Slashdot Mirror

← Back to Stories (view on slashdot.org)

Norton Users Worried By PIFTS.exe, Stonewalling By Symantec

Posted by timothy on from the and-nobody-saw-me dept.

An anonymous reader writes that "[Monday] evening, on systems with Norton Internet Protection running, users began to see a popup warning about an executable named PIFTS.exe trying to access the internet. The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder. There were several posts about this to the Norton customer forums asking for help or information on this mysterious program. The initial thread received several thousand views and several pages of replies in a few short hours before being deleted. Several subsequent posts to the Norton forum were deleted much more quickly. These actions — whether actively covering up, or simply not well thought through — have spurred people to begin crafting conspiracy theories about the purposes of this PIFTS program. I for one am blocking the program until more information becomes available." The current top link on Google for "PIFTS.exe" links to one of these deleted questions on Norton's support boards, which sounds innocent enough: "I searched this forum but did not see PIFTS.exe. Any idea what this is?"

10 of 685 comments (clear)

  1. They used to get it. by rashanon · · Score: 5, Informative

    A long time ago i used to recommend Norton products. About 2002 / 03 you needed to use a special tool to remove their products in case they failed to operate. That was the point that hidden files kept screwing you up all the time. And they have looked back from that philosophy. I used to do a local radio show, and the phone calls were always " How do i fix this damn thing " Years of bad practices tell use one thing most of all. Stop using any norton product. They will never listen until they take a giant hit to their revenue. Maybe if they return to making real software, instead of spending all this time creating just another update cycle for a revenue stream, they will not change. Your time has a lot of value. Stop wasting it. Dump Norton.

  2. Do ** NOT ** search Google for pifts.exe !! by AftanGustur · · Score: 5, Informative
    Two top Google results are to sites which will try to infect your PC with malware.

    The first one links to a blank page which will redirect in about 20 seconds to a malware site.

    The second one is immediately flagged by Firefox as being a "Reported attack site".

    This slashdot article is possibly a attack on the /. community.

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  3. Zone Alarm boards info by D3 · · Score: 5, Informative

    http://forums.zonealarm.org/zonelabs/board/message?board.id=Off-Topic&message.id=19903

    --
    Do really dense people warp space more than others?
  4. Re:Do ** NOT ** search Google for pifts.exe !! by drsmack1 · · Score: 5, Informative

    Don't just tell us about - report it! http://www.google.com/safebrowsing/report_badware/

    --

    Humor from a Genetically Molested Mind

  5. Re:Rootkit? by Henk+Poley · · Score: 5, Informative

    Somebody traced the execution, and linked it here:

    http://www.reddit.com/r/reddit.com/comments/83hjr/symantec_covering_up_the_piftsexe_file_and/c0857t5

    Furthermore 4chan's /b/ seems to have a field day with this. Norton discussion boards appear very slow.

  6. Re:Strings in PIFTS.exe by vadim_t · · Score: 5, Informative

    Some interesting things in there:

    Software\Symantec\InstalledApps
    \PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}
    Norton Internet Security
    SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine
    SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\HbEngine

    This seems to point to that at the very least it's not some random virus that managed to sneak into the installer, it's either an actual Norton program that does something fishy Norton doesn't want to admit, or a Norton program that got infected with something. I wonder what's in those registry key.

    http://stats.norton.com/n/p?module=2667

    Interesting, it reports stats to Norton somewhere, perhaps?

    &product=%s&version=%s
    &e=%d.%d.%d.%d
    &e=-1
    &f=%d.%d.%d.%d
    &f=-1
    &g=%d
    &g=-1
    &h=%d
    &h=-1
    &i=1
    &i=0
    &j=%s

    This seems to pretty clearly point to that an URL for a GET request is created for some purpose.

    PifEng.dll

    So there's a .DLL too, did anybody post that one?

