SANS Digital Forensics and Incident Response Blog

A black eye for Download.com? Nmap developer Fyodor says site mixes malware with infosec software

Nmap is one of the best-known open source security tools. It helps discover hosts and devices on a network. It was created over 14 years ago by Gordon "Fyodor" Lyon, and it is part of the curriculum of many SANS courses.

Yesterday, many in the open source community were shocked by this announcement by Fyodor:

...I've just discovered that C|Net's Download.Com site has
started wrapping their Nmap downloads (as well as other free software
like VLC) in a trojan installer which does things like installing a
sketchy "StartNow" toolbar, changing the user's default search engine
to Microsoft Bing, and changing their home page to Microsoft's MSN.
In addition to the deception and trademark violation, and potential
violation of the Computer Fraud and Abuse Act, this clearly violates
Nmap's copyright. This is exactly why Nmap isn't under the plain GPL.
Our license (http://nmap.org/book/man-legal.html) specifically adds a
clause forbidding software which "integrates/includes/aggregates Nmap
into a proprietary executable installer" unless that software itself
conforms to various GPL requirements (this proprietary C|Net
download.com software and the toolbar don't). We've long known that
malicious parties might try to distribute a trojan Nmap installer, but
we never thought it would be C|Net's Download.com, which is owned by
CBS! And we never thought Microsoft would be sponsoring this
activity!

...If we UPX-unpack the Trojan CNet executable and send it to VirusTotal.com,
it is detected as malware by Panda, McAfee, F-Secure, etc...

Fyodor was interviewed by CyberJungle Radio last night, in the "Tales From The Dark Web" segment, where he talks about what happened and the steps users can take to protect themselves and to get CBS to change its practice. The MP3 file of the segment is here.

By Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA-CGEIT, CRISC. Ira Victor is a forensic analyst with Data Clone Labs. He is also Co-Host of CyberJungle Radio, the news and talk on security, privacy and the law. Ira is President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator's Association (HTCIA). Follow Ira's security and forensics tweets: @ira_victor