Geekcentricity Tech Alert: Download.com Bundling Adware With Free Software

In a post to the Nmap Hackers list, Nmap author Fyodor accuses Download.com of wrapping a trojan installer (flagged as such by several AV engines when submitted to VirusTotal) around free software including Nmap and VLC Media Player. The C|Net installer bundles a toolbar, changes browser settings, and potentially performs other shenanigans — all under the logo of the application the user thought they were downloading. Apparently, this isn’t the first time they have done this, either.

Hi Folks. I’ve just discovered that C|Net’s Download.Com site has started wrapping their Nmap downloads (as well as other free software like VLC) in a trojan installer which does things like installing a sketchy “StartNow” toolbar, changing the user’s default search engine to Microsoft Bing, and changing their home page to Microsoft’s MSN.

The way it works is that C|Net’s download page (screenshot attached) offers what they claim to be Nmap’s Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap’s real installer.

Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn’t put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!
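The point in Fyodor's message that the download page shows the correct file size while delivering a different file is worth making concrete: a matching size proves nothing, only a cryptographic hash (or a signature) published by the project itself does. The script below is an added example, not code from the blog, from Fyodor or from the Nmap project; it assumes the project publishes a SHA-256 for its official installer, and the two installer images it compares are constructed in-line.

```python
"""Check a downloaded installer against the size and SHA-256 the project publishes.

Constructed example: both the "official" and the "wrapped" installer bytes are
made up here; they are not Nmap's installer or the Download.com wrapper.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Hash the file in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, expected_size, expected_sha256):
    """Return (ok, reason). The size is only a sanity check; the hash decides."""
    size = os.path.getsize(path)
    if size != expected_size:
        return False, "size mismatch: got %d, expected %d" % (size, expected_size)
    if sha256_of(path) != expected_sha256.lower():
        return False, "size matches but SHA-256 differs: not the official file"
    return True, "size and SHA-256 match the published values"


def demo():
    """Constructed scenario: a same-sized impostor passes the size check but
    fails the hash check. Returns {name: (ok, reason)} for both files."""
    official = b"OFFICIAL-INSTALLER" + b"\x00" * 1006   # 1024 bytes, constructed
    wrapped = b"WRAPPED-INSTALLER-" + b"\x00" * 1006    # same size, other content
    published_size = len(official)                      # what the project would list
    published_sha256 = hashlib.sha256(official).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("official", official), ("wrapped", wrapped)):
            p = os.path.join(d, name + ".exe")
            with open(p, "wb") as f:
                f.write(data)
            results[name] = verify_download(p, published_size, published_sha256)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%s: %s (%s)" % (name, "OK" if ok else "REJECT", why))
```

The published hash must come from the project's own site, not from the download portal, otherwise the check only confirms the portal is consistent with itself.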

The Electronic Frontier Foundation has several suggestions for what they should do now.

And if you’ve downloaded their installer, I suggest you remove it. Right now!

So, CNET, here’s what you need to do to really make it right:

Stop bundling adware into your installer. Failing that,

1. Rewrite your adware policy to admit that Download.com no longer has a “zero tolerance” policy for bundled adware, and make the change public, so users and developers know about it.
2. If you are going to allow ads, make sure they are not deceptive. This means it should be very clear that the ad is entirely separate from the install process (and no “accept” buttons where “next step” should be), and that the developer of the software the user actually wants has nothing to do with the advertised app.
3. Clean up the mess: prominently offer, on the front page of the Download.com site and as part of the ads themselves, to assist users with uninstalling any advertised software they may have unknowingly installed.
4. Right now, many users won’t know they can download the software without the adware. Direct download should be the default process, and users who choose to use the Download.com installer should know, before they do, that the process will include advertising or other software they might not want.
5. Until the “opt-in” procedure is well-established, cease bundling adware for commercial as well as open source applications.

https://www.eff.org/deeplinks/2011/12/downloadcom-debacle-what-cnet-needs-do-make-it-right

About the Author

Life from a Geekcentric perspective.
