download mirror.

Download.com is now officially on my DO NOT GO THERE list...

But... Why?

Posted Dec 6, 2011 20:42 UTC (Tue) by ikm (guest, #493) [Link] (2 responses)

People tend to download from the first link the search engine gives them. Whether it's an official download place or not takes some thought not everybody is willing to take.

But... Why?

Posted Dec 6, 2011 21:32 UTC (Tue) by job (guest, #670) [Link] (1 responses)

That was my point. Download.com is not even in the first page of Google hits for "nmap".

But... Why?

Posted Dec 7, 2011 8:39 UTC (Wed) by eduperez (guest, #11232) [Link]

> That was my point. Download.com is not even in the first page of Google hits for "nmap".

It isn't in the first page when you search for it; remember that Google tailors search results to each user.

But... Why?

Posted Dec 6, 2011 21:56 UTC (Tue) by rgmoore (✭ supporter ✭, #75) [Link]

Why do people download software from unofficial distribution sites, especially when the global Internet makes the official very easy to both find and reach?

I would assume it's for some of the same reasons Free Software users tend to get their software from a distribution rather than directly from upstream. If you're dealing with more than a few packages, it's a lot easier to have a single site that finds all the software you want and puts it in one big archive, rather than having to track down each upstream project individually and deal with their different packaging and downloading standards. Obviously C|Net isn't doing the same kind of QC that a good Linux distro does- including malware seems like anti-QC- but aggregating the software is a big convenience.

But... Why?

Posted Dec 6, 2011 22:02 UTC (Tue) by josh (subscriber, #17465) [Link]

For a long time, CNet's download.com provided a fairly respectable place to get software for Windows. It served as a mirror network, and as mentioned in another comment, sometimes as the semi-official download site linked from the official site. It also had relatively reliable links, unlike vendor sites which reorganize their long unreliable URLs on a whim. Some of the Open Source projects I've worked on used download.com links when they needed to reference Windows programs people might need (generally the kinds of utilities that Linux users already have readily available, such as disk utilities). And until these recent incidents, it provided a safe place to download software without expecting to get something nasty along for the ride.

But... Why?

Posted Dec 8, 2011 8:49 UTC (Thu) by Comet (subscriber, #11646) [Link]

Trust.

If I'm a casual computer user, who has figured out that something hinky is going on and looking for a way to figure out what's happening and if I need to pay someone to clean my system, I'm not likely to know the names of all the tools in this problem space. I wouldn't know "nmap" from "apple juice".

But if there's a repository of software which has had some basic checks done and only includes legitimate, non-pirated, malware-scanned software, and I know the repository and use it repeatedly then I can build up trust in it. If I find software which seems interesting, I can check the trusted site for it. If they provide an index, I can even check there first, for software that can solve my problems.

I mean, why use Google's Android Market, when I can just enable installing from non-market sources and install .APK files from websites I've never heard of before? Why install the Amazon market, instead of just going direct?

There is clearly a place in the software distribution ecosystem for marketplace intermediaries who can build up reputation and trust in their own right, so that end-users do not need to become subject domain experts to know who to trust as a source of software to run on their computer/phone/tablet/brain-implant/...

And just as clearly, trust can be abused and the marketplace can react accordingly to the betrayal.

C|Net Download.Com accused of bundling Nmap with malware

Posted Dec 6, 2011 19:20 UTC (Tue) by s0f4r (guest, #52284) [Link]

Microsoft has money, so, any lawyer should be jumping to file suit for you. Cheers.

C|Net Download.Com accused of bundling Nmap with malware

Posted Dec 6, 2011 19:37 UTC (Tue) by JoeBuck (subscriber, #2330) [Link] (13 responses)

A DMCA takedown notice could be filed by the copyright holder.

C|Net Download.Com accused of bundling Nmap with malware

Posted Dec 6, 2011 20:47 UTC (Tue) by ikm (guest, #493) [Link] (12 responses)

I wonder how is this related to DMCA exactly? I've always thought DMCA was about preventing protection circumvention.

DMCA

Posted Dec 6, 2011 21:03 UTC (Tue) by corbet (editor, #1) [Link] (11 responses)

Anti-circumvention is only one part of the DMCA. There's also a lot of rules regarding hosting of content that violates copyright or trademark rights and the ways to get that content taken down.

DMCA

Posted Dec 6, 2011 21:35 UTC (Tue) by job (guest, #670) [Link]

I believe you're not even allowed to link to web pages that distribute infringing software (from what I remember of the DeCSS case). Considering the amount of links to this particular site, that's a whole lot of money up for grabs for someone with the necessary legal skills. Any takers? ;-)

DMCA

Posted Dec 6, 2011 23:18 UTC (Tue) by cmccabe (guest, #60281) [Link] (9 responses)

The nmap copyright license looks "interesting." http://nmap.org/book/man-legal.html

It's GPLv2, but with some additional provisions:

> To avoid misunderstandings, we consider an application to constitute a
> “derivative work” for the purpose of this license if it does any of
> the following:
>
> Integrates source code from Nmap
>
> Reads or includes Nmap copyrighted data files, such as nmap-os-db or
> nmap-service-probes.
>
> Executes Nmap and parses the results (as opposed to typical shell or
> execution-menu apps, which simply display raw Nmap output and so are not
> derivative works.)
>
> Integrates/includes/aggregates Nmap into a proprietary executable
> installer, such as those produced by InstallShield.
>
> Links to a library or executes a program that does any of the above.

I mean technically, when you run nmap on Windows, the Windows kernel is loading the nmap binary, which is an nmap-copyrighted file, and executing that binary. "Parsing the results" is a poorly defined term, but it seems clear that there is a back and forth flow of data between the kernel and nmap. Does that mean using nmap on Windows in the first place is a copyright violation? Or if you run nmap in a non-GPLv2 shell and pipe it to grep, is that a license violation? Also, arguably this is an "additional restriction" which the GPL forbids.

