December 6, 2011

It wasn’t long ago that I felt comfortable recommending CNET’s download.com as a reputable and trustworthy place to download software. I’d like to take back that advice: CNET increasingly is bundling invasive and annoying browser toolbars with software on its site, even some open-source titles whose distribution licenses prohibit such activity.

Although this change started this summer, I only first became aware of it after reading a mailing list posting on Monday by Gordon “Fyodor” Lyon, the software developer behind the ever useful and free Nmap network security scanner. Lyon is upset because download.com, which has long hosted his free software for download without any “extras,” recently began distributing Nmap and many other titles with a “download installer” that bundles in browser toolbars like the Babylon toolbar.

CNET’s own installer is detected by many antivirus products as a Trojan horse, even though the company prefaces each download with the assurance that “CNET hosts this file and has scanned it to ensure it is virus and spyware free.” CNET also has long touted download.com’s zero tolerance policy toward all bundled adware.

Lyon said he found his software was bundled with the StartNow Toolbar, which is apparently powered by Microsoft’s “Bing decision engine.” When I grabbed a copy of the Nmap installer from download.com and ran it on a test Windows XP machine, CNET’s installer offered the Babylon Toolbar, which is a translation toolbar that many Internet users have found challenging to remove.

The CNET download installer that I got for Nmap from download.com was made by CBS Interactive (CNET Networks was acquired by CBS in 2008), and it is detected as malicious by three antivirus products at Virustotal.com. When I unpacked the installer from the Nmap program and scanned just the installer, 10 out of the 39 antivirus products detected the file as either a Trojan horse or adware.

Lyon said CNET is violating Nmap’s distribution license, which bars any distribution that “integrates/includes/aggregates Nmap into a proprietary executable installer, such as those produced by InstallShield.”

“Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn’t put malicious code in our installer,” Lyon wrote. “Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!”

Nmap isn’t alone. Wireshark, another free and widely-used network analysis and security tool, also was being bundled with toolbars through download.com. That is, until Wireshark open source director Gerald Combs sent CBS a cease and desist letter.

Combs said download.com had been distributing Wireshark since the early 2000s, back when it was still known under its former name, “Ethereal.”

“It is a little ironic, that you’re downloading these security tools but [download.com] makes you run through this gauntlet of crapware to get them,” Combs said.

Interestingly, CNET does not offer the download installer for “registered users;” those who are registered are offered a direct download link. Also, it appears that software makers who pay CNET to have a “premium listing” can avoid the installer being bundled with their offering.

The CNET download installer will still let users decline the toolbar installation, but the default is of course to install the toolbar. I have asked CBS for comment on the apparent discrepancy between download.com’s no-adware policy and its practices, and will update this blog post when I hear from them.

As I was researching this, I found that I’m a little late to the party on this one. Thanks to an ExtremeTech post on the subject, I found a CNET blog posting from July 25, 2011 in which CNET explained part of the rationale for rolling out this download installer:

2. Why is Download.com making this change?

Our testing has shown that as many as half of all people who initiate a download fail to complete the download and install their software. The Download.com Installer improves the process by stepping the user through their download and enabling them to more easily find and execute your software’s installer. Other download sites employ similar solutions, but we believe that ours provides more security and utility as well as better consumer protections.

3. How does the Download.com Installer improve the download experience?

By downloading with the Download.com Installer the user is guaranteed that the file they install on their system came directly from Download.com. Only software that is tested spyware-free and hosted on Download.com’s secure servers may be delivered via the Installer.

In addition, thanks to the clear steps provided by the Installer, the percentage of users who are able to complete the download process increases significantly when using the Installer for their downloads.

Finally, Download.com is supported primarily by advertising, and we include offers for additional downloads from advertisers as part of our Installer process. Unlike other download sites that employ similar ad-supported technologies, however, our Installer is limited to a single offer that is carefully screened to ensure compliance with the Download.com Software Policies.

4. Is all software on Download.com delivered via the Installer?

No. The Download.com Installer was rolled out in July 2011 to a limited number of Windows software downloads. At this time we are still evaluating its performance and incorporating feedback from the user and developer communities.

There you have it, readers. If you’re unhappy about this development, let CNET/CBS know how you feel. These toolbar deals no doubt have the potential to earn CNET a lot of money: Download.com is a very heavily visited site, and according to Alexa it is the 174th most-visited site on the Internet. But CNET should be more consistent and up-front about its adware policies, or risk losing that ranking in a hurry.

In the meantime, it’s always a good idea to download software directly from the source whenever possible, and to pay close attention to the prompts during the installation process.
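As an added example (not code from this post, from CNET or from the Nmap project), here is the check that “download from the source” implies: compare the installer you actually ended up with against the SHA-256 digest the vendor publishes for it. The script assumes the vendor ships digests in the common sha256sum text format (“<hex digest>  <file name>”); the file names, paths and byte strings in demo() are constructed for illustration and are not real installer contents. A download-site wrapper shipped under the vendor’s file name fails the comparison, which is exactly the case the CNET installer creates.

```python
"""Check a downloaded installer against the digest its vendor publishes.

Added example for this post; it is not code from the article, CNET or the
Nmap project. It assumes the vendor publishes SHA-256 digests in the common
sha256sum text format ("<hex digest>  <file name>"). The file names and bytes
used in demo() are made up for illustration.
"""
import hashlib
import os
import re
import sys
import tempfile

_CHUNK = 1 << 20
# One sha256sum-style line: 64 hex digits, whitespace, optional '*' (binary mode), file name.
_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so a large installer is not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text):
    """Map base file name -> lowercase hex digest; blank, comment and malformed lines are skipped."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            continue
        digests[os.path.basename(m.group(2).strip())] = m.group(1).lower()
    return digests


def verify_download(path, checksum_text):
    """Return (status, actual_digest).

    'ok'       the file matches the vendor's published digest
    'mismatch' the bytes differ, e.g. a download-site wrapper shipped under the vendor's name
    'unlisted' the vendor's list has no entry for this file name, so there is nothing to check
    """
    expected = parse_checksum_list(checksum_text).get(os.path.basename(path))
    if expected is None:
        return ("unlisted", None)
    actual = sha256_file(path)
    return ("ok" if actual == expected else "mismatch", actual)


def demo():
    """Constructed demonstration: the same file name, once with the vendor's bytes and once as
    a wrapper that carries extra code in front of them. Both byte strings are made up."""
    genuine = b"MZ" + b"\x00" * 62 + b"constructed vendor installer payload"
    wrapper = b"MZ" + b"\x00" * 62 + b"constructed download-site wrapper stub" + genuine
    published = "%s  *vendor-setup.exe\n" % hashlib.sha256(genuine).hexdigest()
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for subdir, data in (("vendor", genuine), ("mirror", wrapper)):
            os.makedirs(os.path.join(tmp, subdir))
            path = os.path.join(tmp, subdir, "vendor-setup.exe")
            with open(path, "wb") as f:
                f.write(data)
            results.append(verify_download(path, published)[0])
    return tuple(results)  # ("ok", "mismatch")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: verify_download.py <installer> <vendor checksum list>")
        print("demo:", demo())
        sys.exit(2)
    with open(sys.argv[2]) as f:
        status, digest = verify_download(sys.argv[1], f.read())
    print(status, digest)
    sys.exit(0 if status == "ok" else 1)
```

Run it as `python verify_download.py nmap-setup.exe SHA256SUMS` (both names are assumptions, standing in for whatever the vendor actually publishes); with no arguments it runs the constructed demo. The point of the base-name lookup is that a wrapper installer normally keeps the vendor’s file name, so the name matches the list but the bytes do not, which is the case a user of the download-site installer wants surfaced before double-clicking.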


54 thoughts on “Download.com Bundling Toolbars, Trojans?”

    1. PW

      Jim Evans, thanks for posting the other website info links.

  1. CMT

    At the company/facility I work for and at, Download.com is blocked totally and has been since late this summer due to the detection of their downloader as a Trojan.

    The pity for some software makers is that many rely on Download.com as their sole download source for their software.

  2. Matt

    CNET has lost another user because of this toolbar bloatware nonsense.

    RIP “Fast Install”. Always gotta hit custom now to get rid of the crapware.

  3. Tracy Dryden

    I stopped using download.com the very first time they tried to install an unwanted toolbar along with the software I wanted, and I won’t download another file from them, or recommend them to anyone, until they cease that practice. Now I try to download directly from the source.

  4. Rich

    “and to pay close attention to the prompts during the installation process.”

    Words of wisdom, and though I would imagine the reader base of this blog would consider it “preaching to the choir”, I wish we could get the average end user to pay attention to what is being proposed to install!

    Every time I do work on a family member’s PC, it never fails that their IE toolbar takes up almost half the screen due to these toolbars and other bloatware!

    1. nonegiven

      I saw my husband’s computer at work. He had, I think, 11 toolbars on his browser and maybe 5 inches of space left. I said we should delete most of these and he was like, well, I use this link on that one, and sometimes I need this search engine or that. I said we can put all the links on your bookmarks toolbar and all the search engines in your search box so you can choose the one you want and double the size of your browser page, and next time something asks to install another one, uncheck the box!

  5. Neej

    TBH based on my experience which I’ve already mentioned in a few other comments I’ve made you’re dreaming if you think this is a “problem” that’s confined only to Download.com – many shareware (or other licenses for that matter) authors are bundling adware with their installers now. The last I can recall that I used are FlashFXP and Foxit Reader installers but it seems like every second app I use has some form of Adware, often Ask Toolbar.

    Babylon is pretty hard to remove though for the average user – I’ve had to get rid of it a few times after accidentally not unticking the boxes. It is also promoted heavily by blackhat PPI networks – they allow installs by whatever means, bundling files for example so the user has no chance to consent to the installation. Payment per install is around $1.50 for US installs from memory with other countries arranged in tiers.

    As some may recall I commented that on the one hand I found this surge in legitimate adware insidious but on the other hand the amount that ad networks such as COPEAC charge for clicks through adware can be extremely low, right down to 1c. Which makes it pretty damn attractive for people paying for traffic like me.

    I noted that many downvoted my last comment regarding adware so have at it heh.

    1. J.T. Wenting

      One of the worst offenders is Adobe, who try to install trojans (Google toolbar, etc.) with Flash, Acrobat reader, and I think I saw them try once with Lightroom (though that might have been the Flash installer that bundles with Lightroom).

  6. AJ North

    Thanks for another excellent (and timely piece), Brian.

    CNET and their download.com have been sliding into the proverbial swamp ever since they were acquired by CBS Corporation, the current corporate identity of the former Columbia Broadcasting System (founded by William S. Paley in 1928); the majority stockholder today is National Amusements (how appropriate).

    Even registered users of download.com have to contend with squirreliness when downloading software from the site, which is why I now use Softpedia.com (http://www.softpedia.com/) as my primary download site. They also provide for registered users to ‘subscribe’ to software, which will generate timely e-mail alerts of updates (usually days sooner than download.com). One more icon debased by greed.

    1. AJ North

      Forgot to add that Softpedia also flag software that is ad-supported, an extra inducement to carefully monitor the installation process so as to deselect the crapware.

  7. Wladimir Palant

    Frankly, this doesn’t surprise me the least. A while ago I actually took the time to update my software on a bunch of download sites for each release – they added it without asking me but whatever. This was a simple process most of the time but Download.com made a point of being extra annoying to get people to pay for their premium accounts. They even went as far as to delay updates by two weeks for no reason whatsoever other than convincing software authors to pay for this crappy service. After a few releases I decided that delisting is a much easier solution.

    1. BrianKrebs Post author

      Good for you, Wladimir. Perhaps if more developers of popular software did the same, they’d reverse this policy.

  8. lansdowne mike

    I noticed the problem this summer when I got a notice that ccleaner was updated. I didn’t follow the link in the notice and got the ever so helpful installer. Expecting a straightforward download I didn’t unclick what I should have and wasted 45 minutes cleaning the crap that was installed inadvertently. (Ccleaner helped with that.) Last time I’ll use download.com until I hear that they’ve stopped this nonsense.

    1. CloudLiam

      Even if you update directly from Piriform you get crap-ware installed unless you opt out. It’s been that way for some while.

      It’s a bit ironic that an app once known as Crap Cleaner now installs crap but such is the world in which we live.

      1. Datz

        The last time I downloaded CCleaner, it bundled Chrome browser. Although I unchecked that box, I wouldn’t really call it crap.

        1. Rich

          Though I’d agree with you that Chrome is far from crap, I don’t want *anything* other than what I clicked to download, period.

    1. F-3000

      People should ALWAYS pay attention to what’s on the screen when they’re installing something. I would have installed a huge handful of bloatware if I had just blindly clicked “next”.

  9. Mike

    At least one of the anti-malware programs that I use also detected CNET Tracker (their version of File-Hippo Update Checker) as containing a Trojan Horse.

  10. Paul

    Interestingly I posted a comment on CNET’s Facebook page asking if anyone would care to comment on the Softpedia article. I left a link to the story. Within seconds it was removed.

  11. Carl

    Ah, I miss the old SIMTEL-20. Things went downhill when they kicked it out of White Sands.

  12. Rick Zeman

    Versiontracker, the premiere Mac download site since the 90’s, got acquired by CNet…and went all to hell once they redirected that domain to the CNet site. I ended up switching to MacUpdate and don’t miss CNet at all.

  13. Stratocaster

    I have seen some computers, such as my mother-in-law’s netbook, that have so many IE toolbars there is no room for an actual browser window. Death to toolbars! If I wanted them, I would ask for them. Of course, that is just one more reason not to use IE. Adobe is becoming more intractable in that same manner — it is very difficult to find a plain-vanilla standalone installer for Flash Player, etc. Now their default is to download a “Web installer” — the operation of which is blocked by most corporate and government firewalls.

    1. xAdmin

      It’s really not the browser’s fault as the same thing is possible with Firefox. Other than the crapware itself, the problem is the person behind the keyboard is not doing due diligence and instead just clicks through. Patience (as in stop and read, don’t just click away) and a little education goes a long way to stopping unwanted software/malware….. 🙂

  14. Hans Kristian Flaatten

    Does anyone have an email address for CNET/CBS? Can’t seem to find any contact information at their sites.

  15. Great Lake Bunyip

    An excellent article Brian, followed up by many useful comments. Many thanks.

  16. Jason Wallwork

    This doesn’t totally surprise me. A number of years back, probably six or seven, I downloaded an add-on for MSN Messenger (as it was known then). I think it was called Messenger Plus or something similar, from Download.com. The program itself was okay, but the installer had a malware toolbar program with it that they encouraged you to install to help the author out. After my system had slowed to a crawl, I spent hours trying to get that bugger out. I should’ve known better but the appeal to my willingness to install something to help the free software author and my belief that CNET actually checked their stuff for malware convinced me to give it a try.

    I’m surprised they’d go this far as including malware in their installer, but I’ve always suspected they had lots of malware mixed in. It was probably on a user-complaint system that anything was removed. They had thousands of programs; how could they have that many and have seriously checked them all?

    I usually go to snapfiles.com to get my software. It’s not as big a collection but most of it is quality programs and they have actually reviewed them. I like filehippo.com for the same reasons.

    I’ve also used softpedia.com because one time, I noticed they had an ad that was deceptive (looked like one of those error messages) and complained to them about it. I didn’t really expect any response. They responded within 24 hours, apologized for the ad and said that the ad and the advertiser were being removed from their system. I was pretty impressed.

    1. Brett

      Messenger Plus! is a huge CPV adware network sold off to many major networks and affiliate marketers.

  17. Hank Arnold

    I’m as furious as you are with Download.com. To sneak this in with no warning and then try and sell it as “benefiting” the customer is the height of arrogance.

    I’m boycotting Download.com and have urged my blog readers to do the same. I don’t believe that a letter writing campaign will do anything as long as this crap generates significant revenue for them. Why change if the money is rolling in??

  18. PW

    Winzip has also gone that route of putting in their Winzip Toolbar, which I finally completely pervasive and invasive. I dislike the current crop of Winzip software.
    In the past, we did not have this concern from Winzip. As a result I had to go back and uninstall that Winzip toolbar and associated files from all my PCs (home).

    Don’t get me wrong, Winzip is a great tool – but c’mon, some of these toolbars from various companies is just getting to be too much. Trojans aside of course. It’s just the squirliness factor someone mentioned above.

    Some users may like all these varied toolbars but many of us do not….

    1. PW

      sorry, typo above, in the first sentence I meant:
      ‘which I find completely pervasive and invasive’….

    2. TEA-Time

      Don’t get me started about WinZip…

      Ooops, too late!!

      WinZip turned to CRAP when Corel sucked them in. First off, when it was Nico Mak, you bought it once and had free upgrades for life. That whole concept went POOF when greedy Corel got ahold of it.

      Then they removed the ability to specify a virus scanner, which I used for scanning individual files in an archive. I e-mailed them and their excuse was that most people have real-time virus scanning anyway.

      And then there’s the ribbon interface that they adorned it with. At least you can go back to the legacy look. The newest I’ve used is v15.5, and I wouldn’t be surprised at all if they’ve removed that in v16.

      And.. when it was Nico Mak, WinZip NEVER crashed on me. I always joked that Nico Mak should write an OS. Not so since Corel.

      And with the added little goodies in the installer, I’m about to write them off for good. Now there are alternatives for opening .zipx files, which I’ve never had to deal with anyway, so there’s no need to use WinZip at all.

  19. Angus Scott-Fleming

    Brian,

    As usual, good column. You say “If you’re unhappy about this development, let CNET/CBS know how you feel”, but there is NO “feedback” or “webmaster” link at download.cnet.com (redirected there by download.com). Perhaps if I “joined”, I would see one. But I certainly don’t want to share my email with them, and using a disposable email address like mailinator.com means they won’t take the comments seriously.

    I’ll just add “download.cnet.com 127.0.0.1” to any hosts files I come across [grin].

    1. Paul

      As I posted here earlier… I tried to post on CNET’s Facebook page for a response to the Softpedia article. I also posted the link. They took it down within seconds… Scoundrels

    1. Angus Scott-Fleming

      A big +1 to CNet for responding as quickly as they did and the way they did. HOWEVER, I still give them a BIG -99 to them for only committing to removing bundled toolbars from open-source downloads.

  20. Brett

    It’s mildly amusing how these articles fail to discuss the real companies involved.. Microsoft & Zugo LTD, which together license their Bing branded toolbar to 3rd party developers. http://zugo.com/terms-and-conditions. If Microsoft stopped bundling with adware, and Google stopped partnering with Ask/Mindspark, many of these types of deals would be shut down. But Microsoft and Google will power and sponsor adware directly and indirectly to gain market share no matter what.

    1. BrianKrebs Post author

      “It’s mildly amusing how these articles fail to discuss the real companies involved.”

      They do?

      “Lyon said he found his software was bundled with the StartNow Toolbar, which is apparently powered by Microsoft‘s “Bing decision engine.” When I grabbed a copy of the Nmap installer from download.com and ran it on a test Windows XP machine, CNET’s installer offered the Babylon Toolbar, which is a translation toolbar that many Internet users have found challenging to remove.”

      1. Brett

        Babylon did offer their toolbar directly to CBS, it was done through a 3rd party/broker, and no mention of Zugo LTD, and their practices. Cnet is the publisher, Microsoft is the Advertiser, the rest of the chain is left out… that is where the compliance is done.

  21. Tarzan

    Is this a precursor to the future of content-for-profit? I mean, if copyrights are worthless now that we live in the days of file and music sharing, how are artists/programmers/producers supposed to put food on the table? I only see one way of providing incentive to a musician for publishing a CD, and that is for money, and if the money isn’t coming from consumers, then there seems to be one other source for revenue – sponsors. If we cut off the sponsorship revenue, then who can really expect an artist to publish his/her works?

    As a songwriter, I have no motive for sharing my work, in fact I am concerned that others might claim my work as their own. I can sympathize with Mr. Lyon-I definitely would be upset if commercials showed up on my CD without my approval.

    1. Angus Scott-Fleming

      IMHO sponsorship revenue from insidious adware toolbars is to be avoided at all costs if you don’t want to p*ss off your potential buyers beyond belief. YMMV.

      1. JCitizen

        Very true Angus!

        Ever since Stone Temple Pilots built their own franchise, the music and artist industry has changed. They can build their own websites and push their music independent of corporations or label cartels that just rip off the artists and customers to boot!

        Putting malware in with their finest creations is the WAY wrong path to success!!!! DRM is bad enough just by itself!

    2. F-3000

      Per my understanding, music artists gain a very lame share from the CD sales, because publishers take the most of the sales income. There’s a saying “if you really want to support a band, visit their shows.”

      Also, if music-companies would follow the bundling-style, you’d hear voice-commercials added on the music CDs you’ve bought.

      One reason why I support torrented music is the copy protections added to the media – they have a bad habit of breaking equipment, if they’ll play in the first place. Another reason is that I listen to such music that it is not popular here where I live. Should I really pay for a product and shipping of it, when it’s not guaranteed to play on my CD player, or in the worst case, breaks the player?
      (On the other hand, I currently own a big enough library of music (both bought and torrented) that I don’t bother with getting new music; otherwise I probably would use an online store which doesn’t use DRM.)
      I also have a habit of buying stuff I’ve once torrented and found worth having. With older games it’s a bit tricky, but sometimes I get lucky.

      1. JCitizen

        So true! DRM is a disaster! Most of the folks I know, buy the retail box stuff just for the collector habit; but they use cracked music for regular playing. The factory stuff just won’t play half the time.

        I have the same trouble playing blu-ray movies – most of the time they won’t even play. Eventually the MPAA/IAA updates come through and then they will play for a while, until a new IAA notif spyware is deposited in the DRM modules, and NOPE, no playing again!

        Those idiots are just shooting themselves in the foot!

  22. JCitizen

    Good article Brian;

    I’ve since learned from my clients how CNET went downhill. I still use them, because I filter the ‘malware’, but I quit recommending them to my clients. I now recommend Major Geeks – who have been out there forever; and/or File Hippo.

    I do occasionally use SoftPedia, but find their reviews lacking.

Comments are closed.