Norton Users Worried By PIFTS.exe, Stonewalling By Symantec
An anonymous reader writes that "[Monday] evening, on systems with Norton Internet Protection running, users began to see a popup warning about an executable named PIFTS.exe trying to access the internet. The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder. There were several posts about this to the Norton customer forums asking for help or information on this mysterious program. The initial thread received several thousand views and several pages of replies in a few short hours before being deleted. Several subsequent posts to the Norton forum were deleted much more quickly. These actions — whether actively covering up, or simply not well thought through — have spurred people to begin crafting conspiracy theories about the purposes of this PIFTS program. I for one am blocking the program until more information becomes available." The current top link on Google for "PIFTS.exe" links to one of these deleted questions on Norton's support boards, which sounds innocent enough: "I searched this forum but did not see PIFTS.exe. Any idea what this is?"
A long time ago I used to recommend Norton products. About 2002/03 you needed to use a special tool to remove their products in case they failed to operate. That was the point that hidden files kept screwing you up all the time. And they have looked back from that philosophy. I used to do a local radio show, and the phone calls were always "How do I fix this damn thing?" Years of bad practices tell us one thing most of all: stop using any Norton product. They will never listen until they take a giant hit to their revenue. Maybe if they return to making real software, instead of spending all this time creating just another update cycle for a revenue stream, they will not change. Your time has a lot of value. Stop wasting it. Dump Norton.
The first one links to a blank page which will redirect in about 20 seconds to a malware site.
The second one is immediately flagged by Firefox as being a "Reported attack site".
This Slashdot article is possibly an attack on the /. community.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
http://forums.zonealarm.org/zonelabs/board/message?board.id=Off-Topic&message.id=19903
Do really dense people warp space more than others?
I'm not any good at assembly, but to me it seems as if PIFTS.exe both reads and writes to/from the registry and other files. It even appears to look out for debuggers (see line 8093). Other interesting addresses in the .asm file:
34308: SWC00413C88__PIF__B8E1DD85_8582_4c61_B58F_2F:
34309: unicode '\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}',0000h
--
34370: SWC00413E78__60333AE5_B66E_4994_B15C_CA2D665:
34371: unicode '{60333AE5-B66E-4994-B15C-CA2D665CDC89}',0000h
--
34373: SWC00413EC8_systemState:
34374: unicode 'systemState',0000h
34375: SWC00413EE0_SOFTWARE_Symantec_PIF__B8E1DD85_:
34376: unicode 'SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine',0000h
--
34430: SWC00413FA0_http___stats_norton_com_n_p_modu:
34431: unicode 'http://stats.norton.com/n/p?module=2667',0000h (this looks very interesting!)
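The listing above is a strings dump with the interesting entries picked out by hand. As an added example (not code from the page, the reddit thread or Symantec), here is a small Python tool that does the same triage automatically: it pulls ASCII and UTF-16LE runs out of a binary the way sysinternals `strings` does (the listing's `unicode` directives are UTF-16, which a plain ASCII strings pass would miss), then flags URLs, registry keys, file paths and GUIDs. The sample buffer is constructed here from the strings quoted in the listing and is not a copy of PIFTS.exe; the triage rules and the minimum run length of 6 are my choices.

```python
"""Pull ASCII and UTF-16LE strings out of a binary blob the way sysinternals
strings does, then flag the ones worth a second look: URLs, registry keys,
file paths and GUIDs."""
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Order matters: a registry key also contains a GUID, so test for the key first.
TRIAGE = [
    ("url", re.compile(r"https?://\S+")),
    ("registry", re.compile(r"(?:HK[A-Z_]+\\)?SOFTWARE\\[\w\\{}\-]+", re.I)),
    ("path", re.compile(r"[A-Za-z]:\\[\w\\.\- ]+")),
    ("guid", re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)),
]


def extract_strings(blob):
    """Return [(offset, encoding, text)] for every printable run, sorted by offset."""
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(blob)]
    return sorted(hits)


def triage(blob):
    """Return [(kind, match, encoding, offset)] for strings that hit a triage rule."""
    out = []
    for off, enc, text in extract_strings(blob):
        for kind, rx in TRIAGE:
            m = rx.search(text)
            if m:
                out.append((kind, m.group(), enc, off))
                break
    return out


def _u16(s):
    # UTF-16LE with the double-NUL terminator the `unicode '...',0000h` lines show.
    return s.encode("utf-16-le") + b"\0\0"


# Constructed sample: the strings quoted from the PIFTS.asm listing, stored as
# UTF-16 between filler bytes. This is test input, not the real binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + _u16("systemState")
    + _u16("\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}")
    + b"\xcc" * 8
    + _u16("SOFTWARE\\Symantec\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PifEngine")
    + _u16("http://stats.norton.com/n/p?module=2667")
    + b"PADDINGXXPADDINGPADDINGXX" + b"\x00" * 8
)

if __name__ == "__main__":
    for kind, value, enc, off in triage(SAMPLE):
        print(f"{off:#08x} {enc:<8} {kind:<8} {value}")
```

Run it against a real file with `triage(open(path, "rb").read())`. Note that the ASCII pass cannot match inside UTF-16 data (every other byte is NUL) and the UTF-16 pass cannot match plain ASCII, so the two passes do not double-report; "systemState" and the PADDINGXX filler are extracted but hit no rule, which is the point of the triage step.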
Don't just tell us about - report it! http://www.google.com/safebrowsing/report_badware/
Humor from a Genetically Molested Mind
No it's not it's silently collecting stats. Check out: http://stats.norton.com/n/p?module=2667&product=NSW&version=200.10.0.109&e=1.4.5.91&f=1.4.5.91&g=0&h=2&i=0&j=1.4.5.91
Give it bad input, and you will see that it's just a Tomcat server that takes REST URIs.
PIFTS.asm can be downloaded here: http://www.mytting-ikt.no/PIFTS.asm
Somebody traced the execution, and linked it here:
http://www.reddit.com/r/reddit.com/comments/83hjr/symantec_covering_up_the_piftsexe_file_and/c0857t5
Furthermore 4chan's /b/ seems to have a field day with this. Norton discussion boards appear very slow.
Here are the strings: http://pastebin.com/m1e207a78
Strings is available from sysinternals. If you ask me, it's cute and funny when MS-Bashers put their foot in their mouths before doing any research to back up their snide comments.
Norton discussion boards appear very slow.
You mean disabled after seeing that moderators can't keep up with the posts about PIFTS?
have you been defaced today?
I've seen code like that before. In my days working as a digital forensics dude, the text at the beginning appears to be the text that happens to be part of an image, most likely a jpeg or bmp (but the FF D8 FF jpeg header wouldn't show up, and the BM bitmap header doesn't appear). The last part indicates that it most likely has a gui of some sort that it doesn't want to reveal. There doesn't appear to be any packing involved.
However, what's really interesting is the inclusion of this line: http://stats.norton.com/n/p?module=2667
Line 1677.
Above that? Hints to the pif engine in the registry. It'd be worth it to check out whats in those registry keys as well.
Anywho, looks to be part of the personal internet firewall, but the fact that it's rootkitted means that any and above is just conjecture and we're all doo
P.S.
I should mention I was banned from the forum a few minutes ago - hence my anti-Norton Forum bias.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
If that really were the answer I could almost respect it... I mean really, it works pretty well for the CIA.
Try not to take me more seriously than I take myself.
Some interesting things in there:
This seems to indicate that, at the very least, it's not some random virus that managed to sneak into the installer; it's either an actual Norton program that does something fishy Norton doesn't want to admit, or a Norton program that got infected with something. I wonder what's in those registry keys.
Interesting, it reports stats to Norton somewhere, perhaps?
This seems to pretty clearly indicate that a URL for a GET request is created for some purpose.
So there's a .DLL too, did anybody post that one?
There may be a .log file somewhere, named with a timestamp
Something that might appear in the log file, perhaps? What is it pinging, and why?
Looks like a path from the development computer that accidentally got into the binary. Names unfortunately don't seem to explain anything though.
I've read a lot of reviews (Gizmo freeware, for example) : http://www.techsupportalert.com/best-free-anti-virus-software.htm which don't support this view.
Kaspersky seems to not have won out too well recently too.
Can you post a link to back up your argument?
Conversion Rate Optimisation French / English consultant
I've submitted the file to ThreatExpert, and the report is available here: http://www.threatexpert.com/report.aspx?md5=91b564d825a3487ae5b5fafe57260810
It appears as if this is a statistical reporting tool, given the URLs to which it calls home. All in all, it seems reasonably innocuous -- even if Symantec's response to it is unnecessarily heavy-handed.
The Freelance Wizard
I have a copy of PIFTS.exe now and am examining it.
Notes:
1) It is small
2) Internally it is a "patch tool" from patch "021809db"
3) The Operating System function calls it makes are generally non-threatening
4) It accesses the registry (Norton products) and does some kind of date based validation
My guess is... It is an activation checker of some kind. It looks like it is pulling the registration information from the registry and checking it against file dates.
It also seems to copy itself to the temp folder on execution, although I'm not entirely sure as to why.
I won't disagree that NOD32 is an excellent scanner... but AVG is certainly not "the worst". I don't know where you get your data from, but at http://www.av-comparatives.org/seiten/home.html (follow Comparatives, then On-demand to get to the chart) you can see that AVG got 94.3% detection. Avast was slightly better than that at 97.3%. NOD32, interestingly enough, got a 93.0% detection. I'm not saying AVG or Avast is better, but with that information you can't say it's "the worst" either.
I've had far better experiences with AVG and Avast on my machines, as well as my customers' computers, than McAfee (84.4%) or Trend, for example. I've only experienced 1 virus in the recent past (a rootkit, no less) that was not cleanable by AVG/Avast... had to do that manually. On that machine, the virus got in past McAfee... for what it's worth.
Anyway, so with the data above... what's your reference for saying that AVG is "the worst"?
Replying to myself,
On reddit there's a link to a decompiled version.
It seems to do pretty much what I guessed. However, there are various function calls scattered through the code, like "sub_4022C0();", which aren't in the decompiled code, and probably come from a DLL.
So it looks like the .exe itself is just WinMain that calls the functions that do the real work, reports stats and does some logging. Whatever it actually does seems to be elsewhere.
That's a good idea. Although this coding horror post is about a year old, it's a note on how much anti-virus software slows down your machine. Norton leads the pack with an amazing 46% slower boot, 20% slower CPU, and 2400% slower disk access time.
Coding Horror: Choosing Anti-Anti-Virus software
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
Make a .job (scheduled command) to open your command prompt a minute from the time you create it. After it opens, crash explorer.exe and then restart it from the command prompt; you're now logged in as System. You should have access to that file. You can access everything as System. Does this work for you? Either that or boot a live CD and run 'strings' over the file... anything interesting there?
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
No, Symantec Endpoint Protection is just as crappy. It's not Norton level of shit but it's there. It still likes to eat CPU cycles for no reason and randomly crash. Also, as an added feature, it marks many Windows network tools like Angry IP Scanner, Blues Port Scanner and Ethereal as "Hacking tools" or other such garbage. Makes diagnosing problems with users' PCs quite entertaining as I get to box with the virus scanner on top of everything else.
The PADDINGXXPADDING is just a standard artifact of the Visual C++ build process - there's a manifest XML string that's added to the .exe (for 'side-by-side' DLL dependency handling), and padding is added for some internal alignment requirements. (This article says the UpdateResource API is what adds that string). So it's nothing unusual or suspicious.
Symantec Caught in Norton Rootkit Flap
"Symantec Corp. has admitted to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers..."
http://www.eweek.com/c/a/Security/Symantec-Caught-in-Norton-Rootkit-Flap/
Not that I've been to Norton's forums or anything, but I would assume by registering on Norton's forum, you agreed to their TOS, which probably state they can censor anything they want and ban anyone they want for any reason.
*checks the forum rules at Norton*
Hmm...maybe the argument could be made, but it wouldn't be a very strong argument. To make the argument would require such an insane stretch of their Participation Guidelines that I don't think anyone will accept an official explanation for the deletion of posts.
Honestly, I think it'd be easier to make up with a reason for PIFTS.exe than it would be to make up a reason for deleting the forum posts on it.
Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
1. Most reviews on the Internet are pure crap. Either they are shills, paid and/or unpaid, or they are lifted from and/or linked from other sites related to whatever site you happen to be on at the moment. Search for reviews, and you will find many that are verbatim the same. Either site ops snarf them from wherever to fluff their lame pages, or people mass post, pasting the same thing in over and over. Niiice. I know, there are reputable sources for reviews. At least until they get found out either taking favors for favorables, or being lazy and reviewing products a month before release.
2. I ditched Norton last year at home - all gone. The first time in at least 19 years, I think, that I haven't had a Norton product on at least one of my machines. AVG is doing at least as well, which is to say that if my wife didn't click on those IQ tests and 'vote now' links, my machines would be free of nasties. A pox on their souls.
Picking a review site is my least favorite task. Hate it.
Oh, and I use my Linux boxen to browse 'questionable' sites. Seems they don't get infected. Or, if I'm really scared, my phone. hehe, let them attack that. The G1 Steel browser doesn't seem to get infected either if I set the agent to 'Desktop'. harrr.....
deleting the extra space after periods so i can stay relevant, yeah.
Disable the HTTP scanning module (which is recommended anyway on webservers). I think it hooks into the TCP stack so it can scan things which will never be written to disk as they enter your PC, e.g. javascript files used by webpages etc. You don't really need that module for it to work effectively though.
I fucking just LOVE it when people post "information" which is not backed up by any source or link or anything.
http://www.virusbtn.com/news/2008/09_02
Here are the latest results I could find. Note that AVG is NOT the worst by far. The free version only suffers in its lack of detection for malware, but the GP did not say that the free version was installed. Now Avira comes out smelling like a rose in these tests, so of course they are recommended, but AVG is also very good.
Actually, last time I installed AVG that was turned off by default.
Original submitter of the article here (wasn't logged in last night). Clever maybe, but not the case. I got the popup from Norton last night asking me to allow or block this executable's internet connection attempt. It was around 10 o'clock I believe. The initial few threads on Norton's forum were completely legitimate and no one was throwing around conspiracy and virus accusations. The problem started when Norton mods started deleting the threads, and blocking the people who posted them from creating more. About 1:30 I went to bed, having found nothing concrete. At that time there were a number of posts around the net, most notably the Zone Alarm forum (since Norton was deleting things). At that point the Norton boards weren't being raided by 4chan at all -- that happened sometime overnight/this morning.
The file is real -- I can send you a copy if you'd like -- and appears to be part of some Norton update. Really the only problem here, and what triggered everything was that Norton was trying to delete any mention of it from their forums. As many others have pointed out, this leads me to believe that either the file is something Norton doesn't want in the open because they're tracking/doing something they don't want us to know about (tracking personal info, rootkit, whatever) or that somehow the Norton update was compromised and sent out a file that they're desperately trying to cover up/fix.
I haven't disassembled the file, but I was looking at it in a hex editor last night when I noticed all the ascii "PADDINGXX" at the end of the file, which strikes me as odd and doesn't seem to have a readily available reason to be in a legitimate file. There's no more code after the PADDINGXX sections, so it seems to be there only to ensure that the executable is a specific size.
No, and that is exactly what I'm saying. That is not a virus (something that propagates itself without user intervention).
Something that requires social engineering (lure of porn in this case) to get the user to run it is something else altogether. And like I said there is no way to protect any platform from the user who chooses to download malware and run it.
As the island of our knowledge grows, so does the shore of our ignorance.
Though, another commenter pointed out that the PADDINGXX thing is a legitimate side effect of some Visual Studio compilation. Haven't gotten a chance to check on that, but if that's the case then I'm definitely just leaning on the "legitimate file that for some reason Symantec didn't want us to ask about" train.
After you did the Add/Remove Programs, how did you get rid of Norton Antivirus programs?
If you believe that this actually removed them, then you are very, very wrong.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
Symantec has responded - see this article:
http://voices.washingtonpost.com/securityfix/2009/03/symantec_users_complain_of_mys.html
Padding is often used to make the section of an executable line up with a boundary of some sorts. 4kb is pretty common. Most of the time you will see 0s all the way to the end of the file, sometimes with the last few bytes being a path string to the pdb file. Replacing those 0s with "PADDINGXX" like in this case is nothing to get worked up over.
Of course, the problem with that justification for deletion being that 4chan spamming didn't start until sometime overnight or this morning. Hours earlier several completely legitimate question threads had been deleted with no explanation.
Link to symantec forum post http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=39119&query.id=294747#M39119
Sorry, copied the same link twice. Here's the other:
http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39123
Ride the skies
Symantec has (finally) responded with a sticky on the forum from "davecole".
It's a statistical reporting tool that is normally included in patches, however due to an internal screwup, it was not signed. Because it was unsigned, the firewall looked at it quite skeptically.
They also attempt to explain their actions on the forum; from their description, it sounds like a typical Ebaums/YTMND raid. Their admin response was to carpet bomb the forums with bans and deletions indiscriminately. I don't think this is very professional of the admins; it reminds me of how Habbo responded back in the day. When you're the mouthpiece of a company that size, you should know that an overly aggressive response to a raid will do you more PR damage than just letting it go.
Legalize recreational marijuana. Seriously.
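Two of the checks argued over in this thread can be settled from the PE headers alone: whether the PADDINGXX filler sits inside the last section (the build-process explanation given above) or past it as an overlay, and whether the file carries an Authenticode security directory at all (Symantec's explanation was that the patch tool shipped unsigned). As an added example, not code from the page, the reddit analysis or Symantec, here is a Python tool that parses a PE's section table and data directory 4 (the security directory, whose first field is a file offset rather than an RVA), then reports the overlay size, the filler pattern, and whether any overlay is exactly the signature blob, which is the one overlay a signed file is expected to have. The single-section PE32 image it builds for its own test is constructed in memory and is not a copy of PIFTS.exe; the treatment of a 16-byte repeat of "PADDINGXXPADDING" as the filler pattern is an assumption based on the thread's description.

```python
"""Triage the tail of a PE file: is the trailing filler inside the last section
(compiler/UpdateResource padding), is there an overlay past the last section,
and does the file carry an Authenticode security directory at all?"""
import struct

PAD_PATTERN = b"PADDINGXXPADDING"   # assumed filler written when .rsrc is aligned


def parse_pe(data):
    """Return (file_alignment, (security_offset, security_size), [(name, ptr_raw, size_raw)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    file_alignment = struct.unpack_from("<I", data, opt + 36)[0]
    dd = opt + (96 if magic == 0x10B else 112)          # data directories: PE32 / PE32+
    security_dir = struct.unpack_from("<II", data, dd + 4 * 8)   # entry 4: (file offset, size)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        sections.append((name, ptr_raw, size_raw))
    return file_alignment, security_dir, sections


def analyze_tail(data):
    """Classify what follows the code: in-section padding, overlay, signature blob."""
    file_alignment, (sec_off, sec_size), sections = parse_pe(data)
    name, ptr, size = max(sections, key=lambda s: s[1] + s[2])
    end = ptr + size                      # first byte past the last section's raw data
    raw = data[ptr:end]
    idx = raw.find(b"PADDINGXX")          # the pattern only starts a cycle with these 9 bytes
    if idx != -1:
        expected = (PAD_PATTERN * (len(raw) // 16 + 1))[: len(raw) - idx]
        pattern_ok = raw[idx:] == expected
        padding = len(raw) - idx if pattern_ok else 0
    else:
        pattern_ok = False
        padding = len(raw) - len(raw.rstrip(b"\0"))   # plain NUL filler
    overlay = len(data) - end
    return {
        "last_section": name,
        "ends_on_file_alignment": end % file_alignment == 0,
        "padding_bytes": padding,
        "padding_is_paddingxx": pattern_ok,
        "overlay_bytes": overlay,
        "has_authenticode_dir": sec_size != 0,
        "overlay_is_signature": sec_size != 0 and sec_off == end and sec_size == overlay,
    }


def build_sample_pe(code, file_alignment=0x200, overlay=b"", signature=b""):
    """Minimal single-section PE32 built in memory (constructed sample, not a real Symantec binary)."""
    pe_off, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    hdr_end = pe_off + 4 + 20 + opt_size + 40
    ptr_raw = -(-hdr_end // file_alignment) * file_alignment      # align up
    size_raw = -(-len(code) // file_alignment) * file_alignment
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, file_alignment)      # SectionAlignment, FileAlignment
    if signature:                                                 # security dir points at the blob
        struct.pack_into("<II", opt, 96 + 4 * 8, ptr_raw + size_raw, len(signature))
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", len(code), 0x1000, size_raw, ptr_raw,
                       0, 0, 0, 0, 0x40000040)
    filler = (PAD_PATTERN * (size_raw // 16 + 1))[: size_raw - len(code)]
    image = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return image + b"\0" * (ptr_raw - len(image)) + code + filler + signature + overlay


if __name__ == "__main__":
    cases = [("padded, unsigned", build_sample_pe(b"\x90" * 64)),
             ("padded, signed", build_sample_pe(b"\x90" * 64, signature=b"\x30\x82" + b"\0" * 14)),
             ("padded, extra overlay", build_sample_pe(b"\x90" * 64, overlay=b"X" * 16))]
    for label, img in cases:
        print(label, analyze_tail(img))
```

For a real file, `analyze_tail(open(path, "rb").read())` gives the three facts a practitioner wants before arguing about a tail: filler inside the last section and ending on FileAlignment is the linker/UpdateResource case; bytes past the last section that the security directory does not account for are an overlay worth carving; and `has_authenticode_dir` False means there is no signature to verify at all, which matches the "unsigned patch tool" explanation rather than a broken one. Presence of the directory is not verification; for that, use signtool or Get-AuthenticodeSignature on Windows.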
I won't post anonymously. I am in the security field, and I have no current agreements with anyone which would preclude me from agreeing with the quote above.
In my opinion the quote above is not that far off base. It's not exactly a backdoor though, as federal law enforcement agencies do not need back doors to install ML or any number of other sprojans (spy trojans) on Windows machines. While I will absolutely not get into the specifics of how this dll works, I will say this:
Imagine a big honkin' SGI-O2-blue (the type of blue, not the type of machine) refrigerator in a rack, plugged directly into a core router on a big internet hub (or even a small one) and munching down every single packet it sees and analyzing them for routing and content. That's Carnivore.
Now imagine someone's brain beginning to work and realizing that really the most efficient way to see internet traffic is not to do deep-scans on the service provider side, but to instead do all that data harvesting locally on the physical node in question and sending the results periodically offshore (where all domestic spy material must stop first, by federal law) where they're combed through by any number of security people working for the man.
That second one is not Carnivore. It's a much, much more serious matter.