Slashdot Mirror
Norton Users Worried By PIFTS.exe, Stonewalling By Symantec
An anonymous reader writes that "[Monday] evening, on systems with Norton Internet Protection running, users began to see a popup warning about an executable named PIFTS.exe trying to access the internet. The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder. There were several posts about this to the Norton customer forums asking for help or information on this mysterious program. The initial thread received several thousand views and several pages of replies in a few short hours before being deleted. Several subsequent posts to the Norton forum were deleted much more quickly. These actions — whether actively covering up, or simply not well thought through — have spurred people to begin crafting conspiracy theories about the purposes of this PIFTS program. I for one am blocking the program until more information becomes available." The current top link on Google for "PIFTS.exe" links to one of these deleted questions on Norton's support boards, which sounds innocent enough: "I searched this forum but did not see PIFTS.exe. Any idea what this is?"
An application that exists in a folder not accessible by the underlying operating system? Sounds suspiciously like a rootkit to me. If so, then man, am I glad I gave up Norton years ago! I mean seriously, what is so hard to understand about the concept that hiding things like directories is a security risk? Have we learned nothing from Sony's stupidity?
Oh yeah, it's Norton (aka Symantec) we're talking about here. I guess not.
We are here to protect you. You can trust us.
It's so easy for users to click through the installer or post-install pop-up window asking if you'd like to send anonymous* diagnostic info to the vendor to allow them to improve the quality of the product with future software updates based on the data.
Many default with the "Do not ask again" option checked, so once you click through...
(* however anonymous "anonymous" means. Just because they give you a button to look at the contents of the report doesn't means they showed you the headers or all of the data.)
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
"I searched this forum but did not see PIFTS.exe. Any idea what this is?" That's the sound a leaky firewall makes.
you could always use a system where you dont need norton.
How come you didn't mention the NSA's backdoor into NAV?
For shame, sir, for shame.
Sent from your iPad.
Let's begin the conspiracy theories:
Ping Internet For Time on Slashdot?
Don't worry about it. It's just the Privacy Invader From Team Symantec.
Possible
Information
For
Terrorist
Sleeper cells
Therefore...Norton* = Terrorist.
*the slashdot user "Em Emalb" does not seriously think Norton supports terrorism, in fact, if the pounding on his door is any indicator, neither does Nort...)&(^#%)*&#^ stoptazingmePeterNorton! OWWW! Sonofa...that thing stings bro.
Sent from your iPad.
I posted a link to this slashdot article in the norton forums and it had close to 500 views in the 4 minutes that it existed. owned.
Specialization is for insects. -Heinlein
Reading TFA, the author noted a lot of padding in the suspect executable, presumably to have it match the filesize of something it's pretending to be.
The author then suggests with the rapid proliferation and Norton's screwy coverup in their forums, that the auto-updater may have sent out a virus/rootkit.
Perhaps Norton thought they could send out a patch to clean it up before anyone found out?
P = Purposely
I = Introduced
F = File
T = Thieving
S = System
I am dumbfounded that someone who reads slashdot is stupid enough to have the home version of Norton on their computer. It is a complete POS and offers similar benefits to dragging an anchor behind your car.
And it is not exactly doing a great job of catching viruses either: http://mtc.sri.com/live_data/av_rankings/
Humor from a Genetically Molested Mind
PIFTS = Personal Internet Firewall Tracking Service?
That sounds a little too much like "James Bond" to me, mr anonymous poster. I think we should wait until someone disassembles it and looks at what it's doing.
Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
A long time ago i used to recommend Norton products. About 2002 / 03 you needed to use a special tool to remove their products in case they failed to operate. That was the point that hidden files kept screwing you up all the time. And they have looked back from that philosophy. I used to do a local radio show, and the phone calls were always " How do i fix this damn thing " Years of bad practices tell use one thing most of all. Stop using any norton product. They will never listen until they take a giant hit to their revenue. Maybe if they return to making real software, instead of spending all this time creating just another update cycle for a revenue stream, they will not change. Your time has a lot of value. Stop wasting it. Dump Norton.
If that's true, Symantec must be dumber than I thought if they provided a backdoor to a firewall that allows said firewall to warn the user.
'If Christ had tweeted the sermon on the mount, it might have lasted until nightfall.' - John Perry Barlow
Law of what country? Norton installs it even if you are outside USA? And what about other vendors? All US-based ones should have that backdoor?
How you can ever trust in windows security if even the security programs must have backdoors? How many time we should we wait till seeing malware taking advantage of all those backdoors to go around hidden from security programs?
Just switched from Norton to AVG this weekend. Pure coincidence. Honest. I had no advanced knowledge this was coming or anything. ;-)
Reason why there is hope for the future generation #364:
"I wish my grass was emo so it could cut itself."
The first one links to a blank page which will redirect in about 20 seconds to a malware site.
The second one is immediately flagged by Firefox as being a "Reported attack site".
