UltraVNC

[B]

Please let everyone know -- CNet / ZDNet / Download.com / CBS Interactive is NO LONGER TO BE TRUSTED. They now wrap adware/spyware trojans around otherwise legitimate files!

CNet is no longer a safe place to download files. We have in the past recommended them as a "mirror" location to find UltraVNC.

Apparently they've turned evil, and are now requiring their own useless "installer", complete with adware!

And YES, they're doing it to UltraVNC too!

I almost can't believe it.

I only noticed because I was searching out a driver for a Sony Eyetoy webcam, and there are really no big name sites that carry it, except for DriverGuide, which has always been kind of a shady site.

At first I was relieved to find a copy of the "EOCP" driver at CNet... until I noticed the file was named "cnet_wb0_9_311007_INSTALLER_zip.exe" and was much smaller than the other drivers I found on the net.

(For more on a working SLEH-0030 EyeToy driver please see viewtopic.php?f=7&t=28693 )

Guess what? The "UltraVNC" program there is ALSO just 444 KB, and is renamed "cnet_UltraVNC_1_0_9_6_1_Setup_exe.exe"

Complete with the double .EXE suffix so loved by older malware writers!

The only news report I found about this awful turn of events is at

http://www.ghacks.net/2011/08/17/the-cn ... installer/

http://gbatemp.net/t305444-cnet-downloa ... try3843509

According to VIrusTotal and Jotti.org, the following antimalware programs report the CNet malware as:

ByteHero 1.0.0.1 2011.08.20 Trojan.Backdoor.Gen.a

DrWeb 5.0.2.03300 2011.08.20 Adware.Zugo.38

Jiangmin 13.0.900 2011.08.19 Trojan/JmGeneric.bmo

Rising 23.71.03.03 2011.08.18 Suspicious

[Dr.Web] 2011-08-20 Adware.Zugo.38


Please let everyone know -- CNet / ZDNet / Download.com / CBS Interactive is NO LONGER TO BE TRUSTED. They now wrap adware/spyware trojans around otherwise legitimate files!

(For what it's worth, I noticed they do NOT seem to do that to the TeamViewer installer or some other popular program. Perhaps this is some kind of extortion racket too, where publishers have to pay CNet to get a clean listing?)

I suggest we order CNet to remove their unauthorized trojanned copy of UltraVNC from their site.

As an alternative, Softpedia still seems clean, and offers their own "secure" download as well as uvnc.com mirrors, all free and without BS "installers". (Strangely they list UltraVNC as "Ad-supported / FREE" which doesn't seem quite right.)

[Rudi De Vos]

Added notice on our download section
http://www.uvnc.com/downloads.html

[Oliver]

Folks, this could of course be true, but I think it may very well be a false alarm as well. Even false positives spread quickly inside the industry. One would have to look at an actual example in detail in order to see whether this is actual malware.

Either way wrapping it in some own installer is iffy in my opinion.

[B]

It's not a false alarm; CNet doesn't deliver the file you requested, but instead forces you to accept their "downloader" first, like many less reputable (and sometimes malicious) sites before it.

But yes, the individual malware flags and trojan IDs (as reported by the various antivirus engines) are NOT the issue to me either. I was alarmed before I even submitted the files for analysis. Even if they had come up "clean", it's the replacement of the desired (and stated) file with an unexpect CNET-branded (and adware pushing) installer/wrapper that is inexcusable and unethical behavior on CNet's part. (In my opinion!)

[Oliver]

It's not a false alarm; CNet doesn't deliver the file you requested, but instead forces you to accept their "downloader" first, like many less reputable (and sometimes malicious) sites before it.

But yes, the individual malware flags and trojan IDs (as reported by the various antivirus engines) are NOT the issue to me either. I was alarmed before I even submitted the files for analysis. Even if they had come up "clean", it's the replacement of the desired (and stated) file with an unexpect CNET-branded (and adware pushing) installer/wrapper that is inexcusable and unethical behavior on CNet's part. (In my opinion!)

Fair enough. I guess working in the industry and seeing false positives regularly got me a bit skeptical

[B]

Of course, I understand. And most of the ID strings were for "generic" trojan detection, so they COULD easily be false positives (hey, it happens to VNC all the time).

Anyway, the adware CNet's currently bundling, Babylon Toolbar, has some manual removal instructions at http://forums.spybot.info/showthread.php?t=61869

Apparently it also installs in Firefox without permission, and can be difficult to remove: http://www.technology2days.com/tag/baby ... r-firefox/

Naturally, they may be bundling something entirely different by the time one reads this. (CNet, if you're listening, just dump the installer trick; it's very poor form and devalues your entire "spam".)

