Drive-by Trojan Download: CNET Embraces the Dark Side

It appears that the draw of the almighty dollar has pulled CNET to the dark side. CNET is a popular technology news site with a download portal called where many users go to download software that is free, shareware or open source. The site built a reputation a while back as a dependable location for hosting software that was devoid of malicious content – trojan horses, adware, viruses, etc.

Apparently, that was then. Fyodor, the creator of Nmap, recently wrote a scathing article about how CNET has now become the very essence of a drive-by download – where you get a little more than you bargained for when you download software from a website. CNET has taken the concept to another level by actually reverse-engineering submitted software and injecting malicious content before presenting it to trusting users.

The article is a serious indictment of CNET for abusing the trust placed in them by millions of users and by the software developers who are kind enough to create a program and give it to users for free. Since CNET monetizes the hard work of these developers without their knowledge (unless they are willing to pay a “premium fee”), it is not far-fetched to accuse CNET of “stealing”. It is only now, after they were outed, that there is talk of “giving the developers a cut” of the money they’ve been raking in from dropping trojans and adware on the computers of millions of unsuspecting users, including kids, for crying out loud.

Why is this a problem? We know that most users click through installation prompts without bothering to read them, and this is exactly what CNET was taking advantage of, until they messed with Wireshark and Nmap.

The unethical nature of it is that while CNET was raking in millions of dollars, the creators of the software they were reverse-engineering were catching grief for infecting users’ computers with bogus web browser toolbars, home pages and adware that could very well have leaked private information.

As Alan Shimel of Network World explains it, here’s how these “wrappers” work:
“[W]hen you click to download software from their site (which is software developed by others), they are “wrapping” it in their own installers. This C/Net installer will either ask you (if they are polite) or in some cases not so obviously install other 3rd party software on your computer. Things like web toolbars, alternate search engines and other programs that usually pay money for every copy that gets installed.”

Is this practice limited to just CNET? Not by a long shot, but most do it on the website itself – like when you are presented with a download button for something different from what you originally wanted to download. The argument is always that “this is to help us pay the bills”. No one is arguing with the need to generate revenue. It is the deceptive way in which that goal is being achieved that is drawing some angst. There is a difference between giving the user an option to install a toolbar and respecting the choice when the user selects “No”, and installing a toolbar, changing the home page and dropping adware on a user’s computer through a deceptive “accept” button.

Then there is the other part of the equation – the enablers of CNET’s unethical behavior. The parties who were encouraging CNET to bundle toolbars, browsers, search engines etc. in the software they were hosting should also be ashamed of their dirty tricks.

It is important to remind users to take the time to read the dialog boxes that pop up when trying to install an application:

  • If available, always choose the “Custom” option so you can at least see what other crap is going to be dumped on your computer by the installer. In most cases, you can decline or uncheck the box for items you do not want.
  • After the installation, go through the “add/remove” (Windows XP) or “program features” (Windows Vista/7) section in control panel to see if any strange software was installed without your knowledge, and promptly remove it.
  • Run “msconfig” and look through the “startup” tab to see if any strange application has set itself to start automatically with Windows, and disable it.
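
The two post-install checks above can be made less error-prone by recording the state before running an installer and comparing afterwards. The PowerShell script below is an added example, not part of the original article; the snapshot file name is an assumption, and it covers only the registry uninstall and Run keys, not the Startup folder, services or browser settings.

```powershell
# Added example: record installed programs and registry autostart entries,
# then list what a wrapped installer added. Run once with -Mode Snapshot
# before installing and once with -Mode Compare afterwards.
param(
    [Parameter(Mandatory=$true)][ValidateSet('Snapshot','Compare')][string]$Mode,
    [Parameter(Mandatory=$true)][string]$Path   # snapshot file, e.g. before.txt (assumed name)
)

# Registry locations behind the Control Panel program list (native, 32-bit, per-user).
$UninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Registry Run keys, one of the sources shown on msconfig's Startup tab.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-State {
    $items = @()
    foreach ($k in $UninstallKeys) {
        Get-ItemProperty -Path $k -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            ForEach-Object { $items += "program|$($_.DisplayName)|$($_.Publisher)" }
    }
    foreach ($k in $RunKeys) {
        $key = Get-Item -Path $k -ErrorAction SilentlyContinue
        if ($key) {
            foreach ($name in $key.GetValueNames()) {
                $items += "startup|$name|$($key.GetValue($name))"
            }
        }
    }
    $items | Sort-Object -Unique
}

if ($Mode -eq 'Snapshot') {
    Get-State | Set-Content -Path $Path -Encoding UTF8
    "Saved snapshot to $Path"
} else {
    $before = @(Get-Content -Path $Path -Encoding UTF8)
    # Print only entries that were absent from the snapshot: review each one.
    Get-State | Where-Object { $before -notcontains $_ }
}
```

Any `program|` or `startup|` line printed in Compare mode that does not belong to the software you meant to install is a candidate for removal through the steps in the list above.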

It is only going to get worse, unfortunately.