    %s %d-%d-%d %dh%dm%ds.log

    There may be a .log file somewhere, named with a timestamp

    The ping url is %s

    Something that might appear in the log file, perhaps? What is it pinging, and why?

    d:\perforce\entiredepot\consumer_crt\patchtools\patch021809db\release\PIFTS.pdb

    Looks like a path from the development computer that accidentally got into the binary. Names unfortunately don't seem to explain anything though.

  7. Nothing dangerous... by Manip · · Score: 5, Informative

    I have a copy of PIFTS.exe now and am examining it.

    Notes:
    1) It is small
    2) Internally it is a "patch tool" from patch "021809db"
    3) The Operating System function calls it makes are generally non-threatening
    4) It accesses the registry (Norton products) and does some kind of date based validation

    My guess is... It is an activation checker of some kind. It looks like it is pulling the registration information from the registry and checking it against file dates.

    It also seems to copy its self to the temp folder on execution although I'm not entirely sure as to why.

  8. Re:Strings in PIFTS.exe by vadim_t · · Score: 5, Informative

    Replying to myself,

    On reddit there's a link to a decompiled version.

    It seems to do pretty much what I guessed. However, there are various function calls scattered through the code, like "sub_4022C0();", which aren't in the decompiled code, and probably come from a DLL.

    So it looks like the .exe itself is just WinMain that calls the functions that do the real work, reports stats and does some logging. Whatever it actually does seems to be elsewhere.

  9. Re:Windows Users Beware... by daenris · · Score: 5, Informative

    Original submitter of the article here (wasn't logged in last night). Clever maybe, but not the case. I got the popup from Norton last night asking me to allow or block this executable's internet connection attempt. It was around 10 o'clock I believe. The inital few threads on Norton's forum were completely legitimate and no one was throwing around conspiracy and virus accusations. The problem started when Norton mods started deleting the threads, and blocking the people who posted them from creating more. About 1:30 I went to bed, having found nothing concrete. At that time there were a number of posts around the net, most notably the Zone Alarm forum (since Norton was deleting things). At that point the Norton boards weren't being raided by 4chan at all -- that happened sometime overnight/this morning.

    The file is real -- I can send you a copy if you'd like -- and appears to be part of some Norton update. Really the only problem here, and what triggered everything was that Norton was trying to delete any mention of it from their forums. As many others have pointed out, this leads me to believe that either the file is something Norton doesn't want in the open because they're tracking/doing something they don't want us to know about (tracking personal info, rootkit, whatever) or that somehow the Norton update was compromised and sent out a file that they're desperately trying to cover up/fix.

    I haven't disassembled the file, but I was looking at it in a hex editor last night when I noticed all the ascii "PADDINGXX" at the end of the file, which strikes me as odd and doesn't seem to have a readily available reason to be in a legitimate file. There's no more code after the PADDINGXX sections, so it seems to be there only to ensure that the executable is a specific size.

  10. Re:Windows Users Beware... by daenris · · Score: 5, Informative
    And the Washington Post has updated to include comments from Symantec

    Dave Cole, senior director of product management at Symantec, said the PIFTS file was part of a "diagnostics patch" shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.

    "We have to make sure before we migrate users to a new product that we can see what kind of load we can expect on our servers, and which customers are going to have to be moved up to the latest version of our product," Cole said.

    As to why Symantec has been deleting posts about this from their user forum, Cole said the company noticed that minutes after the update went out hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments.

    "We want to be out there in the community, but by the same token, if we see abuse we will shut it down pretty quickly," Cole said. "There was no attempt at secrecy here, but people were spamming the forum and making it unusable to everyone."

    In Symantec's defense, when I first heard about this earlier this morning, I noted privately to a couple of folks that some of the comments being left on the Symantec forum bore many of the hallmarks of "4Chan," (a.k.a. "anonymous"), a virtual community that thrives on playing practical jokes and causing trouble online. The summary about this incident posted to News-for-nerds site Slashdot this morning links to a key 4Chan forum.

    Of course, the problem with that justification for deletion being that 4chan spamming didn't start until sometime overnight or this morning. Hours earlier several completely legitimate question threads had been deleted with no explanation.