Warning: CNet's download.com now includes actual malware in their installers


delusionalHamster's avatar
It's been known for a while that download.com includes adware in their installers (such as browser toolbars and the like) which you have to be really careful to prevent from installing, but supposedly they have mostly been the annoying type, that can still be removed if necessary (although, how can we be sure? they don't show the source code of adware...)

[link]

And incidentally, it has also been known that Microsoft has been the source of some of the adware. Kinda makes you wonder...

[link]

Recently it has come to my attention that they are no longer satisfied to spread just adware, but are now bundling actual, real-life malware that are used for phishing attacks into their software.

[link]

Just so everyone knows, never, ever, ever EVER download anything from download.com or any other CNet-affiliated site. They can't be trusted, they take other people's software and bundle it with malware for their own profit. What they do is despicable and dishonest, and no one should support this kind of behaviour, ever. Small software writers have enough problems competing against huge software houses without getting associated with shit like this.

Please spread the word.
Aapis's avatar
Guess I'll continue not seeing any point in downloading anything from CNET.
delusionalHamster's avatar
What is with these people who are all like "herp derp own fault for not reading the installers derp"?

Are people seriously so deranged, that they accept this kind of shit as normal, that it's ok to do it as long as there's at least a nominal chance of avoiding the malware? Seriously? You people think it's ok to trap people like this? It's ok to con people, because it's their own fault if they fall for it?

Well shit, I didn't know this forum had been overrun with libertards.
PR-Imagery's avatar
Because it is their fault for not reading/paying attention. The vast majority of all computer problems are user generated.
Plus they're downloading stuff from cnet... If the only place to get a program is a cnet download, it's not worth using.
delusionalHamster's avatar
Congratulations, you have now figured out the reason for this thread. People should indeed not download anything from CNet, and since you already seem to know that, this thread does not concern you. You may go forth and spread the word, my son.
Mercury-Crowe's avatar
So, then, it's fine to drive along playing on your phone and not watching the road, right?

Nobody is trapping anybody! You're not being CONNED. You are being asked if you want something. Nothing is being downloaded without your permission! It's not their job to make sure you pay attention. That's on you.

We are NOT talking about a download that APPEARS to be what you want. You don't try to download gimp and get craptastic toolbar instead. You don't even get it automatically with the package. It asks SPECIFICALLY if you want that stuff. It doesn't hide it in the program. It doesn't just sneak it on there. YOU FREAKIN SAID OK. You said 'Yes! I want this!'

You don't know what it is you are agreeing to, that is your OWN FAULT.

Let me guess, you ALSO don't read the terms and conditions before using a site.
delusionalHamster's avatar
95% of people don't read the terms and conditions of anything. In fact some legal experts are of the mind that terms and conditions that are excessively long-winded should not even necessarily be legally enforceable, but that's beside the point...

The point is, you're being a total smart-ass. You're like that guy who comes into a restaurant totally naked, except he's wearing a tie and shoes, and he tells the waiters they can't refuse service because he's TECHNICALLY following the dress code.

(You can tell I'm fucking awesome with analogies.)

Similarly, you are TECHNICALLY correct that the user has a chance to not install the malware. Yes, that's true. Technically.

But you have to take into account that habits are powerful. There are such things as expected behaviours. People are used to installers working a certain way, and that way is "you click the ok button several times and the program installs". The entire CNet installer is built in such a way that it is easy to accidentally accept the malware if you're not paying attention all the time.

It's easy to be a smart-ass and tell people they should read everything carefully, but REALISTICALLY speaking, who's going to do that? Who's going to read the war and peace sized EULA of every program they install, especially if it's just something they want to try out?

So yes, it's TECHNICALLY possible to avoid the malware, but that does not make it ok in my view. It's not ok to mislead users and trap them into installing malware on their computers. People make mistakes, people click things by accident, sometimes people are tired or otherwise not paying full attention, and that's what these installers are counting on: they know that most of the time people will decline them, but they count on that certain percentage of times you'll be not totally paying attention and accidentally click on the wrong button and then you're screwed.

And what's even more sinister about this is that the software authors themselves do not necessarily have any idea what kind of crap is being pushed to users in their name.
Mercury-Crowe's avatar
'95% of people don't read the terms and conditions of anything.'

