Adobe has released a public beta version of its Flash Player software for Firefox that forces the program to run in a heightened security mode or “sandbox” designed to block attacks that target vulnerabilities in the software.

Sandboxing is an established security mechanism that runs the targeted application in a confined environment that blocks specific actions by that app, such as installing or deleting files, or modifying system information. The same technology has been built into the latest versions of Adobe Reader X, and it has been enabled for some time in Google Chrome, which contains its own integrated version of Flash. But this is the first time sandboxing has been offered in a public version of Flash for Firefox.

Flash is a big target of attackers partly because it is a powerful program with a huge install base; vulnerability management firm Secunia estimates that some version of Flash is installed in 96 percent of the world’s Microsoft PCs. Windows users can further harden their systems against such attacks by swapping out their current version of Flash for this beta.

The sandboxed Flash for Firefox — Flash Player 11.2 beta 5 — works with Firefox 4 or later running on Window Vista or Windows 7. The latest build is available here.

I’ve been using the beta version for nearly two days now without incident on a Windows 7 Firefox 10 install (with Firefox running under Microsoft’s Enhanced Mitigation Experience Toolkit, or EMET). But if you do experience glitches or compatibility issues, you can always revert back to the non-sandboxed version. If you decide to try the beta, make sure to uninstall the current version using Adobe’s Flash uninstaller tool; then grab and install the beta.

Security experts have spotted drive-by malware attacks exploiting a critical security hole in Windows that Microsoft recently addressed with a software patch. Separately, Symantec is warning users of its pcAnywhere remote administration tool to either update or remove the program, citing a recent data breach at the security firm that the company said could help attackers find holes in the aging software title.

On Thursday, Trend Micro said it had encountered malware that leverages a vulnerability in the way Windows handles certain media files. This is a browse-and-get-owned flaw for Windows XP, Windows Vista, Windows Server 2003 and 2008 users, meaning these folks can infect their machines merely by browsing to a hacked or malicious site hosting a specially crafted media file. If you run Windows and have delayed installing this month’s updates, consider taking care of that now by visiting Windows Update.

Trend Micro competitor Symantec also issued a warning this week — about threats to its own software. Responding to a now widely-publicized break-in that resulted in the theft of its proprietary source code in 2006, Symantec issued a 10-page white paper with recommendations for customers still using this software. The company says fewer than 50,000 people are still using pcAnywhere, but those who are should consider applying newly-released updates, or removing the program altogether.

From that whitepaper (PDF):

With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.

At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks. For customers that require pcAnywhere for business critical purposes, it is recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow the general security best practices discussed herein.

On Thursday, Symantec released updates to address at least three security vulnerabilities in pcAnywhere 12.5 for Windows. The company said it plans to issue additional updates for pcAnywhere 12.0, pcAnywhere 12.1 and pcAnywhere 12.5, although it didn’t say precisely when those updates would be available.

It’s generally a bad idea to leave remote administration tools like pcAnywhere always on and always accessible via the Internet. If you must use them, I’d strongly recommend limiting allowable connections to specific computer names or Internet addresses, limiting the number of consecutive logon attempts, and — if feasible– incorporating some type of token based solution.

Underground hacker forums are full of complaints from users angry that a developer of some popular banking Trojan or bot program has stopped supporting his product, stranding buyers with buggy botnets. Now, the proprietors of a new ZeuS Trojan variant are marketing their malware as a social network that lets customers file bug reports, suggest and vote on new features in upcoming versions, and track trouble tickets that can be worked on by the developers and fellow users alike.

A screenshot of the Citadel botnet panel.

The ZeuS offshoot, dubbed Citadel and advertised on several members-only hacker forums, is another software-as-a-service malware development. Its target audience? Those frustrated with virus writers who decide that coding their next creation is more lucrative and interesting than supporting current clients.