This slashdot article is possibly a attack on the /. community.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Sorry if this comes across as rather elitist, but the all-encumbering anti-virus packages these days just seem so out of date. Norton has always sold itself on the basis it has every possible corner and hole of Windows plugged, checked, double-checked and clamped shut (that is...until your subscription ran out anyway)
Up until a few years ago, I would have really wanted that assurance...like there was a big Daddy Norton with a big fuck-off gun vigilantly checking all entrances; verifying all in & out; assuming guilt until proven innocent.
Thing is, as much as people here may dislike Vista, one thing I think no one will deny is that it's a version of Windows far more capable of taking care of itself; the effect being that AV really doesn't need to be the relentless and fearsome bouncer it was.
Gone are the days when you could "just write in the system32 dir" etc; nay, even programs not rubber-stamped with a certificate that don't need root access will raise an eyebrow in the shell in Vista/W7.
My point is, AV now is nothing more than a "These programs are bad" list. The leaky sieve that was Windows past is diminishing every, and heavy security like Norton is becoming less and less relevant (thank god)...and they know it. Good riddance I say.
throw new NoSignatureException();
Symantec, if you made a mistake, just admit it. Let people know and tell them about the issue, the controls you put into place to fix it and the mechanisms you enacted to ensure that it does not happen again. Mistakes happen, and people will understand, if you are honest and forthright. But, if you keep dodging the issue and there really was something there, you can rest assured it will come to light and then people really will be angry and question their trust. Do the right thing. Tell people what happened, right away!
Check out HoneyPoint, our tools for combatting the insider threat! http://www.microsolved.com/honeypoint/
http://forums.zonealarm.org/zonelabs/board/message?board.id=Off-Topic&message.id=19903
Do really dense people warp space more than others?
I posted the following question on symantec's forum and it was deleted within 2 minutes: This afternoon for no apparent reason my computer launched a file under C:\documents and settings\all users\application data\symantec\liveupdate\downloads\Updt56\pifts.exe this exe then tried to connect to do a dns lookup. It seemed suspicious because if it was really part of my symantec product then why was it not recommended to allow this connection. I blocked the request then tried to delete the file but access was denied, I couldn't even open it in notepad to see what's inside. I restarted my computer and checked the location again but the directory was gone. Is this file a part of norton internet security or am I being attacked? Does symantec have any advice on this file as it seems to belong to symantec's product? That was not offensive and I have a official product, not some pirated copy. I deserve an answer because it's my pc their program is running on.
Tried to register at their forums with login 'pifts and got this:
Way to go Norton! We may have to rename Streisand effect to Norton effect pretty soon...
I call shenanigans. This comment has all the earmarks of an urban legend. An anonymous post claiming to have insider knowledge from another anonymous post.
Why would a third party "security" product require a secret law-enforcement backdoor? The FBI, CIA, NSA, etc. would simply have Microsoft provide a backdoor into ALL of Windows. They wouldn't waste time with a commercial product that only some Windows users install. Why go that route when going the MS route would ensure a backdoor into all systems and not just a very small subset of systems?
CIPAV is not something added willy-nilly into commercial applications. It's basically an extremely well designed rootkit that the FBI, etc. targets against specific users & computers by tricking users into installing it. (social engineering, etc.)
PIFTS is the sound of their market share with the excellent way they are treating their customers.
I know I would be removing this from my machines.
"Because we are not employing at entry level, offshoring will kill our industry stone dead."
Or smarter... If they were forced to put the backdoor in, then gagged by the court, maybe one of the programmers "accidentally" made a mistake so that the existence was indirectly revealed.
Perhaps this is why pifts.exe is being bandied about. It's a perfect way to get people to get to sites that will infect them with a virus by using search engines to point the way.
Steve's Computer Service, Hobbs, NM
Maybe Norton's anti-virus is so good that even THEY can't get a virus past it? ;)
If only this was open source software. We could look and see what it is and what it is doing. In the closed software model you only even know it exists because it screwed up and told you.
What sort of response are you talking about?
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
I can think of a dozen unix/linux rootkits without even trying. Just because it's harder to install them, doesn't mean it's impossible. If you think you don't need to run any sort of security software (not Norton, of course, because they suck), then one day you're going to have a very very rude awakening.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I'm not any good in assembly, but to me it seems as if PIFTS.exe both reads and writes to/from the registry and other files. It even appears to look out for debuggers (see line 8093). Other interesting addresses in the .asm-file:
34308: SWC00413C88__PIF__B8E1DD85_8582_4c61_B58F_2F:
34309: unicode '\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}',0000h
--
34370: SWC00413E78__60333AE5_B66E_4994_B15C_CA2D665:
34371: unicode '{60333AE5-B66E-4994-B15C-CA2D665CDC89}',0000h
--
34373: SWC00413EC8_systemState:
34374: unicode 'systemState',0000h
34375: SWC00413EE0_SOFTWARE_Symantec_PIF__B8E1DD85_:
34376: unicode 'SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine',0000h
--
34430: SWC00413FA0_http___stats_norton_com_n_p_modu:
34431 unicode 'http://stats.norton.com/n/p?module=2667',0000h (this looks very interesting!)
The second that Linux gets above a 50% market, it will also be targeted by viruses, and anti-virus will then be a must for Linux.