I've been involved in professional horse businesses for a long, long time. By law in most states, certainly in the one I am in, once you set foot on a farm you lose the ability to force the owner to take responsibility for anything that happens to you.

That means if you are on my farm, and one of my horses backs you into a corner and kicks the crap out of you, puts you in the hospital, etc- I am not liable. I don't have to pay. You can't sue me.

We don't have to have a sign on the barn that says that, but we do. Lots of places will make people sign a release that says they understand this. But we don't have to.

Now, if somebody comes onto my farm, gets hurt, then tries to sue me and their excuse is 'I didn't bother to read the sign' it doesn't make any difference. 'I didn't know' isn't a valid excuse.

Why? Well, the law is there because horses are really large animals with a brain of their own, and they are dangerous- and you should be smart enough to realize this. You decide to be around large animals and equipment, you get hurt, it's your choice. You didn't HAVE to come to the barn.

Just like you didn't HAVE to click 'I agree.' You CHOSE to do it. You saying 'I agree' is the same thing as coming onto my farm. By being there, you take responsibility for your actions.

You know, that's their own damn fault. They are there for a reason. Your defense is 'I'm lazy!'

And YES, they SHOULD be reading them! That is what they are THERE for! 'This is what you are agreeing to!' It is a CONTRACT YOU AGREE TO! YOU! Not them. It's YOUR fault if YOU don't read the stuff. They put it there for YOU to read.



They aren't misleading you! They don't say they are doing one thing and do another. They TELL YOU THEY ARE INSTALLING IT.

I don't care about force of habit- the habit is BAD! The habit is to IGNORE stuff.

Does that mean that, to you, ANYTHING is OK as long as it is habit? If I'm going around killing kittens, well, that's OK, because it's habit.
delusionalHamster's avatar
Wow, thanks for the incomprehensible rant full of strawman arguments.

I had no idea installing toolbars by accident was the same thing as killing kittens somehow. Thanks for letting me know...

ps, I didn't choose to click anything. I don't download anything from CNet, I don't use installers, because I don't use windows. I'm not on some kind of personal agenda here (although I get it if that's hard for you to understand).
Mercury-Crowe's avatar
By *you* I mean the user.

You were the one who compared it to hiding a bear trap on a foot path.

And installing toolbars is like killing kittens? Well, if you click 'yes' because you aren't paying attention, and you step on kitties' heads because you aren't paying attention to where you are walking...I can make that work. :P
Mercury-Crowe's avatar
The only 'malware' I've ever seen from c-net is crap they try to add on while you're downloading. All you have to do is click 'no' or whatever. Takes five seconds to read.

If people don't pay attention it's their own fault.
delusionalHamster's avatar
Well aren't you a compassionate individual.

So I could set a bear-trap on the path you walk to school every day, cover it up with leaves or something, and if you happen to step in it and break your leg in half, it's your own fault for not paying attention.
Mercury-Crowe's avatar
If you are too stupid to realize you need to read what is on your screen, then I'm not going to feel sorry for you.

And your analogy is faulty.

The correct one:

You set a bear trap out in the open in the woods, put a SIGN OVER IT THAT SAYS BEAR TRAP.

If I walk into it and break my leg, yeah, it's my fault for not paying any attention.

They aren't hiding ANYTHING. It says it RIGHT THERE. It ASKS if you want to download and install it.

Other companies do that crap all the time. I used to work at a mail order company and we were obliged to offer all sorts of stuff the person on the other end didn't want. We HAD to ask, they had to say yes or no. It might be a free trial of something. It might be magazines. Whatever. It's called an 'upsell'.

They are upselling this crud from other people, because it pays for the site. The site makes money from that stuff being downloaded. It's why you don't have to pay to use it.

All you have to do is pay attention. You have to focus for THIRTY SECONDS. If you can't be bothered to do that then you deserve whatever you get.
delusionalHamster's avatar
If someone's business model requires them to trick their users into installing malware, then THEY DESERVE TO GO BANKRUPT. There's plenty of download sites that manage to stay in business without bundling malware in their downloads.

Sorry, not buying what you're selling.
Mercury-Crowe's avatar
But you aren't being tricked. YOU SAID YES!
delusionalHamster's avatar
What did I say yes to now?
DTrinidad's avatar
I can't recall the last time I downloaded anything from CNET but these days I mostly download software from the developer's official site.
delusionalHamster's avatar
That's a good practice.
Scnal's avatar
It's a toolbar.

There's an option to just say "no I would not like to install this toolbar" when you're installing. I have no sympathy for anyone who doesn't realize that and installs a toolbar that they don't know how to get rid of.
delusionalHamster's avatar
And how many people actually read all the stuff these installers say? Have you actually looked at pictures of the installers? Unless you're really careful, 100% of the time, it's easy to accidentally click the wrong button and install the malware. People make mistakes.

People should be able to download software from known & trusted software authors without being at risk of compromising the security of their computer due to 3rd-party malware being injected by CNet or the like.
Scnal's avatar
When an installer asks me for something after I've already said to install whatever program I wanted, I read it. Especially when, if memory serves me, there's a big graphic for something I obviously did not ask for. I've never run into any problems installing things, and I'm still wondering how so many people do considering it's a matter of taking ten more seconds.

They already can.
delusionalHamster's avatar
Yeah, yeah. Whatever. It's the old "blame the user" crap. I don't buy it. It's fine for kids who like to pretend they're l33t hax0rs because they know how to click a "no" button on an installer to point and laugh at people because they have the audacity to expect that a software from a reputable author that they downloaded from a supposedly reputable site would not attempt to crap all over their computer with malware. But for the rest of us, who have some modicum of compassion and a sense of honesty and justice, will not abide this noise.
Scnal's avatar
Except being able to press "no" should be expected, even from reputable sites. It really is the user's fault if they don't get that much right. Sure, it'd be better if they didn't have ads in their installers, but it's nothing to go crazy about.
delusionalHamster's avatar
Let's make one thing clear: we're not talking about just ads here anymore. We're talking about honest-to-jebus MALWARE which is hard to remove, infects all your browsers (at least IE FF Chrome confirmed) and attempts to redirect you to phishing sites and to prevent you from searching for a way to remove the malware.

And you think it's OK for CNet to add that shit to other people's software, and it's your own fault if you didn't notice that one page between 20 others in the installation sequence where you have to press the different button...

Yeah, maybe there is a way to install those software without getting the malware on the side. But the thing is, users are used to a certain behaviour from installers. They expect that they will be able to install the software that they downloaded, by pressing the ok button repeatedly, because it's a common convention on how installers work. Furthermore, if they've used the same software earlier, they've come to trust the software and assume it's not going to install anything malicious on their computers. Then CNet comes and adds their malware to them...

Could they have avoided it, yes, but that's not the point. That would be the same thing as, for example, you'd be complaining to me that you got a virus from all the dwarf porn you downloaded, and I'd be like "well, it's your own fault for using windows, you wouldn't have gotten viruses if you used linux". Technically true, but not helpful to your situation, and doesn't excuse the acts of the people who wrote and spread the viruses.
Scnal's avatar
Ads to a malware-esque toolbar. CNet isn't supporting it themselves, they've just been paid to feature it in their installer. Which they've been doing for a long time, as have many others. You can't blame this on them specifically.

CNet wants money. I don't like the practice but I understand it, you can't pay money to keep a large server running all year if you don't get any money. Besides, last time I checked it's 3 pages, which even people with ADHD should be able to go through without a problem.

And most people should've come to expect ads in their installers too. It's not hard at all once you consider that with a giant colorful image is a logo for a toolbar that you didn't ask for, with the words "would you like to install the x toolbar?" in large text.

I'm not defending the guys that made the whatever toolbar "virus". I don't like anyone that makes toolbars for anything beyond personal use to be honest, I don't like the guys that make badly made trojans either. It's just that you're blaming all this on CNet and CNet alone, they didn't make the toolbar and they certainly don't enforce or endorse it, they got paid just like how everyone else's toolbars got featured.

Not quite. In that example you're blaming it more on the virus itself than on the media of distribution (that is, downloading porn). Now in this argument, you've never even mentioned the virus as being the threat here, you've just been going on about how bad the media of distribution is (CNet's installer).