“Its no secret that the products in our field — without support from the developers — result in a piece of junk on your hard drive. Therefore, the product should be improved according to the wishes of our customers,” Citadel’s developers claim in an online posting. “One problem is that you have probably experienced developers who ignore your instant messages, because there are many customers but there is only one developer.”

In the following excerpt, taken from a full description of Citadel’s innovations, the developers of this malware strain describe its defining feature as a social networking platform for malware users that is made available through a Web-based portal created by the malware itself.

“We have created for you a special system — call it the social network for our customers. Citadel CRM Store allows you to take part in product development in the following ways:

- Report bugs and other errors in software. All tickets are looked at by technical support you will receive a timely response to your questions. No more trying to reach the author via ICQ or Jabber.

-Each client has the right to create an unlimited number of applications within the system. Requests can contain suggestions on a new module or improvements of existing module. Such requests can be public or private.

-Each client has a right to vote on new ideas suggested by other members and offer his/her price for development of the enhancement/module. The decision is made by the developers on whether to go forward with certain enhancement or new module depending on the voting results.

-Each client has the right to comment on any application and talk to any member. Now it is going to be interesting for you to find partners and like-minded people and also to take active parts in discussions with the developers.

- You can see all stages of module development, if it is approved other members. We update the status and time to completion.

- You may pay a deposit, if module is approved (50%). After the deposit is paid by the members, the project starts moving forward, so that the money is paid directly to coders and there will be no laziness or inaction. Everything is clear: every stage of development is thoroughly shown.

-Easy jabber [instant message] notification of new member or developer comments, or the availability of new custom applications.

The Citadel store lets users file and track bug reports, and request and vote on new features.

Citadel may be the first notable progeny of ZeuS since the ZeuS source code was leaked online last year. The authors claim that it includes a number of bug fixes for the most recent ZeuS version, including full support for grabbing credentials from victims using Google Chrome. Also bundled with this update is a component that can record and transmit videos of the victim’s screen activity.

The basic Citadel package — a bot builder and botnet administration panel — retails for $2,399 + a $125 monthly “rent,” but some of its most innovative features are sold as a la carte add-ons. Among those is a $395 software module that allows botmasters to sign up for a service which automatically updates the bot malware to evade the last antivirus signatures. The updates are deployed via a separate Jabber instant message bot, and each update costs an extra $15.

Citadel also boasts a feature that hints at its creator’s location(s). According to the authors, if the malware detects that the victim’s machine is using a Russian or Ukrainian keyboard, it will shut itself down. This feature is almost certainly a hedge to keep the developers out of trouble: Authorities in those regions are far less likely to pursue the Trojan’s creators if there are no local victims.

The Citadel bot builder.

It will be interesting to see if these malware developers hold true to their word. The growth of a more real-time, user-driven and crowdsourced malicious software market would be a truly disturbing innovation. For now, the miscreants behind Citadel appear upbeat about their chances of ushering in such a reality.

“It’s very interesting for us to work with our clients,” they wrote in an online forum posting. “A lot of authors write in forums that they ‘support the product,’ but at the end the updates only come out once every three months or the author disappears forever. Problem is in author’s motivation. You support us, we support you. It is easy.”

Security researchers have released new tools that can bypass the encryption used to protect many types of wireless routers. Ironically, the tools take advantage of design flaws in a technology pushed by the wireless industry that was intended to make the security features of modern routers easier to use.

At issue is a technology called “Wi-Fi Protected Setup” (WPS) that ships with many routers marketed to consumers and small businesses. According to the Wi-Fi Alliance, an industry group, WPS is “designed to ease the task of setting up and configuring security on wireless local area networks. WPS enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security.”

Setting up a home wireless network to use encryption traditionally involved navigating a confusing array of Web-based menus, selecting from a jumble of geeky-sounding and ill-explained encryption options (WEP, WPA, WPA2, TKIP, AES), and then repeating many of those procedures on the various wireless devices the user wants to connect to the network. To make matters worse, many wireless routers come with little or no instructions on how to set up encryption.