[StefanFintea]

As an alternative, Softpedia still seems clean, and offers their own "secure" download as well as uvnc.com mirrors, all free and without BS "installers". (Strangely they list UltraVNC as "Ad-supported / FREE" which doesn't seem quite right.)

Hello,

Softpedia offers clean installers (as provided by the producer), so thank you for recommending us.

UltraVNC is listed as Ad-supported because of its sponsored link/banner:


I hope this will clear things up.

Best regards,
Stefan Fintea
Softpedia Senior IT Manager

[Rudi De Vos]

Just some clarification, it's not adware in the pure sense that the ad is needed to make it working.
But there is an ad...so it could be considered as adware

For thoose people who don't want to see it, you can disable it....

1) command line -disablesponsor
2) registry HKCU\\Software\\ORL\\VNCviewer\\Settings\\sponsor
3) Or via the option panel

[B]

Right... what's funny is that the sponsor ad doesn't appear unless there's a problem (Stefan's screenshot is of an error box). I don't think any other software does it this way.

When UltraVNC is working properly nobody ever sees that ad!

Anyhow, thanks for stopping by, Stefan.

[danbaver]

Hello.

I noticed this yesterday when installing WordWeb onto an image that is going to be used in an elementary school lab setting. I was a little taken aback, and most definitely denied the installation of the Babylon Toolbar. It doesn't appear that anything else has been installed.

Has anyone noticed it installing anything else that could compromise my image? I'm thinking I might just start from scratch after reading this and omit WordWeb... it far from critical.

[B]

CNet seems to claim or imply that nothing else gets installed if you deselect their adware, but I have no idea. Honestly you should probably ask them.

Also, it looks like your software has a mirror you could try at MajorGeeks.

[B]

Some more press on this under-reported issue; apparently they've also been doing home page hijacking for Microsoft Bing and pushing the "StartNow" adware toolbar:

http://lifehacker.com/5833597/downloadc ... installers

http://www.extremetech.com/computing/93 ... otivations

http://news.ycombinator.com/item?id=2910554

http://blog.chron.com/techblog/2011/08/ ... ou-wanted/

Oh CNet, what's become of you... I stopped going there for tech news 5 or 10 years ago, but THIS.... they're not even a viable download site any more.

[tecknight]

I agree 100%, this issue is VERY underreported !!!
I am very surprised one of the big news outlets did not pick up this story, because to me, this is a real travesty !!
They are not even offering your file until/unless the user accepts the @#%%$ malware first !!
This is SO wrong !!!
Thank you for the info !!!

[raglady]

Thank you for the info, Softpedia seem to be more "clear"than them.

[supercoe]

Add http://www.brothersoft.com to the list, I noticed today they've sold out in the same way.

[B]

"Brothersoft" has been turning up with fake or malicious links in Google searches for a long time; I don't know that I ever trusted them for anything.

[supercoe]

Gotcha, I don't use them on a regular basis but during some google fu today I noticed that they were doing the download manager thing as well.

[maxxxpower]

That sucks. I used to be able to get cool stuff from Cnet.

[CaitPes81]

This is very disappointing. I used to really trust everything from download.com no I just have to spend more time looking for safer sites to download from.

[Peter.Butler.DLcom]

Hello there, UltraVNC community.

After receiving and reading a large amount of feedback about the new Download.com Installer, we've identified three main sources of questions and confusion:

1. The security and safety of the Download.com Installer software itself
2. The security and quality of the included offers in the the Download.com Installer
3. Download.com's rationale for using the Installer

1. The Download.com Installer does not include any spyware or malware, nor do any of the offers included in the Download.com Installer. The Download.com Installer is optional and does not install anything to your computer, nor leave behind any components when deleted.

We have worked with security publishers to ensure that the Download.com Installer conforms with the necessary standards of security. There are a very few products that identify the Download.com Installer as malware; we believe those results are false-positive detections, and we are working hard to correct those problems by providing access to the Installer to security publishers and tweaking it as necessary to meet their guidelines.

2. The Download.com staff vets every offer included in the Download.com Installer to make sure that they all meet our standards of acceptability. We have reacted quickly to negative comments about offers from our users, and we will continue to do so. Additionally, we are actively working with our network of software publishers so that we can continue to add new, quality offers to the Installer flow.

3. The Download.com Installer is designed to make installing software easier for our users, and to grow our business so that we may continue to invest in new, more efficient means of distributing software around the world.

Research and user feedback indicates that many people who download software don't or can't install it. One consistent installer logo for all software from Download.com allows users to easily find and launch the software that they have downloaded. The Download.com logo and installer also demonstrate that the software has been fully tested and found secure.

Thank you for the feedback thus far. We are very interested in what our users and developers have to say, and we look forward to hearing more as we iterate on this new feature.

