[fyodor@insecure.org: C|Net Download.Com is now bundling Nmap with malware!]

With permission....

----- Forwarded message from Fyodor <fyodor@insecure.org> -----

Hi Folks. I've just discovered that C|Net's Download.Com site has
started wrapping their Nmap downloads (as well as other free software
like VLC) in a trojan installer which does things like installing a
sketchy "StartNow" toolbar, changing the user's default search engine
to Microsoft Bing, and changing their home page to Microsoft's MSN.

The way it works is that C|Net's download page (screenshot attached)
offers what they claim to be Nmap's Windows installer. They even
provide the correct file size for our official installer. But users
actually get a Cnet-created trojan installer. That program does the
dirty work before downloading and executing Nmap's real installer.

Of course the problem is that users often just click through installer
screens, trusting that download.com gave them the real installer and
knowing that the Nmap project wouldn't put malicious code in our
installer. Then the next time the user opens their browser, they
find that their computer is hosed with crappy toolbars, Bing searches,
Microsoft as their home page, and whatever other shenanigans the
software performs! The worst thing is that users will think we (Nmap
Project) did this to them!

I took and attached a screen shot of the C|Net trojan Nmap installer
in action. Note how they use our registered "Nmap" trademark in big
letters right above the malware "special offer" as if we somehow
endorsed or allowed this. Of course they also violated our trademark
by claiming this download is an Nmap installer when we have nothing to
do with the proprietary trojan installer.

In addition to the deception and trademark violation, and potential
violation of the Computer Fraud and Abuse Act, this clearly violates
Nmap's copyright. This is exactly why Nmap isn't under the plain GPL.
Our license (http://nmap.org/book/man-legal.html) specifically adds a
clause forbidding software which "integrates/includes/aggregates Nmap
into a proprietary executable installer" unless that software itself
conforms to various GPL requirements (this proprietary C|Net
download.com software and the toolbar don't). We've long known that
malicious parties might try to distribute a trojan Nmap installer, but
we never thought it would be C|Net's Download.com, which is owned by
CBS! And we never thought Microsoft would be sponsoring this

It is worth noting that C|Net's exact schemes vary. Here is a story
about their shenanigans:


It is interesting to compare the trojaned VLC screenshot in that
article with the Nmap one I've attached. In that case, the user just
clicks "Next step" to have their machine infected. And they wrote
"SAFE, TRUSTED, AND SPYWARE FREE" in the trojan-VLC title bar. It is
telling that they decided to remove that statement in their newer
trojan installer. In fact, if we UPX-unpack the Trojan CNet
executable and send it to VirusTotal.com, it is detected as malware by
Panda, McAfee, F-Secure, etc:


According to Download.com's own stats, hundreds of people download the
trojan Nmap installer every week! So the first order of business is
to notify the community so that nobody else falls for this scheme.
Please help spread the word.

Of course the next step is to go after C|Net until they stop doing
this for ALL of the software they distribute. So far, the most they
have offered is:

  "If you would like to opt out of the Download.com Installer you can
   submit a request to cnet-installer@cbsinteractive.com. All opt-out
   requests are carefully reviewed on a case-by-case basis."

In other words, "we'll violate your trademarks and copyright and
squandering your goodwill until you tell us to stop, and then we'll
consider your request 'on a case-by-case basis' depending on how much
money we make from infecting your users and how scary your legal
threat is.

F*ck them! If anyone knows a great copyright attorney in the U.S.,
please send me the details or ask them to get in touch with me.

Also, shame on Microsoft for paying C|Net to trojan open source


----- End forwarded message -----

F*ck them! If anyone knows a great copyright attorney in the U.S.,
please send me the details or ask them to get in touch with me.

Hmm -- did you say "copyright"? I wonder what would happen if you sent
them a DMCA takedown notice. To quote Salvor Hardin, "It's a poor atom
blaster that doesn't point both ways." (And there's another Hardin
quote that seems particularly apt when talking about wielding the DMCA:
"Never let your sense of morals prevent you from doing what is right.")

    --Steve Bellovin, Steven M. Bellovin


F*ck them! If anyone knows a great copyright attorney in the U.S.,
please send me the details or ask them to get in touch with me.

Larry Lessig? Mike Godwin?

Might as well start at the top, dude.

-- jra

Using fruitful language and acting like a child isn't going to see you taken seriously.


Using fruitful language and acting like a child isn't going to see you taken seriously.

No, he *does* want fruitful language - one that produces results. I think you meant
some other word instead.

As far as "acting like a child", I'm reasonably sure that if CNet was doing the
same thing to the good name of your consulting company, you'd react similarly.

----- Forwarded message from Fyodor <fyodor@insecure.org>

On the other hand, just being Fyodor is sufficient to get him taken seriously.

Not that anyone cares but personally, I'm happy fyodor posted this and I'm forwarding it to anyone that I think might use download.com. I think it's crap anyone changes anyone's code like that

Maybe it's just me, but I would think that simply getting them listed on
stopbadware.org and other similar sites would probably have much more of an
The bad publicity can cause them to change tactics, but it takes some time.
I've seen much quicker results from blacklisting on Google and other search


Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222


Its already getting some press...

He could always send them a Cease and Desist letter like Wireshark had to


I've reported it as a malware site via Firefox. Have you?

But the whole site should be scanned for other/similar malware, and blocked
accordingly. Probably a harder problem, as it gives different downloads
depending on browser and OS.

Per the Krebs on Security link that Kyle just posted (and beat me to it),
the installer is already flagged as malware by a number of different scanners.

    --Steve Bellovin, https://www.cs.columbia.edu/~smb

It could be argued that Nmap is malware, and such software has already been called to be made illegal.

If I was Cnet, I would stop distributing his software altogether.

Link: http://nmap.org/book/legal-issues.html


That's a stretch. Malware generally, IMHO, means software which does something other than what it claims to do.

I don't believe that nmap does anything other than what it claims. I understand you may not like the idea of having such a tool available to users of your network. Personally, I'd rather that the users had access to such a tool than live without it myself. Kind of a double-edged sword, I know, but, nmap is a tool. In and of itself, neither bad nor good. Malice is in the intent of the user.

This distinguishes it from malware in that with malware, malice is in the intent of the author and not the user. Malware, once installed, does what its author wants it to do regardless of the intent of the user.

Sure, you can do things with nmap that are at best antisocial and at worst potentially illegal.

I can do things with a Bowie Knife that are as well.

However, used properly in the right context, both can be very useful tools.

I don't think we should outlaw either one. Then again, I'm rather liberal in that regard. I believe that we should not ban something if it has both legitimate and nefarious uses, but, rather, should only ban those things which pose a public hazard and have no legitimate use.

I suspect that he would rather Cnet stop distributing his software altogether than do what they are doing.

I appreciate the warning and have stopped using CNET as a result.


It could be argued that Nmap is malware, and such software has already
been called to be made illegal.

If I was Cnet, I would stop distributing his software altogether.

Link: Legal Issues | Nmap Network Scanning

It could. But making such an argument calls the arguer's grasp of reality into question. Nmap is a tool, like any other. It has no more ethical value than a nail gun or a hammer. In the hands of an engineer, it is a valuable addition to a toolkit. In the hands of an attacker, it can become a weapon.

If it could be argued that Nmap is malware, then it could be argued that hammers are weapons; therefore, we should call on Home Depot to stop carrying these deadly instruments with all due alacrity - or at least have governments step in and create licensing programs for hand tools.

Nathan Eisenberg

I'm pretty sure nmap is the exact opposite of Malware.

It's an essential information security tool.


Reach out to the Free Software Foundation and EFF. They may not be
able to help directly, but I'm sure that they could put you in touch
with some pro bono legal experts that could give you the right advice
on how to act.

As mentioned, both Lessig, and Eben Moglen, would be good starting points.

Having seen the previous owner of my house's cabinet building skills, and living with them, I'm all for licensing!

Called by whom, other than yourself?



There's a big difference between "hacking tools" and malware.

Edward Dore
Freethought Internet

If this is not trolling and you actually believe this, just wow.....

Nmap is just a tool, and any tool can be misused by people for criminal acts.
It's really no different than a gun in that regard. Both are incredibly
useful things in the right hands, mere tools to further security. However in
the wrong hands they can be used to commit crimes and break other peoples

A trojan can be used for good if in the right hands as a remote access tool for business use.