Enter WPS. Wireless routers with WPS built-in ship with a personal identification number (PIN – usually 8 digits) printed on them. Using WPS, the user can enable strong encryption for the wireless network simply by pushing a button on the router and then entering the PIN in a network setup wizard designed to interact with the router.

But according to new research, routers with WPS are vulnerable to a very basic hacking technique: The brute-force attack. Put simply, an attacker can try thousands of combinations in rapid succession until he happens on the correct 8-digit PIN that allows authentication to the device.

One way to protect against such automated attacks is to disallow authentication for a specified amount of time after a certain number of unsuccessful attempts. Stefan Viehböck, a freelance information security researcher, said some wireless access point makers implemented such an approach. The problem, he said, is that most of the vendors did so in ways that make brute-force attacks slower, but still feasible.

Earlier today, Viehböck released on his site a free tool that he said can be used to duplicate his research and findings, detailed in this paper (PDF). He said his tool took about four hours to test all possible combinations on TP-Link and D-Link routers he examined, and less than 24 hours against a Netgear router.

“The Wi-Fi alliance members were clearly opting for usability” over security, Viehböck said in a instant message conversation with KrebsOnSecurity.com. “It is very unlikely that nobody noticed that the way they designed the protocol makes a brute force attack easier than it ever should.”

Separately, Craig Heffner, a researcher with Columbia, Md. based security consultancy Tactical Network Solutions, has released an open-source tool called “Reaver” to attack the same vulnerability. Heffner notes that once an attacker has successfully guessed the WPS PIN, he can instantly recover the router’s encryption passphrase, even if the owner changes the passphrase. In addition, he warns, “access points with multiple radios (2.4/5GHz) can be configured with multiple WPA keys. Since the radios use the same WPS pin, knowledge of the pin allows an attacker to recover all WPA keys.”

Source: Stefan Viehböck

The important thing to keep in mind with this flaw is that devices with WPS built-in are vulnerable whether or not users take advantage of the WPS capability in setting up their router. Also, routers that include WPS functionality are likely to have this feature turned on by default.

First the good news: Blocking this attack may be as simple as disabling the WPS feature on your router. The bad news is that it may not be possible in all cases to do this.

In an advisory released on Dec. 27, the U.S. Computer Emergency Readiness Team (US-CERT) warned that “an attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.” The advisory notes that products made by a number of vendors are impacted, including Belkin, Buffalo, D-Link, Linksys, Netgear, TP-Link and ZyXel.

Viehböck said none of the router makers appear to have issued firmware updates to address the vulnerability. The US-CERT advisory makes no mention of updates from hardware vendors. The advisory also says little about which models may be affected, but if your router has a “WPS PIN” notation on its backside, then it shipped with this WPS feature built-in.

Amnesty International‘s homepage in the United Kingdom is currently serving malware that exploits a recently-patched vulnerability in Java. Security experts say the attack appears to be part of a nefarious scheme to target human rights workers.

The site’s home page has been booby trapped with code that pulls a malicious script from an apparently hacked automobile site in Brazil.  The car site serves a malicious Java applet that uses a public exploit to attack a dangerous Java flaw that I’ve warned about several times this past month. The applet in turn retrieves an executable file detected by Sophos antivirus as Trojan Spy-XR, a malware variant first spotted in June 2011.

A woman who answered the phone this morning at Amnesty International’s research and policy branch in the U.K. declined to give her name, but said she would pass on the information about the break-in. The site remains compromised.

This is hardly the first time Amnesty International’s sites have been hacked to serve up malware. The organization’s site was hacked in April 2011 with a drive-by attack.  In November 2010, security firm Websense warned Amnesty International’s Hong Kong Web site was hacked and seeded with an exploit that dropped malware using a previously unknown Internet Explorer vulnerability. 

The UK site is not particularly popular – its global rank is 90,203 according to Alexa.com – but the chances are good that the attackers behind this are not after financial data. It appears more likely that the exploit maybe part of an ongoing campaign by Chinese hacking groups to extract information from dissident and human rights organizations.

The attack against the Amnesty International’s Hong Kong site last year loaded malware that belongs to a notorious family of backdoor Trojans from China. According to a ThreatExpert analysis of the malicious Java file currently being served by Amnesty’s UK site, the malware downloaded appears to be associated with China.

Paul Royal, a research consultant with Barracuda Networks, said the attack fits the profile of previous campaigns against human rights non-governmental organizations.

“Certain countries use zero day exploits and other techniques to gain electronic information about the activities of human rights activists,” Royal wrote in an email to KrebsOnSecurity, noting that the site appears to have been compromised since at least Dec. 16.  “Of course, a subset of these activists are too smart to click on links in even well-worded spearphishing emails. But what if you compromised a website frequented by these activists (e.g., Amnesty International)? Then your targets come to you. The context-specific damage potential is significant.”

These attacks highlight the importance of staying up to date on security patches. In the case of Java, removing oft-targeted software that you don’t really need may be a safer option. Either way, tools like Secunia’s Personal Software Inspector or FileHippo’s Update Checker can help you stay on top of the latest security updates for popular software titles.

Update, 12:59 p.m. ET: Barracuda Labs just published a blog post about this.

Update, Dec. 24, 9:40 a.m. ET: Emerson Povey, digital communications editor for Amnesty International UK, wrote in to say that the exploit has been removed from the site.

Microsoft today issued software updates to patch at least 19 security holes in Windows, including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software.

The most talked-about vulnerability fixed in December’s patch batch is a critical flaw in all supported versions of Windows that’s been exploited for at least the past two months (and probably much longer) by the Duqu Trojan, a sophisticated information-stealer that experts say was an espionage tool constructed to extract sensitive data from industrial control systems.

The other two critical updates fix bugs in ActiveX and Windows Media Player. The remaining patches address less severe but still dangerous security holes in Windows, Microsoft Office and Microsoft Publisher. A more detailed breakdown of this month’s updates is available here. Patches are available via Windows Update.

In other patch news, Oracle has released yet another update to its Java software. Oracle released updates to Java versions 6 and 7, but only the Java 6 Update 30 includes security fixes. It appears from a close examination of Oracle’s unbelievably labyrinthine security advisories that Update 30 addresses at least six separate security issues. Anyone who wants to read more about the specific details of the flaws fixed in this update without having wade through countless advisories can do so by clicking this link. While none of the flaws look especially bad, if you are using Java it’s time to either update it or dump it (I continually urge readers to do the latter). Updates are available from the Java console (available through the Windows Control Panel).

You may have never heard of youhavedownloaded.com, but if you recently grabbed movies, music or software from online file-trading networks, chances are decent that the site has heard of you. In fact, you may find that the titles you downloaded are now listed and publicly searchable at the site, indexed by your Internet address.

In many ways, the technology behind the site merely recreates in a publicly searchable way what the entertainment industry has been doing for years: It tracks and records information that users share when they download and upload files on public peer-to-peer file-trading networks. But the free service does have the potential to make people think twice about downloading pirated movies, games and music, because it shows how easily this information can be discovered and archived.

So far, youhavedownloaded.com has recorded more than 50 million unique Internet addresses belonging to file-sharing users. The site is searchable by file name and by Internet address. When you visit, it automatically checks and lets you know if your Internet address is in the database.

Youhavedownloaded.com offers only limited information about its founders. One of them is Suren Ter-Saakov, a Russian native who now lives in a suburb of Philadelphia. I first interviewed Ter-Saakov for a story I wrote in 2009 about the Federal Trade Commission’s unprecedented takedown of troubled Web hosting firm Triple Fiber Network (3FN). The FTC alleged it was hard to find any customers at 3FN that had legitimate, legal content. Ter-Saakov, better known in the Russian Webmaster industry as Mauser, disagreed and successfully sued the FTC to retrieve his domains and servers.

