Avatar (Fabio Alessandro Locati|Fale)'s blog

Download.com bundles malware in downloads

December 6, 2011

Gordon Lyon (also known as Fyodor), the creator of Nmap, sent an email yesterday to the Nmap mailing list pointing out that the C|Net Download.com website is altering Nmap downloadable files injecting malware into them. It’s also possible that other files delivered by C|Net Download.com are also subject to the same problem.

This event is a very problematic one since it will create a complete loss of trust toward Download.com. It also reminds us of a critical aspect of security: all chain steps need to be secure and trusted.

There is a point of this whole incident that is unclear to me: how could an event such as this happen? Someone has undoubtedly proposed such a change, and the company management has approved it. How can a person think that the company will get away with it, with no one noticing? The problem in those kinds of events is that it is enough if a single person (Fyodor in this case) will notice it and share his findings, and from that moment forward, everyone will know, and therefore no one will trust the company anymore. It feels to me like a hazardous move.