Slashdot Mirror
Norton Users Worried By PIFTS.exe, Stonewalling By Symantec
An anonymous reader writes that "[Monday] evening, on systems with Norton Internet Protection running, users began to see a popup warning about an executable named PIFTS.exe trying to access the internet. The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder. There were several posts about this to the Norton customer forums asking for help or information on this mysterious program. The initial thread received several thousand views and several pages of replies in a few short hours before being deleted. Several subsequent posts to the Norton forum were deleted much more quickly. These actions — whether actively covering up, or simply not well thought through — have spurred people to begin crafting conspiracy theories about the purposes of this PIFTS program. I for one am blocking the program until more information becomes available." The current top link on Google for "PIFTS.exe" links to one of these deleted questions on Norton's support boards, which sounds innocent enough: "I searched this forum but did not see PIFTS.exe. Any idea what this is?"
An application that exists in a folder not accessible by the underlying operating system? Sounds suspiciously like a rootkit to me. If so, then man, am I glad I gave up Norton years ago! I mean seriously, what is so hard to understand about the concept that hiding things like directories is a security risk? Have we learned nothing from Sony's stupidity?
Oh yeah, it's Norton (aka Symantec) we're talking about here. I guess not.
It's so easy for users to click through the installer or post-install pop-up window asking if you'd like to send anonymous* diagnostic info to the vendor to allow them to improve the quality of the product with future software updates based on the data.
Many default with the "Do not ask again" option checked, so once you click through...
(* however anonymous "anonymous" means. Just because they give you a button to look at the contents of the report doesn't means they showed you the headers or all of the data.)
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
How come you didn't mention the NSA's backdoor into NAV?
For shame, sir, for shame.
Sent from your iPad.
I posted a link to this slashdot article in the norton forums and it had close to 500 views in the 4 minutes that it existed. owned.
Specialization is for insects. -Heinlein
Reading TFA, the author noted a lot of padding in the suspect executable, presumably to have it match the filesize of something it's pretending to be.
The author then suggests with the rapid proliferation and Norton's screwy coverup in their forums, that the auto-updater may have sent out a virus/rootkit.
Perhaps Norton thought they could send out a patch to clean it up before anyone found out?
Nope. They can get malware. The difference is that an exploit doesn't need to take off in the wild for Linux to patch it, which is more than you can say for Microsoft.
I'm amazed at the kool-aid Microsoft has customers believing -- that it is actually a third party's responsibility to protect them from Microsoft's shoddy code.
Sorry if this comes across as rather elitist, but the all-encumbering anti-virus packages these days just seem so out of date. Norton has always sold itself on the basis it has every possible corner and hole of Windows plugged, checked, double-checked and clamped shut (that is...until your subscription ran out anyway)
Up until a few years ago, I would have really wanted that assurance...like there was a big Daddy Norton with a big fuck-off gun vigilantly checking all entrances; verifying all in & out; assuming guilt until proven innocent.
Thing is, as much as people here may dislike Vista, one thing I think no one will deny is that it's a version of Windows far more capable of taking care of itself; the effect being that AV really doesn't need to be the relentless and fearsome bouncer it was.
Gone are the days when you could "just write in the system32 dir" etc; nay, even programs not rubber-stamped with a certificate that don't need root access will raise an eyebrow in the shell in Vista/W7.
My point is, AV now is nothing more than a "These programs are bad" list. The leaky sieve that was Windows past is diminishing every, and heavy security like Norton is becoming less and less relevant (thank god)...and they know it. Good riddance I say.
throw new NoSignatureException();
I posted the following question on symantec's forum and it was deleted within 2 minutes: This afternoon for no apparent reason my computer launched a file under C:\documents and settings\all users\application data\symantec\liveupdate\downloads\Updt56\pifts.exe this exe then tried to connect to do a dns lookup. It seemed suspicious because if it was really part of my symantec product then why was it not recommended to allow this connection. I blocked the request then tried to delete the file but access was denied, I couldn't even open it in notepad to see what's inside. I restarted my computer and checked the location again but the directory was gone. Is this file a part of norton internet security or am I being attacked? Does symantec have any advice on this file as it seems to belong to symantec's product? That was not offensive and I have a official product, not some pirated copy. I deserve an answer because it's my pc their program is running on.
Tried to register at their forums with login 'pifts and got this:
Way to go Norton! We may have to rename Streisand effect to Norton effect pretty soon...
Or smarter... If they were forced to put the backdoor in, then gagged by the court, maybe one of the programmers "accidentally" made a mistake so that the existence was indirectly revealed.
Perhaps this is why pifts.exe is being bandied about. It's a perfect way to get people to get to sites that will infect them with a virus by using search engines to point the way.
Steve's Computer Service, Hobbs, NM
I'm not any good in assembly, but to me it seems as if PIFTS.exe both reads and writes to/from the registry and other files. It even appears to look out for debuggers (see line 8093). Other interesting addresses in the .asm-file:
34308: SWC00413C88__PIF__B8E1DD85_8582_4c61_B58F_2F:
34309: unicode '\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}',0000h
--
34370: SWC00413E78__60333AE5_B66E_4994_B15C_CA2D665:
34371: unicode '{60333AE5-B66E-4994-B15C-CA2D665CDC89}',0000h
--
34373: SWC00413EC8_systemState:
34374: unicode 'systemState',0000h
34375: SWC00413EE0_SOFTWARE_Symantec_PIF__B8E1DD85_:
34376: unicode 'SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine',0000h
--
34430: SWC00413FA0_http___stats_norton_com_n_p_modu:
34431: unicode 'http://stats.norton.com/n/p?module=2667',0000h (this looks very interesting!)