Ter-Saakov said he believes youhavedownloaded.com indexes about 20 percent of the file-sharing activity on the Internet. He maintains that the site was created merely as a proof-of-concept, and that it doesn’t have any commercial application.

“The whole thing started with a theoretical discussion I had with some friends about what is possible to track through software and what is not possible,” Ter-Saakov said in a phone interview.

The database has some serious limitations. For starters, it may contain incorrect information because it doesn’t take into account that many Internet users have “dynamic” addresses that change from time to time. Also, many homes and businesses use routers that employ network address translation (NAT), which can hide multiple users behind a single public-facing Internet address, so that a single Internet address listed in the database may reflect file-sharing activity of multiple different users.

Ter-Saakov said his servers could store timestamps, machine/browser fingerprints and other data that might help more accurately identify individual users. But he said adding those enhancements would make the project more expensive, and that he and his friends had sought to put together the best system they could for less than $300 a month.

“If we wanted to make it more sophisticated or be able [to be able to track a greater share of file-sharing] users, it’s going to be more expensive, and we see no reason to do that.”

The feedback from visitors has been mixed. The site allows Facebook users to comment on their impressions, and the responses range from horror and anger to amusement. Ter-Saakov said he’s also received many emails from users whose information was listed but who deny having downloaded any files (he also said people can have their information removed on request).

“One guy claimed he downloaded stuff only because his grandmother was ill and he wanted to watch a Harold & Kumar movie to cheer himself up,” Ter-Saakov said. “Another kid wrote and said asked to have his information removed because he was downloading porn and was afraid his parents would be able to see what kind of movies he downloaded.”

I’m often asked whether I download movies, music and software from file-trading sites. My answer tends to be an unpopular one, but I believe most of this activity is simply wrong and unethical. I know plenty of people who would never dream of five-fingering items from a store, or walking out on a restaurant tab, but who routinely turn to file-sharing networks to download copyrighted content. Whether or not you agree with my views on this subject, it’s important to remember that file-trading networks are an extremely common and easy way to spread malicious software.

In July 2011, a customer at a Chase Bank branch in West Hills, Calif. noticed something odd about the ATM he was using and reported it to police. Authorities who responded to the incident discovered a sophisticated, professional-grade ATM skimmer that they believe was made with the help of a 3D printer.

Below is a front view image of the device. It is an all-in-one skimmer designed to fit over the card acceptance slot and to record the data from the magnetic stripe of any card dipped into the reader. The fraud device is shown sideways in this picture; attached to an actual ATM, it would appear rotated 90 degrees to the right, so that the word “CHASE” is pointing down.

On the bottom of the fake card acceptance slot is a tiny hole for a built-in spy camera that is connected to a battery. The spy camera turns on when a card is dipped into the skimmer’s card acceptance slot, and is angled to record customer PINs.

The bottom of the skimmer device is designed to overlay the controls on the cash machine for vision impaired ATM users. On the underside of that space is a data port to allow manual downloading of information from the skimmer.

Looking at the backside of the device shows shows the true geek factor of this ATM skimmer. The fraudster who built it appears to have cannibalized parts from a video camera or perhaps a smartphone (possibly to enable the transmission of  PIN entry video and stolen card data to the fraudster wirelessly via SMS or Bluetooth). It’s too bad so much of the skimmer is obscured by yellow plastic. I’d welcome any feedback from readers who can easily identify these parts based on the limited information here.

Here’s a closer look at the circuit board on top, which looks like some type of Flash storage device:

Here’s another look at the electronic parts wedged into the back of the skimmer:

It appears from the following image that the data storage capacity on the device is connected directly to the mag stripe reader (top, silver wire), while the device’s video camera is wedged behind the pinhole (bottom, gold wires).

