Eikonal Blog

2011.12.06

C|Net’s Download.Com trojans

Filed under: antimalware, antivirus, infosec — Tags: , , , , , , , , — sandokan65 @ 09:29
  • “C|Net Download.Com is now bundling Nmap with malware!” by Fyodor (nmap-hackrs email list; 2011.12.05):

    From: nmap-hackers-bounces@insecure.org On Behalf Of Fyodor
    Sent: Monday, December 2011.12.05 17:36
    To: nmap-hackers@insecure.org
    Subject: C|Net Download.Com is now bundling Nmap with malware!
    
    Hi Folks.  I've just discovered that C|Net's Download.Com site has started wrapping their
    Nmap downloads (as well as other free software like VLC) in a trojan installer which does 
    things like installing a sketchy "StartNow" toolbar, changing the user's default search 
    engine to Microsoft Bing, and changing their home page to Microsoft's MSN.
    
    The way it works is that C|Net's download page (screenshot attached) offers what they 
    claim to be Nmap's Windows installer.  They even provide the correct file size for our 
    official installer.  But users actually get a Cnet-created trojan installer.  That program 
    does the dirty work before downloading and executing Nmap's real installer.
    
    Of course the problem is that users often just click through installer screens, trusting 
    that download.com gave them the real installer and knowing that the Nmap project wouldn't 
    put malicious code in our installer.  Then the next time the user opens their browser, 
    they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as 
    their home page, and whatever other shenanigans the software performs!  The worst thing is 
    that users will think we (Nmap Project) did this to them!
    
    I took and attached a screen shot of the C|Net trojan Nmap installer in action.  Note how 
    they use our registered "Nmap" trademark in big letters right above the malware "special 
    offer" as if we somehow endorsed or allowed this.  Of course they also violated our 
    trademark by claiming this download is an Nmap installer when we have nothing to do with 
    the proprietary trojan installer.
    
    In addition to the deception and trademark violation, and potential violation of the 
    Computer Fraud and Abuse Act, this clearly violates Nmap's copyright.  This is exactly why 
    Nmap isn't under the plain GPL.
    
    Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding 
    software which "integrates/includes/aggregates Nmap into a proprietary executable 
    installer" unless that software itself conforms to various GPL requirements (this 
    proprietary C|Net download.com software and the toolbar don't).  We've long known that 
    malicious parties might try to distribute a trojan Nmap installer, but we never thought it 
    would be C|Net's Download.com, which is owned by CBS!  And we never thought Microsoft 
    would be sponsoring this activity!
    
    It is worth noting that C|Net's exact schemes vary.  Here is a story about their 
    shenanigans:
    
    http://www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations
    
    It is interesting to compare the trojaned VLC screenshot in that article with the Nmap one 
    I've attached.  In that case, the user just clicks "Next step" to have their machine 
    infected.  And they wrote "SAFE, TRUSTED, AND SPYWARE FREE" in the trojan-VLC title bar.  
    It is telling that they decided to remove that statement in their newer trojan installer.  
    In fact, if we UPX-unpack the Trojan CNet executable and send it to VirusTotal.com, it is 
    detected as malware by Panda, McAfee, F-Secure, etc:
    
    http://bit.ly/cnet-nmap-vt
    
    According to Download.com's own stats, hundreds of people download the trojan Nmap 
    installer every week!  So the first order of business is to notify the community so that 
    nobody else falls for this scheme.
    
    Please help spread the word.
    
    Of course the next step is to go after C|Net until they stop doing this for ALL of the 
    software they distribute.  So far, the most they have offered is:
    
      "If you would like to opt out of the Download.com Installer you can
       submit a request to cnet-installer@cbsinteractive.com. All opt-out
       requests are carefully reviewed on a case-by-case basis."
    
    In other words, "we'll violate your trademarks and copyright and squandering your goodwill 
    until you tell us to stop, and then we'll consider your request 'on a case-by-case basis' 
    depending on how much money we make from infecting your users and how scary your legal 
    threat is.
    
    [...]
    

  • “Does CNET Download.com’s new installer install malware?” (HighTechReality.com blog; 2011.08.30) – http://hightechreality.com/2011/08/cnet-downloadcoms-installer-install-malware/
  • “Download.com wraps downloads in bloatware, lies about motivations” by Lee Mathews (2011.08.22) – http://www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations
      There was a time long, long ago when Download.com was the place I went for software. It’s been years, however, as the site repeatedly showed signs of devolving into a site every bit as bothersome as the many third-tier software repositories that hide genuine links below clever-placed advertisements and bundle toolbars with their “certified” local downloads.
  • Download.com Caught Adding Malware to Nmap & Other Software – http://insecure.org/news/download-com-fiasco.html

Related: “SourceForge has lost its common sense” – https://eikonal.wordpress.com/2015/06/03/sourceforge-has-lost-its-common-sense/

2011.05.02

Antimalware for Unix

Filed under: antimalware, antispyware, antivirus, infosec, unix — sandokan65 @ 14:33

2011.02.28

Personal computer security

Anti-mallware (=Antivirus)

Misc:

Anti-spyware

Misc:

Anti-Rootkit / Rootkit detection

  • Trend Micro’s RootkitBuster – http://free.antivirus.com/rootkit-buster/
      A rootkit scanner that offers ability to scan for hidden files, registry entries, processes, drivers and hooked system services, and MBR. It also includes the cleaning capability for hidden files and registry entries. Master Boot Record (MBR) rootkit detection, gives RootkitBuster the ability to detect hidden MBR content. It can spot all variants of MBR rootkit in the wild. MBR rootkits first began appearing in the wild late 2007. New variants continue to appear.
  • Trend Micro’s RUBotted – http://free.antivirus.com/rubotted/:
      Malicious software called Bots can secretly take control of computers and make them participate in networks called “Botnets.” These networks can harness massive computing power and Internet bandwidth to relay spam, attack web servers, infect more computers, and perform other illicit activities. RUBotted monitors your computer for suspicious activities and regularly checks with an online service to identify behavior associated with Bots. Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.
  • Sophos Anti RookKit – http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
  • chrootkit – http://www.chkrootkit.org/ (MAC and many linux/unix versions)
  • GMER – http://www.gmer.net/ – (Windows)

Email security

File and container/volume encryption

“Secure” file erasure

Privacy cleaners

Steganography

Passwords management

Host-based (aka “Personal”) firewalls

More on this blog: IpTables – https://eikonal.wordpress.com/2011/01/24/iptables/ | Port Knocking – https://eikonal.wordpress.com/2010/10/05/port-knocking/ | Firewalls – https://eikonal.wordpress.com/2012/05/04/firewalls/

Web proxies

Related:

Process scanners

2010.07.28

Security tools

2011.02.28: This post was getting too large, so I broke it into smaller pieces:


There are still some smaller islands of content that do not yet deserve separate postings:

Patch Management

  • GFI Languard
  • NSS
  • Lumension
  • EndPoint

Sites:

IT Management

Datamining / logs management

Password analysis

Various collections

Misc


Sources:


See also local info at this blog:

Blog at WordPress.com.