Has Download.com become Desolation Boulevard?
Gordon Lyon, more commonly known on the Internet as Fyodor, runs the Internet security resource sites Insecure.Org, Nmap.Org, SecLists.Org, and SecTools.Org and maintains the Nmap Security Scanner.
On Seclists.org, he writes of what he sees as a growing cesspool on the popular Download.com site:
I've just discovered that C|Net's Download.Com site has started wrapping their Nmap downloads (as well as other free software like VLC) in a trojan installer which does things like installing a sketchy "StartNow" toolbar, changing the user's default search engine to Microsoft Bing, and changing their home page to Microsoft's MSN.
The way it works is that C|Net's download page (screenshot attached) offers what they claim to be Nmap's Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap's real installer.
Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer.
Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!
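The detail that the mirror listed the correct file size while serving a different file is the practical lesson here: size is not an integrity check. The following is an added example, not code from Fyodor's post or from the Nmap project, of the check a user or an endpoint script should do instead: compare both the size and a SHA-256 digest against values published by the project itself. The two sample "installers" are constructed byte strings of identical length, chosen to reproduce the situation described above; the hypothetical `verify_download` helper and the expected values are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample files (not real installers): a "genuine" body and a
# "wrapped" stub padded to exactly the same length, mirroring the case where
# the listed size matched the official installer but the bytes did not.
GENUINE = b"GENUINE-INSTALLER-BYTES" + b"\x00" * 1000
WRAPPED = b"WRAPPER-STUB" + b"\x01" * (len(GENUINE) - len(b"WRAPPER-STUB"))
assert len(GENUINE) == len(WRAPPED)


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_size, expected_sha256):
    """Return per-check results; 'ok' is True only when size AND digest match.

    expected_size / expected_sha256 must come from the project's own site
    (ideally a signed checksum file), never from the mirror's download page,
    since the mirror is the party whose output is in question.
    """
    actual_size = os.path.getsize(path)
    actual_hash = sha256_of_file(path)
    size_ok = actual_size == expected_size
    # Constant-time comparison is cheap insurance when digests come from input.
    hash_ok = hmac.compare_digest(actual_hash, expected_sha256.lower())
    return {
        "size_ok": size_ok,
        "hash_ok": hash_ok,
        "ok": size_ok and hash_ok,
        "sha256": actual_hash,
    }


def write_temp(data):
    """Write constructed bytes to a temp file so the check runs against a real path."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Run the verifier over both constructed files using the genuine file's values."""
    expected_size = len(GENUINE)
    expected_hash = hashlib.sha256(GENUINE).hexdigest()
    results = {}
    for name, data in (("genuine", GENUINE), ("wrapped", WRAPPED)):
        path = write_temp(data)
        try:
            results[name] = verify_download(path, expected_size, expected_hash)
        finally:
            os.remove(path)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: size_ok={r['size_ok']} hash_ok={r['hash_ok']} ok={r['ok']}")
```

Run as a script, the wrapped file passes the size check and fails the digest check, which is exactly the gap a size-only comparison leaves open. In practice the expected digest should be fetched over HTTPS from the project's own domain or from a signed release manifest, and on Windows an Authenticode signature check on the downloaded binary adds a second, publisher-bound test.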
Fyodor notes that he's not the only one to have come across this problem. Lee Mathews, an IT admin based in Manitoba, wrote about his own findings on the ExtremeTech site back in August. He wrote:
There was a time long, long ago when Download.com was the place I went for software. It’s been years, however, as the site repeatedly showed signs of devolving into a site every bit as bothersome as the many third-tier software repositories that hide genuine links below cleverly placed advertisements and bundle toolbars with their “certified” local downloads.
At Download.com, page designs have been repeatedly tweaked over the years to push its updater software (now called TechTracker), TrialPay offers, and the site’s mailing list. Bothersome, perhaps, but certainly not inexcusable. They’ve got to make money off the site somehow, after all, and banner ads don’t always do the job. Now, things have taken a turn for the worse: Cnet has begun wrapping downloads in a proprietary installer.
Wrapping installers is a terrible practice. For one thing, it can be a violation of a program’s distribution terms — but Download.com has no doubt ensured that its TOS states that if you let them mirror your files you’re giving them free rein. It’s also a serious slap in the face to users, who wind up not with a clean, genuine version of the installer they tried to download but a modified beast that shoves toolbar, home page, and default search engine changes down their throats.
But it gets worse. Cnet knows that there’s something wrong with what they’re doing, and they’re trying to deceive developers and users. On the Upload.com FAQ, there’s a note posted to let developers know why the bundling is taking place: “for the users.” Yes, Cnet thinks we’re clueless enough to believe that their motivation is really to provide users with a less painful download and installation process. Because opt-out toolbars and homepage changes make software setup less annoying.
Here's the full FAQ from Cnet on this practice:
1. What is the CNET Download.com Installer?
The CNET Download.com Installer is a tiny ad-supported stub installer or “download manager” that helps securely deliver downloads from Download.com’s servers to the user's device. The user is guaranteed that the file they install came from Download.com's servers, and the simple and easy to follow steps help ensure that they complete their download and install the software.
2. Why is Download.com making this change?
Our testing has shown that as many as half of all people who initiate a download fail to complete the download and install their software. The Download.com Installer improves the process by stepping the user through their download and enabling them to more easily find and execute your software's installer. Other download sites employ similar solutions, but we believe that ours provides more security and utility as well as better consumer protections.
3. How does the Download.com Installer improve the download experience?
By downloading with the Download.com Installer the user is guaranteed that the file they install on their system came directly from Download.com. Only software that is tested spyware-free and hosted on Download.com's secure servers may be delivered via the Installer.
In addition, thanks to the clear steps provided by the Installer, the percentage of users who are able to complete the download process increases significantly when using the Installer for their downloads.
Finally, Download.com is supported primarily by advertising, and we include offers for additional downloads from advertisers as part of our Installer process. Unlike other download sites that employ similar ad-supported technologies, however, our Installer is limited to a single offer that is carefully screened to ensure compliance with the Download.com Software Policies.
4. Is all software on Download.com delivered via the Installer?
No. The Download.com Installer was rolled out in July 2011 to a limited number of Windows software downloads. At this time we are still evaluating its performance and incorporating feedback from the user and developer communities.
5. Is my direct download URL still available?
Yes. Users who wish to bypass the Download.com Installer may do so via the direct HTTP download URL that is provided below the main “Download Now” button. At this time we require users to be registered and logged in to access the direct download link.
6. Why are users seeing offers for additional software during the download?
The Download.com Installer is supported by offers for additional 3rd-party software. Users will encounter a single offer during their download, which is clearly disclosed and provides the option to accept or decline it before proceeding with the download. We only show offers for software that is approved for listing on Download.com and has undergone additional screening to ensure compliance with the Download.com Software Policies.
7. Are any additional items installed on the user's machine?
The Download.com Installer does not install itself on the user's system and does not leave behind any additional components. If the user accepts an offer for 3rd-party software during their download, the additional items that they've agreed to will be installed on their system.
8. Will there be additional reporting available with the Download.com Installer?
Yes. The Download.com Installer allows us to have a more comprehensive view of the download funnel, from the click on the Download Now button to the completion of download and installation of the file. We expect to have these additional reporting metrics available via the Upload.com reports.
9. Can I opt out of the CNET Download.com Installer?