Wednesday, December 7, 2011

Avoid - some downloads include malware toolbars

Apparently the change started this summer.  I usually choose to download from other sources, and since I have scripting disabled when I browse, even when I chose to get software from CNet's site I never saw this.  But other bloggers are reporting this, and it has been confirmed.  DO NOT USE DOWNLOAD.COM to get any downloads until this is corrected.  If you need to know where to get something that tells you to get it from, email me and I'll find an alternate source. Bundling Toolbars, Trojans? — Krebs on Security
It wasn’t long ago that I felt comfortable recommending CNET‘s as a reputable and trustworthy place to download software. I’d like to take back that advice: CNET increasingly is bundling invasive and annoying browser toolbars with software on its site, even some open-source titles whose distribution licenses prohibit such activity.

Although this change started this summer, I only first became aware of it after reading a mailing list posting on Monday by Gordon “Fyodor” Lyon, the software developer behind the ever useful and free Nmap network security scanner. Lyon is upset because, which has long hosted his free software for download without any “extras,” recently began distributing Nmap and many other titles with a “download installer” that bundles in browser toolbars like the Babylon toolbar.

CNET’s own installer is detected by many antivirus products as a Trojan horse, even though the company prefaces each download with the assurance that “CNET hosts this file and has scanned it to ensure it is virus and spyware free.” CNET also has long touted’s zero tolerance policy toward all bundled adware.

Lyon said he found his software was bundled with the StartNow Toolbar, which is apparently powered by Microsoft‘s “Bing decision engine.” When I grabbed a copy of the Nmap installer from and ran it on a test Windows XP machine, CNET’s installer offered the Babylon Toolbar, which is a translation toolbar that many Internet users have found challenging to remove.

This has also been reported by other security bloggers:

No comments: