Thursday, May 31, 2012

Download.com Serves Malware To Customers.
It's easier to fall further down a hole
than to crawl back out again.

--
[Updated 2012-05-31 @ 11:45 pm EDT]


The Windows side of Download.com has ruined its credibility in recent months thanks to its General Manager and V.P. Sean Murphy turning the site into a malware rat hole. At least that is the message from an April 24th article at Insecure.org:


Download.com Caught Adding Malware to Nmap & Other Software


Quoting from the article:

In August 2011, Download.com was taken on a new path by their General Manager and V.P. Sean Murphy. They started wrapping legitimate 3rd party software into their own installer which by default installs a wide variety of adware and other questionable software on users' machines. It also does things like redirect user search queries and change their Internet home page. At first their installer forced people to accept the malware or close the installer (see screen shot of infected VLC installer in this article). Later they added a non-default "decline" button hidden way on the left side of the panel. Also, the initial installer shown in the previous screen shot claimed the software was “SAFE, TRUSTED, AND SPYWARE FREE”. In an unusual show of honesty, they removed that claim from the rogue installer.
(The bolding is mine in order to point out the apparent culprit-in-charge).

If this report is factual, the self-destructive behavior of CBS's CNET Download.com website is particularly disturbing to me as I have known the guys at VersionTracker for several years. Today I wrote to the creator of VersionTracker for clarification and he replied:
I don't know what they do on the Windows side as I'm not part of that group but I do know nothing gets wrapped or added to files on the Mac side.
I can verify that there is no evidence implicating VersionTracker's Mac software downloads. I am constantly running anti-malware on my Macs as part of my studies of computer security. None of the Mac software I have downloaded daily from VersionTracker has been infected with any form of malware. I am loath to advise avoiding the VersionTracker aspect of Download.com.

Nonetheless, anyone concerned about maintaining maximum Mac security might wish to consider using another software download website. Despite its own ethical failures, I can equally recommend MacUpdate.com.

(Note: MacUpdate has, IMHO, been a deliberate and persistent marketing pawn of ZeoBIT, the shameful developers of MacKeeper. This problem has been made evident by MacUpdate's tolerance of ZeoBIT-paid 4- and 5-star MacKeeper review bombing. I should point out that VersionTracker has tolerated the same paid positive review bombing. Of course, compromised user reviews are a trivial issue next to infecting customer downloads with malware.)

Sigh. 
The Spirit of the Age in business remains: 
Abuse Thy Customer.

No wonder our human world is stuck in an ongoing, long term economic depression. :-P


Thankfully, I continue to have faith in VersionTracker's Mac download sub-site over at Download.com.
--

Thursday, May 10, 2012

Chaos In The Field Of Anti-Malware

--
Today I wrote a comment in response to an article at ZDNet by my colleague and anti-malware collaborator Ed Bott.


The subject of Ed's article brought to mind my main discomfort with the field of anti-malware. When I started studying the subject back in 2005, I was expecting something professional, along the lines of my extensive training in science. Instead I found the field to be remarkably chaotic.

Here is the comment I posted in response to Ed's article:

Common Terminology, Scientific Approach
As an amateur in the field of Mac malware and writer about the subject since 2007, I've consistently found that the anti-malware community, particularly the anti-malware business, is unscientific and uncooperative. It's full of contention with people arguing over what means what, who named what first, whose malware naming convention is the best, on and on. The result is a chaotic mess that obviously confuses anyone casually trying to understand what's going on. There is no overview organization for the field. There is no peer review. There are some standards, but breaking those standards is the rule.
Therefore, when casual viewers mess up their terminology or make incorrect emphatic statements, I tend to be forgiving. If the anti-malware community really was scientific by nature, I'd take a stricter view. But it's not. Therefore, casual viewers are going to get things wrong without having any thoroughly reliable source of information from which to gather knowledge or opinions. 
For example, I had a conversation with the owners of a software download site on the net a couple years ago which revealed they had no comprehension of common terminology applied to malware. Every malware was a 'virus' to them. In turn they were sharing this misunderstanding with their users, who in turn repeated the same misinformation within their social circles.
As an example of pointless contention between anti-malware companies, why did Kaspersky have to come up with its own name for a Mac Trojan horse series, 'Flashfake', for what had already been published as 'Flashback' months ahead of time?
In this field, confusion is inevitable.

Maybe with time and experience, the field of anti-malware will mature. Meanwhile, we flounder.
--