The investigator I spoke with about the incident didn’t know much about the innards of the device, and said that those responsible have not yet been caught. But he did have something interesting to tell me about the origins of the skimmer: “It is believed that the green skimmer was made with the Stereolithography process.” Translation: The cops think thieves produced the card skimmer molds with the help of 3D printers.

These hi-tech and costly machines take two dimensional computer images and build them into three dimensional models by laying down successive layers of powder that are heated, shaped and hardened. In September, I detailed how U.S. investigators had arrested four men in Texas who allegedly built their ATM skimmers using a 3D printer they’d purchased with the proceeds of their skimming business.

In related news, New York County District Attorney Cyrus Vance earlier this month announced an 81-count indictment against three men suspected of planting skimmers at ATM machines in Manhattan. The indictment alleges that the men used the skimmers to steal the debit card numbers of nearly 1,500 individuals, and then exploited the stolen debit card numbers to make more than $285,000 in fraudulent transactions.

In the press release that accompanied the indictment, the district attorney released several images of the skimmer devices allegedly planted by the Manhattan trio. While these devices relied on a separate façade that held a hidden video camera to record customer PINs, there is little question that the same Chase ATM design was targeted. In the picture below, the hidden camera is the squarish silver block mounted vertically to the left of the PIN pad. An enlarged picture of the camera façade follows this one.

A compromised ATM in Manhattan. Image: NYCDA.

A hidden camera and card skimmer part seized by authorities in Manhattan.

Hidden camera footage of a customer entering his PIN. Image: NYCDA.

If you visit a cash machine that looks strange, tampered with, or out of place, then try to find another ATM. And remember, the most important security advice is to watch out for your own physical safety while using an ATM: Use only machines in public, well-lit areas, and avoid ATMs in secluded spots. Also, cover the PIN pad with your hand when entering your PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well.

If you liked this post, consider checking out the other stories in my ATM skimmer series, All About Skimmers.

Malicious hackers are targeting a previously unknown security hole in Adobe Reader and Acrobat to compromise Microsoft Windows machines, Adobe warned today.

Adobe says attackers are taking advantage of a newly discovered critical flaw that exists in Adobe Reader X (10.1.1) and earlier versions for Windows and Mac systems, and Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, as well as Adobe Acrobat X (10.1.1) and earlier for Windows and Mac machines. A security bulletin warns of reports that the vulnerability is being actively exploited in “limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.”

Adobe said it plans to ship an emergency update to address the vulnerability in Reader 9.x and Acrobat 9.x on Windows no later than the week of Dec. 12. Citing protections built into newer versions of its software, however, Adobe said it would not fix the flaw in Reader X or Acrobat X versions for Windows, Mac, or UNIX versions until Jan. 10, 2012, the date of its next scheduled quarterly security update. Adobe’s Brad Arkin explains more about the company’s reasoning behind this decision in a blog post published along with the advisory.

If you are using Adobe Reader or Acrobat, take a moment to make sure you have the latest version. It also never hurts to consider one of several free PDF reader alternatives to Adobe, including Foxit, PDF-Xchange Viewer, Nitro PDF and Sumatra PDF.

Update, Dec. 8, 3:02 p.m., ET: As one commenter has already noted, Foxit has released a security update for its reader. The latest version, 5.1.3, is available from this link.

It wasn’t long ago that I felt comfortable recommending CNET‘s download.com as a reputable and trustworthy place to download software. I’d like to take back that advice: CNET increasingly is bundling invasive and annoying browser toolbars with software on its site, even some open-source titles whose distribution licenses prohibit such activity.

Although this change started this summer, I only first became aware of it after reading a mailing list posting on Monday by Gordon “Fyodor” Lyon, the software developer behind the ever useful and free Nmap network security scanner. Lyon is upset because download.com, which has long hosted his free software for download without any “extras,” recently began distributing Nmap and many other titles with a “download installer” that bundles in browser toolbars like the Babylon toolbar.