For those of us who have systems with patient study data, this is a Big Fucking Deal. Luckily, we have firewalls involved, but still...
Please help metamoderate.
Here's a dump of strings found in the pifts.exe on pastebin:
http://pastebin.com/m1e207a78
Interesting padding buffer right at the end? Spoofed length or just room to grow some internal resource?
There is an effort underway here http://chrysler5thavenue.blogspot.com/ to figure out exactly what the purpose of this villainous little program is.. You can download it here http://www.mediafire.com/?mnmh35b9d0k (BUT DON'T RUN IT). Right now all the theroes are tentative but we are leaning towards this being either symantec's cooperation with government on cyber spying, or a virus which was accidentally released after symantec themselves was infiltrated by middle eastern hackers (it calls home to north africa).
The difference is how linux gets rootkits. It nearly all cases I have seen it is due to poor security/vulnerabilities in a web/ftp,etc server. NOT from clicking on a random link / putting in a USB stick / just being on the internet. I personally haven't ever seen a Linux desktop with a virus. Windows spreads virus's in the same way AIDS spreads.
As of this writing, if you do a Google search for "PIFTS.exe" (like was noted in the above summary), the first several links will take you to compromised/attack vector sites.
Did /. just get social engineered?
(Yes, Offtopic to the posts above, but maybe this will have kept someone from getting a nasty surprise...)
"...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
Actually malware compatibility helps Microsoft sales. Around 80% of Windows sales are new PC's with Windows pre-installed. If Windows was properly secure and stable it wouldn't get hosed within 6 months and need wiping / reinstalling. Many people don't know how to do this so they either pay to get their Windows fixed, or assume they need a new PC.
On the "use another OS" point, I already do.....and I feel left out that I won't be able to experience this latest suspicious .exe. Sometimes I miss that fun.
Given the way Norton are running around trying to silence the reports I'd guess it is something they hoped they could slip in and nobody would notice, which in itself is a dodgy position for a company who's entire business is based on "trust us to protect your interests from dodgy .exe files". As a company who rely on the internet for customers (no internet? vastly reduced flow of malware) they really should know better than to assume they can silence a story like this by putting lots of staff on "deleting forum posts and replies" duty. Bloggers and sites like this one will be all over it, and like anything else, trying to cover it up will make you guilty to many observers who don't read the details or updates to the story.
Perhaps Norton have fallen for their own ego and have started to make assumptions on what they can get away with. How many people install Norton by choice? I'd bet most of their customers are new PC owners with shareware Norton which tells them after a while to "pay up or remove", and they don't know there are alternatives, let alone better and cheaper / free alternatives. Like AOL they'll have a high customer turnover as people gradually realize how bad their product is, and find (or be recommended) an alternative one. As long as there are plenty new chumps who are new to computers they will have new revenue to replace the disillusioned. When that starts to dry up, Norton are gonna be fucked, not unlike AOL.
Nod32 still borks the TCP stack by default, so I avoid that (what the hell it's even doing hooking into it is beyond me).
Avast is pretty good... you can switch the nag screen off.
FUD at it's best! This is what you get when your primary news source is 4chan.
The file is rather obviously (look at the strings/modules) a small update to the Symantec PIF Alert Engine. See PIFSvc.exe and PifEng.dll (which have been there for a while) for more information. From what I can tell, and I'm not a Symantec user, this is the part of the LiveUpdate componant, even if it wasn't binary analysis shows nothing untoward.
The real WTF is why are Norton deleting supports requests en-masse rather than simply sending out a press release.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
When I first saw this here, the first place I looked for additional information was the Internet Storm Center, where they eat this kind of stuff up. And sure enough, they even had a call from someone at Symantec saying that yes, this one is theirs.
Conspiracy theory or no (and it's looking more like no), there are two things that rescue this from dullsville:
In the comments on that SANS article, it's mentioned that yes, Symantec is deleting comments left and right, and meanwhile the talk is slowly wending its way onto the ZoneAlarm forums, which just goes to show that one man's misstep is another man's opportunity. And...
While the story behind the PIFTS file itself isn't terribly interesting, some unsavory rapscallion had noticed its popularity as a search term, and planted malware where people looking for information on it could stumble upon it. Fun stuff, eh? Look for malware information, and find it the hard way.
Google has already removed that link, but it might still be out there, just in case you use a different search engine. And there's no reason he/they won't try again on another site.
You cannot truly appreciate Dilbert until you read it in the original Klingon.
What I don't understand is that I got the PIFTS.EXE warning from McAfee, not Norton. I originally had an OEM Norton installation on my notebook PC, but immediately removed it, months ago, as our corporate standard is McAfee. But it seems that the removal was far from complete; on closer examination there's still a Norton process and service running, and apparently these triggered an update and the subsequent McAfee alert. So my question is, what is a Norton process doing on my computer, when I ran the default uninstall routine and it terminated normally?