I don't think it's even possible to redefine what a "derived work" is inside your license. Isn't that a fundamental part of copyright law, defined in 17 U.S.C. § 101?

These guys sure do know security inside and out, but I'm not optimistic about how well this particular license would hold up in court.

The trademark violation, on the other hand, seems a lot more clear-cut. They should just enforce their trademark. Of course, then Debian will declare it non-free and come out with IceWeaselMap... but that's ok :)

DMCA

Posted Dec 7, 2011 1:09 UTC (Wed) by ewan (guest, #5533) [Link] (6 responses)

It's GPLv2, but with some additional provisions:

No, it's GPLv2 plus one exception for OpenSSL. The 'clarifications' are just information about how the authors interpret the phrase 'derived work'. Their interpretation may or may not be correct, but they're not saying that you have to accept their interpretation to get a licence, they're just telling you what it is.

I mean technically, when you run nmap on Windows, the Windows kernel is loading the nmap binary, which is an nmap-copyrighted file, and executing that binary.

You can run GPLv2 software on a proprietary OS - standard OS components are specifically exempted.

I don't think it's even possible to redefine what a "derived work" is inside your license. Isn't that a fundamental part of copyright law, defined in 17 U.S.C. § 101?

US law doesn't hold everywhere, of course, but you're right - the term means what it means, it cannot be redefined, and isn't being.

I'd have thought that the obvious GPL claim here would be that the file that CNet are distributing is clearly a derived work ('interesting' interpretations of that term not withstanding), and so they cannot distribute it unless they make the source to their malware available under the GPL as well.

DMCA

Posted Dec 7, 2011 7:18 UTC (Wed) by jku (subscriber, #42379) [Link] (1 responses)

Fyodor doesn't seem to agree with you. I have no idea how that would work but he quite clearly believes the clarifications are part of the license.

DMCA

Posted Dec 7, 2011 11:03 UTC (Wed) by Wol (subscriber, #4433) [Link]

The problem is that "derivative work" is NOT a legally clear term.

So this "clarification" may not stand up in a court of law, but it places distributors on clear notice as to the copyright holder's understanding of the law.

If a term is legally ambiguous, but the defendant knew up-front the interpretation the plaintiff placed on it, then the defendant cannot argue "innocent mistake". They *have* to argue "plaintiff is wrong", which is a lot harder. The "as I understand the law" defence is a lot harder if the plaintiff says "but I told you that's not the way I understand it".

Cheers,
Wol

DMCA

Posted Dec 7, 2011 10:14 UTC (Wed) by Los__D (guest, #15263) [Link] (1 responses)

No, it GPLv2 plus one exception for OpenSSL. The 'clarifications' are just information about how the authors interpret the phrase 'derived work'. Their interpretation may or may not be correct, but they're not saying that you have to accept their interpretation to get a licence, they're just telling you what it is.

Fyodor doesn't agree with you (even though I do):
This is exactly why Nmap isn't under the plain GPL. Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding software which "integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to various GPL requirements (this proprietary C|Net download.com software and the toolbar don't).

DMCA

Posted Dec 7, 2011 11:35 UTC (Wed) by ewan (guest, #5533) [Link]

Interesting, but I'd have thought the plain GPL did that just fine - the installer binary is clearly a derived work of nmap since it includes the whole thing, and can't reasonably be considered 'mere aggregation [...] on a volume of a storage or distribution medium', so the GPL would prohibit redistribution of the whole unless the other components were available under the GPL as well, which seems to be exactly what Fyodor suggests is the intended behaviour of the licence.

DMCA

Posted Dec 7, 2011 19:12 UTC (Wed) by cmccabe (guest, #60281) [Link] (1 responses)

> > I mean technically, when you run nmap on Windows, the Windows kernel
> > is loading the nmap binary, which is an nmap-copyrighted file, and
> > executing that binary.

> You can run GPLv2 software on a proprietary OS - standard OS components
> are specifically exempted.

Good point.

Clearly the malware needs to patch the OS somehow during the install, so that they can legally be in the clear. Microsoft toolbar / nmap parser kernel module, anyone?

People really have to learn to stop downloading from shady third-party repositories... just don't do it.

DMCA

Posted Dec 7, 2011 22:25 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

Sure, people shouldn't do it, but this is just exploiting a trust relationship.

The more certain you are that organisation (or person) X won't abuse your trust of them, the more valuable it is for X to sell you out to the bad guys, or if X won't sell, the more valuable it is to impersonate X by any means necessary.

DMCA

Posted Dec 7, 2011 9:59 UTC (Wed) by gidoca (subscriber, #62438) [Link]

I think it's quite clear that what the Windows kernel does is analogous in nature to the "typical shell or execution-menu apps", which they explicitly exclude.

DMCA

Posted Dec 7, 2011 14:45 UTC (Wed) by fuhchee (guest, #40059) [Link]

"we consider an application to constitute a “derivative work”"

That's fine, but the concept of "derivative work" is not up to the fashions of the developer, but up to law.

C|Net Download.Com accused of bundling Nmap with malware

Posted Dec 7, 2011 12:33 UTC (Wed) by robbe (guest, #16131) [Link]

JoeBuck suggested using the DMCA. But as this is also a trademark violation, I am more reminded of this:
http://arstechnica.com/tech-policy/news/2011/11/us-judge-...
Wouldn't it be nice if download.com was handed over to the nmap team? The ad revenues of one month should cover any legal fees, plus fund nmap development for a couple of years.


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds