Download.com accused of wrapping nmap in a "trojan installer"

Download.com's installer has a "special offer", just click accept The author of the network scanner Nmap has accused CBS Interactive and CNET's Download.com of wrapping the open source application in a proprietary installer. Download.com is a popular download site for both open source and proprietary applications. In the past, it has offered untouched downloads of applications from its servers, but over the last six months that has changed. According to Gordon "Fyodor" Lyon, who details his issues in a posting to the Nmap Hackers mailing list, the installer "does things like installing sketchy 'StartNow' toolbar", changes the default search engine to Bing and sets the home page to Microsoft's MSN.

Lyon describes this as the actions of a "trojan installer" and backs the claim up by showing that if the installer is unpacked and sent to VirusTotal it reports that ten of 42 scanners identify it as a trojan or adware installer. He also points out that the Nmap trademark is displayed next to offers to install the software, "as if we somehow endorsed or allowed this". He notes that this also breaks the licence of Nmap by wrapping the program in a proprietary installation program. Nmap is, he notes, not under the plain GPL but under an enhanced version which specifically prohibits aggregation into a proprietary executable installer.

Download.com says its scheme is simple for developers to opt-out of: those that object to their software being bundled should email cnet-installer@cbs-interactive.com; the opt out is not automatic though. Download.com says "all opt-out requests are carefully reviewed on a case by case basis". Lyon is seeking a US copyright attorney and is looking to spread word to the hundreds of users who download Nmap from Download.com every week, "so that nobody else falls for this scheme".

This is not the first time the operation of CBS's Download.com site has been called into question. In August, ExtremeTech noted similar behaviour with the VLC media player. The Download.com installer software has been rolled out since July 2011 according to an FAQ from CBS. In a statement in October, Sean Murphy, Download.com VP, said "we understand that the model currently in market is not optimized for all of the Download.com community", but that "it is our #1 priority to evolve the Installer model so that developers benefit in a host of meaningful ways, and have direct influence over how users experience it."

(djwm)