CNET’s own installer is detected by many antivirus products as a Trojan horse, even though the company prefaces each download with the assurance that “CNET hosts this file and has scanned it to ensure it is virus and spyware free.” CNET also has long touted download.com’s zero tolerance policy toward all bundled adware.

Lyon said he found his software was bundled with the StartNow Toolbar, which is apparently powered by Microsoft‘s “Bing decision engine.” When I grabbed a copy of the Nmap installer from download.com and ran it on a test Windows XP machine, CNET’s installer offered the Babylon Toolbar, which is a translation toolbar that many Internet users have found challenging to remove.

The CNET download installer that I got for Nmap from download.com was made by CBS Interactive (CNET Networks was acquired by CBS in 2008), and it is detected as malicious by three antivirus products at Virustotal.com. When I unpacked the installer from the Nmap program and scanned just the installer, 10 out of the 39 antivirus products detected the file as either a Trojan horse or adware.

Lyon said CNET is violating Nmap’s distribution license, which bars any distribution that “integrates/includes/aggregates Nmap into a proprietary executable installer, such as those produced by InstallShield.”

“Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn’t put malicious code in our installer,” Lyon wrote. “Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!”

Nmap isn’t alone. Wireshark, another free and widely-used network analysis and security tool, also was being bundled with toolbars through download.com. That is, until Wireshark open source director Gerald Combs sent CBS a cease and desist letter.

Combs said download.com had been distributing Wireshark since the early 2000s, back when it was still known under its former name, “Ethereal.”

“It is a little ironic, that you’re downloading these security tools but [download.com] makes you run through this gauntlet of crapware to get them,” Combs said.

Interestingly, CNET does not offer the download installer for “registered users;” those who are registered are offered a direct download link. Also, it appears that software makers who pay CNET to have a “premium listing” can avoid the installer being bundled with their offering.

The CNET download installer will still let users decline the toolbar installations, but the default is of course to install the software. I have asked CBS for comment on the apparent discrepancy between download.com’s no-adware policy and its practices, and will update this blog post when I hear from them.

As I was researching this, I found that I’m a little late to the party on this one. Thanks to that ExtremeTech post, I found this link, in which CNET explained part of the rationale for rolling out this download installer, in a blog posting on July 25, 2011:

2. Why is Download.com making this change?

Our testing has shown that as many as half of all people who initiate a download fail to complete the download and install their software. The Download.com Installer improves the process by stepping the user through their download and enabling them to more easily find and execute your software’s installer. Other download sites employ similar solutions, but we believe that ours provides more security and utility as well as better consumer protections.

3. How does the Download.com Installer improve the download experience?

By downloading with the Download.com Installer the user is guaranteed that the file they install on their system came directly from Download.com. Only software that is tested spyware-free and hosted on Download.com’s secure servers may be delivered via the Installer.

In addition, thanks to the clear steps provided by the Installer, the percentage of users who are able to complete the download process increases significantly when using the Installer for their downloads.

Finally, Download.com is supported primarily by advertising, and we include offers for additional downloads from advertisers as part of our Installer process. Unlike other download sites that employ similar ad-supported technologies, however, our Installer is limited to a single offer that is carefully screened to ensure compliance with the Download.com Software Policies.

4. Is all software on Download.com delivered via the Installer?

No. The Download.com Installer was rolled out in July 2011 to a limited number of Windows software downloads. At this time we are still evaluating its performance and incorporating feedback from the user and developer communities.

There you have it, readers. If you’re unhappy about this development, let CNET/CBS know how you feel. These toolbar deals no doubt have the potential to earn CNET a lot of money: Download.com is a very heavily visited site, and according to Alexa it is the 174th most-visited site on the Internet. But CNET should be more consistent and up-front about its adware policies, or risk losing that ranking in a hurry.

In the meantime, it’s always a good idea to download software directly from the source whenever possible, and to pay close attention to the prompts during the installation process.