Cheers,
Peter Butler
Senior Catalog Manager
Download.com

[B]

Ludicrous!

"The Download.com Installer is optional and does not install anything to your computer, nor leave behind any components when deleted."

The "installer" doesn't INSTALL anything? It's "optional" but you can't get the program you want without running it? What kind of new level of corporate nonsense is this?

I'm sure you're aware that the terms spyware and adware long ago became inexorably intertwined (security professionals see little or no difference). CNet's installer's reason for existence is to deliver adware, and thus the installer itself is reasonably called Spyware.

Nearly every program CNET offered (or has ever offered) for download ALREADY INCLUDED its own installer. You are fooling absolutely no one.

There is absolutely no VALID reason to do what you've done, other than your apparent desire to destroy your spam. But thanks for stopping by and trying to stem the bad press resulting from your hostile actions against your previous user base. I expect your recent download stats are reflective of your new spyware status?

[Oliver]

I'm sure you're aware that the terms spyware and adware long ago became inexorably intertwined (security professionals see little or no difference). CNet's installer's reason for existence is to deliver adware, and thus the installer itself is reasonably called Spyware.

True, but from my time at Lavasoft I can tell you that tagging something one or the other usually means walking a very fine line. Unlike with "real malware" (with which I deal at FRISK nowadays) spyware and adware are in a grey area.

@Peter:

1. The Download.com Installer does not include any spyware or malware, nor do any of the offers included in the Download.com Installer. The Download.com Installer is optional and does not install anything to your computer, nor leave behind any components when deleted.

Optional but default, right?

I just tried to download WinDirStat of which I am the current maintainer and I couldn't really find an option to get the download without your installer. The next release of WDS, for example, will be signed with my own Authenticode cert and therefore a wrapper rather disguises that information, don't you think?

3. The Download.com Installer is designed to make installing software easier for our users, and to grow our business so that we may continue to invest in new, more efficient means of distributing software around the world.

Research and user feedback indicates that many people who download software don't or can't install it.

From feedback of WDS users I concur. The problem, more often than not, seems to be PEBKAC.

One consistent installer logo for all software from Download.com allows users to easily find and launch the software that they have downloaded. The Download.com logo and installer also demonstrate that the software has been fully tested and found secure.

This actually does make sense to me, however, wouldn't something along the lines of the Ubuntu software center just for Windows be a better choice? Because from what I see your installer doesn't really solve a problem for adept users, only for those who are insecure.

Adept users would probably love a package manager of a kind where they would get update/upgrade notifications for their favorite software instead of having to do that in every single piece of software. I for one would love it. The package management on Debian/Ubuntu is one of those major advantages those systems have over Windows and nothing is in sight that would change the situation for the better (on Windows) ...

Edit:
@B: the installers from CNET are signed. So they are kind of betting their reputation that the contained software is clean.

[supercoe]

Funny, I see that UltraVNC no longer downloads the cnet downloader and direct links to the setup file but TightVNC (and other software) isn't this way... was this changed because of our complaint here?

Although we appreciate a good discussion on any topic it will be hard for you to explain how the cnet downloader is a good thing for anyone but you. Especially in a community dedicated to free opensource software!

Don't get me wrong, we all make money with advertisements on our websites (some more than others) and I'm fine with that.
I get why you want to screen adware to your standards and push it on people with this tool, this is a way you make your business work.

My problem is that you are preying on people to stupid to uncheck a box which according to my standards is just plain wrong.
All you've done is pissed off users such as myself from ever using/recommending your site because:
A) It's 444kb more to download, one more file to delete and another set of next,next,uncheck adware,next,finish
B) Why would I want to confuse someone further by giving them more options of stuff they clearly would not want installed if they understood what was happening.


Research and user feedback indicates that many people who download software don't or can't install it.
Explain how adding ANOTHER set of menus before launching the installer is helpful?
Your tool doesn't help the user install the intended software at all it simply launches the installer after offering crapware. (which by the way could have been done with a much smaller executable)


One consistent installer logo for all software from Download.com allows users to easily find and launch the software that they have downloaded.
Except when the user has 10 of them in their downloads folder and they all start with "cnet_". yea... that makes it much easier....


Sorry to sound hostile but what you've done is a fine example of the worst thing you could do in the entire existence of computer software and is a cue to everyone that's seen it before that you are going down.
A real bummer, instead of evolving download.com into a great tool like in Olivers example you've turned it into something to hate.


Also, I think it's neat that this forum attracts enough attention to make you want to explain your side!

[B]

Yeah, Oliver, I was going to mention the PEBKAC problem and why this spyware installation wrapper is so far from any real solution to that, but that subject gets muddy pretty quickly, trying to draw the line between user education and freedom versus just locking them out completely (a la Apple). It's somewhat of a Catch-22 -- anyone ignorant enough to need CNet to launch an installer for them really shouldn't be randomly installing software in the first place. (Ironically the whole value of CNet in the past was that it really WAS a fairly trustworthy place for newbies to acquire software.)

