C|Net packaging Trojan with Downloads of nmap


Mar 31, 2003
Just got this E-Mail from the nmap listserv. Beware everyone... this "wrapper" could be packaged with more software.

Hi Folks. I've just discovered that C|Net's Download.Com site has
started wrapping their Nmap downloads (as well as other free software
like VLC) in a trojan installer which does things like installing a
sketchy "StartNow" toolbar, changing the user's default search engine
to Microsoft Bing, and changing their home page to Microsoft's MSN.

The way it works is that C|Net's download page (screenshot attached)
offers what they claim to be Nmap's Windows installer. They even
provide the correct file size for our official installer. But users
actually get a Cnet-created trojan installer. That program does the
dirty work before downloading and executing Nmap's real installer.

Of course the problem is that users often just click through installer
screens, trusting that download.com gave them the real installer and
knowing that the Nmap project wouldn't put malicious code in our
installer. Then the next time the user opens their browser, they
find that their computer is hosed with crappy toolbars, Bing searches,
Microsoft as their home page, and whatever other shenanigans the
software performs! The worst thing is that users will think we (Nmap
Project) did this to them!

I took and attached a screen shot of the C|Net trojan Nmap installer
in action. Note how they use our registered "Nmap" trademark in big
letters right above the malware "special offer" as if we somehow
endorsed or allowed this. Of course they also violated our trademark
by claiming this download is an Nmap installer when we have nothing to
do with the proprietary trojan installer.

In addition to the deception and trademark violation, and potential
violation of the Computer Fraud and Abuse Act, this clearly violates
Nmap's copyright. This is exactly why Nmap isn't under the plain GPL.
Our license (http://nmap.org/book/man-legal.html) specifically adds a
clause forbidding software which "integrates/includes/aggregates Nmap
into a proprietary executable installer" unless that software itself
conforms to various GPL requirements (this proprietary C|Net
download.com software and the toolbar don't). We've long known that
malicious parties might try to distribute a trojan Nmap installer, but
we never thought it would be C|Net's Download.com, which is owned by
CBS! And we never thought Microsoft would be sponsoring this

It is worth noting that C|Net's exact schemes vary. Here is a story
about their shenanigans:


It is interesting to compare the trojaned VLC screenshot in that
article with the Nmap one I've attached. In that case, the user just
clicks "Next step" to have their machine infected. And they wrote
"SAFE, TRUSTED, AND SPYWARE FREE" in the trojan-VLC title bar. It is
telling that they decided to remove that statement in their newer
trojan installer. In fact, if we UPX-unpack the Trojan CNet
executable and send it to VirusTotal.com, it is detected as malware by
Panda, McAfee, F-Secure, etc:


According to Download.com's own stats, hundreds of people download the
trojan Nmap installer every week! So the first order of business is
to notify the community so that nobody else falls for this scheme.
Please help spread the word.

Of course the next step is to go after C|Net until they stop doing
this for ALL of the software they distribute. So far, the most they
have offered is:

"If you would like to opt out of the Download.com Installer you can
submit a request to cnet-installer@cbsinteractive.com. All opt-out
requests are carefully reviewed on a case-by-case basis."

In other words, "we'll violate your trademarks and copyright and
squandering your goodwill until you tell us to stop, and then we'll
consider your request 'on a case-by-case basis' depending on how much
money we make from infecting your users and how scary your legal
threat is.

F*ck them! If anyone knows a great copyright attorney in the U.S.,
please send me the details or ask them to get in touch with me.

Also, shame on Microsoft for paying C|Net to trojan open source




Elite Member
Oct 9, 1999
I think Fyodor may be jumping to conclusions about Microsoft's level of involvement. For starters, MS has a long-standing partnership with NBC, so partnering with CBS in such a way may have legal ramifications. Of course, this is just speculation.

This practice certainly isn't new. For example, Patchou bundled LOP with his Messenger Plus! program to make a few bucks. On the more insidious side, Sony/BMG silently installed rootkits on tens of millions of machines.

When you install Windows Live Essentials, several of the "essentials" that are default installer options is the Bing Bar, default search engine change, and homepage change. But after the painfully long install routine, it's made pretty damn obvious to the customer that they have multiple apps, options and system changes to choose from...nothing is hidden.

So my thinking is that download.com is thinking about making a few bucks, but don't want to saddle their customers with one of the "sketchy" toolbars that spy and cannot be uninstalled, etc. They get a little chunk of change for each machine they send Microsoft's way, and MS isn't aware of the back-handed way they are going about it...they just cut a check.

But I have a feeling MS knows about it, and is doxing. When they're finished, they'll probably send a politely worded threat of litigation.


Platinum Member
May 21, 2003
I can confirm that there are lots of packages on cnet & download.com like this. You download what is advertised as your desired package, but in fact is an adware installer (or worse) that downloads the package you wanted after installing the adware.

The guy behind foobar2000 had a similar rant about them a few years ago.