- “C|Net Download.Com is now bundling Nmap with malware!” by Fyodor (nmap-hackrs email list; 2011.12.05):
From: firstname.lastname@example.org On Behalf Of Fyodor
Sent: Monday, December 2011.12.05 17:36
Subject: C|Net Download.Com is now bundling Nmap with malware!
Hi Folks. I've just discovered that C|Net's Download.Com site has started wrapping their
Nmap downloads (as well as other free software like VLC) in a trojan installer which does
things like installing a sketchy "StartNow" toolbar, changing the user's default search
engine to Microsoft Bing, and changing their home page to Microsoft's MSN.
The way it works is that C|Net's download page (screenshot attached) offers what they
claim to be Nmap's Windows installer. They even provide the correct file size for our
official installer. But users actually get a Cnet-created trojan installer. That program
does the dirty work before downloading and executing Nmap's real installer.
Of course the problem is that users often just click through installer screens, trusting
that download.com gave them the real installer and knowing that the Nmap project wouldn't
put malicious code in our installer. Then the next time the user opens their browser,
they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as
their home page, and whatever other shenanigans the software performs! The worst thing is
that users will think we (Nmap Project) did this to them!
I took and attached a screen shot of the C|Net trojan Nmap installer in action. Note how
they use our registered "Nmap" trademark in big letters right above the malware "special
offer" as if we somehow endorsed or allowed this. Of course they also violated our
trademark by claiming this download is an Nmap installer when we have nothing to do with
the proprietary trojan installer.
In addition to the deception and trademark violation, and potential violation of the
Computer Fraud and Abuse Act, this clearly violates Nmap's copyright. This is exactly why
Nmap isn't under the plain GPL.
Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding
software which "integrates/includes/aggregates Nmap into a proprietary executable
installer" unless that software itself conforms to various GPL requirements (this
proprietary C|Net download.com software and the toolbar don't). We've long known that
malicious parties might try to distribute a trojan Nmap installer, but we never thought it
would be C|Net's Download.com, which is owned by CBS! And we never thought Microsoft
would be sponsoring this activity!
It is worth noting that C|Net's exact schemes vary. Here is a story about their
It is interesting to compare the trojaned VLC screenshot in that article with the Nmap one
I've attached. In that case, the user just clicks "Next step" to have their machine
infected. And they wrote "SAFE, TRUSTED, AND SPYWARE FREE" in the trojan-VLC title bar.
It is telling that they decided to remove that statement in their newer trojan installer.
In fact, if we UPX-unpack the Trojan CNet executable and send it to VirusTotal.com, it is
detected as malware by Panda, McAfee, F-Secure, etc:
According to Download.com's own stats, hundreds of people download the trojan Nmap
installer every week! So the first order of business is to notify the community so that
nobody else falls for this scheme.
Please help spread the word.
Of course the next step is to go after C|Net until they stop doing this for ALL of the
software they distribute. So far, the most they have offered is:
"If you would like to opt out of the Download.com Installer you can
submit a request to email@example.com. All opt-out
requests are carefully reviewed on a case-by-case basis."
In other words, "we'll violate your trademarks and copyright and squandering your goodwill
until you tell us to stop, and then we'll consider your request 'on a case-by-case basis'
depending on how much money we make from infecting your users and how scary your legal
- “Does CNET Download.com’s new installer install malware?” (HighTechReality.com blog; 2011.08.30) – http://hightechreality.com/2011/08/cnet-downloadcoms-installer-install-malware/
- “Download.com wraps downloads in bloatware, lies about motivations” by Lee Mathews (2011.08.22) – http://www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations
There was a time long, long ago when Download.com was the place I went for software. It’s been years, however, as the site repeatedly showed signs of devolving into a site every bit as bothersome as the many third-tier software repositories that hide genuine links below clever-placed advertisements and bundle toolbars with their “certified” local downloads.
- Download.com Caught Adding Malware to Nmap & Other Software – http://insecure.org/news/download-com-fiasco.html
Related: “SourceForge has lost its common sense” – https://eikonal.wordpress.com/2015/06/03/sourceforge-has-lost-its-common-sense/
Related content at this blog:
Generating password hashes
- Generating unix-style MD5 hash: openssl passwd -1 -salt QIGCa pippo
- produces: $1$QIGCa$/ruJs8AvmrknzKTzM2TYE.
- generating password hash using system’s native crypt() command: perl -e ‘print crypt(“pippo”, “\$1\$QIGCa”),”\n”‘
- Using Python’s Passlib library (http://packages.python.org/passlib/):
- Install Python (e.g. in Cygwin)
- Install Passlib library following instructions at http://packages.python.org/passlib/install.html
- start Python: python
- Calculate the SHA256 hash of the word Password:
>>> from passlib.hash import sha256_crypt
>>> hash = sha256_crypt.encrypt("password")
>>> sha256_crypt.encrypt("password", rounds=12345)
>>> sha256_crypt.verify("password", hash)
>>> sha256_crypt.verify("letmeinplz", hash)
- Generating BouncyCastle SHA1-512 hashes for use in Atlassian JIRA:
>>> from passlib.hash import atlassian_pbkdf2_sha1
- Supported hashing algorithms:
- Archaic Unix Schemes:
- passlib.hash.des_crypt – DES Crypt
- passlib.hash.bsdi_crypt – BSDi Crypt
- passlib.hash.bigcrypt – BigCrypt
- passlib.hash.crypt16 – Crypt16
- Standard Unix Schemes:
- passlib.hash.md5_crypt – MD5 Crypt
- passlib.hash.bcrypt – BCrypt
- passlib.hash.sha1_crypt – SHA-1 Crypt
- passlib.hash.sun_md5_crypt – Sun MD5 Crypt
- passlib.hash.sha256_crypt – SHA-256 Crypt
- passlib.hash.sha512_crypt – SHA-512 Crypt
- Other Modular Crypt Schemes:
- passlib.hash.apr_md5_crypt – Apache’s MD5-Crypt variant
- passlib.hash.phpass – PHPass’ Portable Hash
- passlib.hash.pbkdf2_digest – Generic PBKDF2 Hashes
- passlib.hash.cta_pbkdf2_sha1 – Cryptacular’s PBKDF2 hash
- passlib.hash.dlitz_pbkdf2_sha1 – Dwayne Litzenberger’s PBKDF2 hash
- passlib.hash.scram – SCRAM Hash
- passlib.hash.bsd_nthash – FreeBSD’s MCF-compatible nthash encoding
- passlib.hash.unix_disabled – Unix Disabled Account Helper
- Standard LDAP (RFC2307) Schemes:
- passlib.hash.ldap_md5 – MD5 digest
- passlib.hash.ldap_sha1 – SHA1 digest
- passlib.hash.ldap_salted_md5 – salted MD5 digest
- passlib.hash.ldap_salted_sha1 – salted SHA1 digest
- passlib.hash.ldap_crypt – LDAP crypt() Wrappers
- passlib.hash.ldap_plaintext – LDAP-Aware Plaintext Handler
- Non-Standard LDAP Schemes:
- passlib.hash.ldap_hex_md5 – Hex-encoded MD5 Digest
- passlib.hash.ldap_hex_sha1 – Hex-encoded SHA1 Digest
- passlib.hash.ldap_pbkdf2_digest – Generic PBKDF2 Hashes
- passlib.hash.atlassian_pbkdf2_sha1 – Atlassian’s PBKDF2-based Hash
- passlib.hash.fshp – Fairly Secure Hashed Password
- passlib.hash.roundup_plaintext – Roundup-specific LDAP Plaintext Handler
- SQL Database Hashes:
- passlib.hash.mssql2000 – MS SQL 2000 password hash
- passlib.hash.mssql2005 – MS SQL 2005 password hash
- passlib.hash.mysql323 – MySQL 3.2.3 password hash
- passlib.hash.mysql41 – MySQL 4.1 password hash
- passlib.hash.postgres_md5 – PostgreSQL MD5 password hash
- passlib.hash.oracle10 – Oracle 10g password hash
- passlib.hash.oracle11 – Oracle 11g password hash
- MS Windows Hashes:
- passlib.hash.lmhash – LanManager Hash
- passlib.hash.nthash – Windows’ NT-HASH
- passlib.hash.msdcc – Windows’ Domain Cached Credentials
- passlib.hash.msdcc2 – Windows’ Domain Cached Credentials v2
- Other Hashes:
- passlib.hash.cisco_pix – Cisco PIX hash
- passlib.hash.cisco_type7 – Cisco “Type 7” hash
- passlib.hash.django_digest – Django-specific Hashes
- passlib.hash.grub_pbkdf2_sha512 – Grub’s PBKDF2 Hash
- passlib.hash.hex_digest – Generic Hexdecimal Digests
- passlib.hash.plaintext – Plaintext
- Cisco “Type 5” hashes
- Passphrase Hashes – http://www.users.zetnet.co.uk/hopwood/crypto/scan/ph.html
- Authenticators (= magic strings = marker strings): When a passphrase is verified, the first few characters of the authenticator [= “magic”] determine which mechanism is used:
- If the first character is not “$” or “_”, the traditional crypt3 is used. 2 chars salt. Only the first 8 chars of the passwords are used.
- “$1$”: MD5-crypt is used. [Linux, BSD]. Salt up to 8 chars long.
- “$2$”: Blowfish is used. [Linux] – OBSOLETE
- “$2a$”, bcrypt is used. NOTE: Some sources indicate use of Blowfish (OpenBSD) or eksblowfish.
- “$2x$” or “$2y$”, Blowfish is used.
- “$3$”, NT-hashman [FreeBSD] or depecated/broken SHA-256
- “$4$”, depecated/broken SHA-512
- “$5$”, SHA-256 [Linux]. Salt up to 16 chars long.
- “$6$”, SHA-512 [Linux]. Salt up to 16 chars long.
- Unknown: “$9$”, “$9a$”, $15abc$, $apr1$
- “$md5$”: Sun MD5
Passwords related postings at this blog:
Roles of PAM files
- /etc/pam.conf – all-in-one configuration file for early versions of PAM. It may still be used in some modern versions.
- /etc/pam.d/ – directory containing configurations files for each of separately configured program
- /etc/pam.d/other – the default config file regulating all files that do not have their own separate PAM config file
- /etc/pam.d/gdm – the GNOME Display Manager PAM file.
- Example (from http://ubuntuforums.org/showthread.php?t=1506759):
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
auth optional pam_gnome_keyring.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
Syntax of config files
Each line has format:
module-type control-flag module-path arguments
- pam_deny.so module –
- pam_permit.so module –
- pam_warn.so module – used to interface to syslog
- Report: “Dispelling the Myths Surrounding De-identification” (Anonymization can still work) by Lauren Weinstein (Lauren Buzz; 2011.06.16) – http://bit.ly/lbH5PE by Information and Privacy Commissioner of Canada [PDF]
“Recently, the value of de-identification of personal information as a tool to protect privacy has come into question. Repeated claims have been made regarding the ease of re-identification. We consider this to be most unfortunate because it leaves the mistaken impression that there is no point in attempting to de-identify personal information, especially in cases where de-identified information would be sufficient for subsequent use, as in the case of health research. The goal of this paper is to dispel this myth – the fear of re-identification is greatly overblown. As long as proper de-identification techniques, combined with re-identification risk measurement procedures, are used, de-identification remains a crucial tool in the protection of privacy.”
- AOL search data scandal (WikiPedia) – http://en.wikipedia.org/wiki/AOL_search_data_scandal
- “What the know” series of articles (The Wall Street Journal) – http://online.wsj.com/public/page/what-they-know-digital-privacy.html
- “The privacy covenant is an illusion: How to regain control” by Chad Perrin (Tech Republic; 2011.04.18) – http://www.techrepublic.com/blog/security/the-privacy-covenant-is-an-illusion-how-to-regain-control/5351?tag=nl.e036
Related pages here: Privacy and digital liberties – https://eikonal.wordpress.com/2010/11/01/privacy-and-digital-liberties/
|Personal computer security – https://eikonal.wordpress.com/2011/02/28/personal-computer-security/
| Online privacy tools – https://eikonal.wordpress.com/2010/12/25/online-privacy-tools/
| Unending stream of Facebook privacy news – https://eikonal.wordpress.com/2010/11/22/unending-stream-of-facebook-privacy-news/
| TSA folies – https://eikonal.wordpress.com/2010/11/16/tsa-folies/
Since recently Skype started peddling its new versions in a forceful way by downloading the update to the users PC, and then throwing the large update notification window to the desktop forefront. It is not possible to disable this behaviour. It is so annoying that I will probably switch to some alternative provider of online voip.