It's not even as if CNet gives you an application that presents an app store or apt-get repository / directory through their trusted app. (I like that idea of yours, and I think there have been rumors that MS is going forward with that?) You can't even use it browse for software. Instead, you're downloading a new copy of the spyware wrapper EACH time you try to download a distinct piece of software -- it's just worthless.

Anyway, interesting to learn you work for Frisk. I am an old time F-Prot fan but haven't worked with their engine in years. (The USA licensing was very weird when I last checked it out, with several distributor flavors as well as a direct option.)

[Oliver]

Don't get me wrong, we all make money with advertisements on our websites (some more than others) and I'm fine with that.

Nope ... not on any of my sites to be precise.

Explain how adding ANOTHER set of menus before launching the installer is helpful?

Actually he did. Consistent logo and they're signing their wrappers.

Except when the user has 10 of them in their downloads folder and they all start with "cnet_". yea... that makes it much easier....

Fair point, but then I rarely ever downloaded from CNET in the past (too complicated for my taste).

It's not even as if CNet gives you an application that presents an app store or apt-get repository / directory through their trusted app. You can't even use it browse for software. Instead, you're downloading a new copy of the spyware wrapper EACH time you try to download a distinct piece of software -- it's just worthless.

I think there is added value in the logo (for those needing it) and certainly in the signing, because since Vista the UAC dialog will show "happy blue"

... but the added value is small indeed and whether it offsets the toolbar installation (default: checked) is questionable.

@Peter: I got many many offers to bundle our WinDirStat installer with toolbars et al. Besides the fact that most of these mean more gain for the toolbar vendor than for the project, I have resisted it because of sentiments similar to those B and supercoe are expressing. There has only been one offer I liked. That one was basically "recommending" other freeware, shareware or FLOSS as a step before the installation. That is: I as the author decide which software I also use and want to recommend (and that's a long list including even some shareware) one of these would be picked and "offered" during installation. Haven't decided to go for it, but it's certainly a friendlier model than the one we see from CNET.

Anyway, interesting to learn you work for Frisk.

Dang. Now it's out

@Stefan, Peter: added you as full members despite your post count, so you can make full use of features such as private messaging.

[B]

It's not even as if CNet gives you an application that presents an app store or apt-get repository / directory through their trusted app. (I like that idea of yours, and I think there have been rumors that MS is going forward with that?)

Ah, here, it's called the "Windows Store", for both normal and "Metro" applications, but apparently Windows 8 only.

http://www.pcworld.com/article/239994/w ... o_far.html

So a good multiplatform 3rd party app store, particularly for clean freeware, seems like a natural.

But this sure ain't it.


Edit: Side note to Oliver- personally I would understand if you bundled relatively benign and easily opt-out crapware. I would still HATE it, and it would make me somewhat less likely to recommend your stuff, but I would understand if it weren't egregious. (I still install PDFCreator because it's great, but I have to warn people about the adware.) The real problem is the overall slippery slope, where eventually everything is out to get you, all the damn time. Anyhow, those are developer decisions. This CNet/Download.com spyware installer is a whole separate level, putting in crap out of the control of the actual developers and screwing them out of any of the proceeds, at least as far as I know.

[supercoe]

So what happens if a developer chooses to bundle the Startnow toolbar for financial gain?
Does the cnet Startnow toolbar get to take over since it was forced in there first?

How "fair" is the cnet approved crapware when the developer is pushing the same thing?

Maybe I'm way off but in my field I see this type of software constantly fighting to take over the browsers. (which obviously leads to revenue)

[Oliver]

Maybe I'm way off but in my field I see this type of software constantly fighting to take over the browsers. (which obviously leads to revenue)

Nah, that's easy. They co-exist peacefully

See here: http://blogs.law.emory.edu/elsit/files/ ... ess211.jpg (accompanying article)

[B]

FINALLY some more mainstream attention to this ongoing travesty. Took 'em long enough.

http://news.slashdot.org/story/11/12/06 ... e-software

It's also interesting to note that Peter Butler of CNET/Download.com/CBS hasn't bothered to engage in any dialog here since his one-shot post above.


Edit: Hmm, a poster there points out this is a Slashdot dupe; apparently they previously discussed it two days after we reported it here... http://tech.slashdot.org/story/11/08/22 ... -bloatware


...and now it's crept over to Fark, who just link to the August ExtremeTech article. http://www.fark.com/comments/6791868/Do ... s-your-mom

[Oliver]

http://www.h-online.com/open/news/item/ ... 92501.html