Wednesday, December 7, 2011

CNet download.com includes trojans - say it ain't so!

CNet's download.com is apparently bundling its own trojan installer with legitimate software.
The story broke wide open when Nmap creator Fyodor discovered this was being done with his software (http://insecure.org/news/download-com-fiasco.html). Nmap is a free network discovery and security auditing tool, and is part of the toolkit used by many security professionals.
CNet's download.com site is a popular place to download free software. By wrapping the installers users request inside an installer of its own, CNet potentially exposes millions of computer users.
In this particular instance, when a user downloaded Nmap, CNet delivered its own installer in place of the Nmap installer, and that wrapper would change the user's default search engine and browser home page. Not only is this deceptive, it violates the license under which Nmap is released. CNet has since removed its wrapper from the Nmap download, but the wrapper is still used on the site for other software packages, likely thousands of offerings.
Even if CNet, which is owned by CBS (yes, the broadcasting CBS), chooses to reverse course, the episode highlights an issue that many security professionals have been warning about for years: how can you be certain that what you're downloading is really what you requested? This has long been common with illegal copies of copyrighted software, movies and music, where users download them illegally and get a bonus piece of malware. Serves them right.
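The practical answer to "is this really what I requested?" is to check the file against a digest (and, better, a PGP signature) published by the project itself, not by the download site. Projects such as Nmap publish hashes and signatures for their releases on their own site. The script below is an added example, not code from this post or from the Nmap project: it hashes a downloaded file with SHA-256 and compares it to a published digest, and then shows the check passing on a genuine installer and failing on a wrapped one. The two installer byte strings are constructed stand-ins; the real digest would be copied from the project's download page over HTTPS.

```python
"""Verify a downloaded installer against the SHA-256 digest the project published.

Added example. The 'genuine' and 'wrapper' byte strings below are constructed
stand-ins for a real installer and a download-site wrapper around it.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Return the hex SHA-256 of a file, streaming so large installers fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_sha256):
    """True only if the file's digest equals the published one.

    compare_digest avoids early-exit string comparison; the published value is
    normalised because download pages list digests in mixed case and with
    surrounding whitespace.
    """
    actual = sha256_file(path)
    return hmac.compare_digest(actual.lower(), expected_sha256.strip().lower())


def demo():
    """Run the check on a constructed genuine installer and a constructed wrapped copy.

    Returns (genuine_ok, wrapped_ok); the wrapped copy must fail.
    """
    # Constructed stand-ins: a PE-like header followed by payload bytes.
    genuine = b"MZ" + b"\x00" * 62 + b"<genuine installer bytes>"
    # A download-site wrapper: its own stub with the genuine installer appended.
    wrapped = b"MZ" + b"\x00" * 62 + b"<download-site wrapper stub>" + genuine

    # What the project would publish on its own download page (hypothetical).
    published_digest = hashlib.sha256(genuine).hexdigest()

    with tempfile.TemporaryDirectory() as d:
        genuine_path = os.path.join(d, "installer.exe")
        wrapped_path = os.path.join(d, "installer-from-download-site.exe")
        with open(genuine_path, "wb") as f:
            f.write(genuine)
        with open(wrapped_path, "wb") as f:
            f.write(wrapped)
        return (
            verify_download(genuine_path, published_digest),
            verify_download(wrapped_path, published_digest),
        )


if __name__ == "__main__":
    genuine_ok, wrapped_ok = demo()
    print("genuine installer matches published digest:", genuine_ok)
    print("wrapped installer matches published digest:", wrapped_ok)
```

A hash only proves the file matches what the project published, so fetch the digest from the project's own site and not from the page that served the file; if the project also signs its hashes or installers (Nmap does), verifying that signature with `gpg --verify` is the stronger check, because an attacker who controls the download page can rewrite a bare hash just as easily as the file.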
But it is troubling to see a company that up to now has been viewed as reputable engaging in the same conduct as purveyors of malware. Hopefully CNet/CBS will realize the error of their ways, stop bundling trojan installers and clean up their act. Otherwise, the market needs to make the decision for them and let them wither on the vine.