Bundling Toolbars, Trojans?

It wasn’t long ago that I felt comfortable recommending CNET‘s as a reputable and trustworthy place to download software. I’d like to take back that advice: CNET increasingly is bundling invasive and annoying browser toolbars with software on its site, even some open-source titles whose distribution licenses prohibit such activity.

Although this change started this summer, I only first became aware of it after reading a mailing list posting on Monday by Gordon “Fyodor” Lyon, the software developer behind the ever useful and free Nmap network security scanner. Lyon is upset because, which has long hosted his free software for download without any “extras,” recently began distributing Nmap and many other titles with a “download installer” that bundles in browser toolbars like the Babylon toolbar.

CNET’s own installer is detected by many antivirus products as a Trojan horse, even though the company prefaces each download with the assurance that “CNET hosts this file and has scanned it to ensure it is virus and spyware free.” CNET also has long touted’s zero tolerance policy toward all bundled adware.

Lyon said he found his software was bundled with the StartNow Toolbar, which is apparently powered by Microsoft‘s “Bing decision engine.” When I grabbed a copy of the Nmap installer from and ran it on a test Windows XP machine, CNET’s installer offered the Babylon Toolbar, which is a translation toolbar that many Internet users have found challenging to remove.

The CNET download installer that I got for Nmap from was made by CBS Interactive (CNET Networks was acquired by CBS in 2008), and it is detected as malicious by three antivirus products at When I unpacked the installer from the Nmap program and scanned just the installer, 10 out of the 39 antivirus products detected the file as either a Trojan horse or adware.

Lyon said CNET is violating Nmap’s distribution license, which bars any distribution that “integrates/includes/aggregates Nmap into a proprietary executable installer, such as those produced by InstallShield.”

“Of course the problem is that users often just click through installer screens, trusting that gave them the real installer and knowing that the Nmap project wouldn’t put malicious code in our installer,” Lyon wrote. “Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!”

Nmap isn’t alone. Wireshark, another free and widely-used network analysis and security tool, also was being bundled with toolbars through That is, until Wireshark open source director Gerald Combs sent CBS a cease and desist letter.

Combs said had been distributing Wireshark since the early 2000s, back when it was still known under its former name, “Ethereal.”

“It is a little ironic, that you’re downloading these security tools but [] makes you run through this gauntlet of crapware to get them,” Combs said.

Interestingly, CNET does not offer the download installer for “registered users;” those who are registered are offered a direct download link. Also, it appears that software makers who pay CNET to have a “premium listing” can avoid the installer being bundled with their offering.

The CNET download installer will still let users decline the toolbar installations, but the default is of course to install the software. I have asked CBS for comment on the apparent discrepancy between’s no-adware policy and its practices, and will update this blog post when I hear from them.

As I was researching this, I found that I’m a little late to the party on this one. Thanks to that ExtremeTech post, I found this link, in which CNET explained part of the rationale for rolling out this download installer, in a blog posting on July 25, 2011:

2. Why is making this change?

Our testing has shown that as many as half of all people who initiate a download fail to complete the download and install their software. The Installer improves the process by stepping the user through their download and enabling them to more easily find and execute your software’s installer. Other download sites employ similar solutions, but we believe that ours provides more security and utility as well as better consumer protections.

3. How does the Installer improve the download experience?

By downloading with the Installer the user is guaranteed that the file they install on their system came directly from Only software that is tested spyware-free and hosted on’s secure servers may be delivered via the Installer.

In addition, thanks to the clear steps provided by the Installer, the percentage of users who are able to complete the download process increases significantly when using the Installer for their downloads.

Finally, is supported primarily by advertising, and we include offers for additional downloads from advertisers as part of our Installer process. Unlike other download sites that employ similar ad-supported technologies, however, our Installer is limited to a single offer that is carefully screened to ensure compliance with the Software Policies.

4. Is all software on delivered via the Installer?

No. The Installer was rolled out in July 2011 to a limited number of Windows software downloads. At this time we are still evaluating its performance and incorporating feedback from the user and developer communities.

There you have it, readers. If you’re unhappy about this development, let CNET/CBS know how you feel. These toolbar deals no doubt have the potential to earn CNET a lot of money: is a very heavily visited site, and according to Alexa it is the 174th most-visited site on the Internet. But CNET should be more consistent and up-front about its adware policies, or risk losing that ranking in a hurry.

In the meantime, it’s always a good idea to download software directly from the source whenever possible, and to pay close attention to the prompts during the installation process.

Оставьте комментарий