So, unless we want that to happen: Keep quiet and enjoy your virus-free Linux.
and you are his _____. I first heard of Norton in the 80s, and his tools were a trusted commodity, but this latest episode means the "suits" have taken over and you can never trust the suits.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
I'm not any good in assembly, but to me it seems as if PIFTS.exe both reads and writes to/from the registry and other files. It even appears to look out for debuggers (see line 8093). Other interesting addresses in the .asm-file:
34308: SWC00413C88__PIF__B8E1DD85_8582_4c61_B58F_2F:
34309: unicode '\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}',0000h
--
34370: SWC00413E78__60333AE5_B66E_4994_B15C_CA2D665:
34371: unicode '{60333AE5-B66E-4994-B15C-CA2D665CDC89}',0000h
--
34373: SWC00413EC8_systemState:
34374: unicode 'systemState',0000h
34375: SWC00413EE0_SOFTWARE_Symantec_PIF__B8E1DD85_:
34376: unicode 'SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine',0000h
--
34430: SWC00413FA0_http___stats_norton_com_n_p_modu:
34431: unicode 'http://stats.norton.com/n/p?module=2667',0000h (this looks very interesting!)
People still use Norton? Why on earth would anyone do that?
Mod this up guys! A lot of links seem to be redirects to malware sites containing FakeAV etc..
Don't just tell us about - report it! http://www.google.com/safebrowsing/report_badware/
Humor from a Genetically Molested Mind
For those of us who have systems with patient study data, this is a Big Fucking Deal. Luckily, we have firewalls involved, but still...
Please help metamoderate.
No it's not it's silently collecting stats. Check out: http://stats.norton.com/n/p?module=2667&product=NSW&version=200.10.0.109&e=1.4.5.91&f=1.4.5.91&g=0&h=2&i=0&j=1.4.5.91
Give it bad input, and you will see that it's just a Tomcat server that takes REST URIs.
Be warned, it looks like some scareware sites are trying to exploit the situation.
Check out the first couple of sites on the Google results: hillhaven.com.au and 2009031004.peziueued.xorg.pl. Both of those run classic scareware scams to get you to try and run and install something onto your machine.
'If Christ had tweeted the sermon on the mount, it might have lasted until nightfall.' - John Perry Barlow
"inside info from a friend that works there" is not a source any more than "I know a guy who knows a guy" is a source. I'm sure you could name this friend and tell us where he works. Oh, but wait, let me guess - *THEY* might get him, right?
I am scientifically inaccurate.
PIFTS.asm can be downloaded here: http://www.mytting-ikt.no/PIFTS.asm
Here's a dump of strings found in the pifts.exe on pastebin:
http://pastebin.com/m1e207a78
Interesting padding buffer right at the end? Spoofed length or just room to grow some internal resource?
There is an effort underway here http://chrysler5thavenue.blogspot.com/ to figure out exactly what the purpose of this villainous little program is.. You can download it here http://www.mediafire.com/?mnmh35b9d0k (BUT DON'T RUN IT). Right now all the theroes are tentative but we are leaning towards this being either symantec's cooperation with government on cyber spying, or a virus which was accidentally released after symantec themselves was infiltrated by middle eastern hackers (it calls home to north africa).
Here are the strings: http://pastebin.com/m1e207a78
Wow, you managed to uninstall Norton A/V in less than 48 hours????
Oh, yawners. People, please don't believe the troll and think for two seconds before posting angry rants about the gubmint. Much easier to get this sort of thing inserted at Redmond.
[FUCK BETA]
More information can be found at http://chrysler5thavenue.blogspot.com/2009/03/piftsexe.html. There's a lot interesting comments on there as well.
It seems that it sends data to http://stats.norton.com/n/p?module=xxxx where xxxx is an integer. http://stats.norton.com/n/ requests auth from a tomcat server, for "statistics" Just thought this was a bit odd. Perhaps they have a nice web interface to aid in their world takeover.
This is not a viral sig. Copy it at your peril.
Law enforcement from where? A lot of us don't live in the USA, so they have no legal right to install bullshit like that on our computers... (not that I think they do anyhow without a warrant)
It's a clue for you to stop using a platform where you must run anti-virus software and to finally switch to something better and come to the 21 century of computing.
I've been using Linux not quite as long as some, but probably longer than most. Quite probably longer than someone, like the parent poster, who has a Slashdot user ID five times larger than mine, especially since I lurked on Slashdot for a few years before getting an account. For me, Linux has been my primary computing platform for over 15 years, and, before then, it was Unix, or, prior to that, one of the DEC predecessors leading back to the early 80s. I have used machines running ITS, one of the first timesharing systems, when they were still contemporary.
That said, I'm tired of this dribble. Unix (in the industrial versions) had / has nearly no viruses or malware because there were very few people using it in total numbers. There was and continues to be little to be gained by writing a virus for these systems: no press coverage, no botnet of millions of computers. It doesn't pay. It isn't worth the effort. Same for Linux: the market is still too small. Same used to be true for MacOS, but that's starting to change as it increases in popularity.
Contrast this with Windows boxes that are so ubiquitous that a half-talented virus writer has a decent chance of getting their malware into hardened sites like the Pentagon through social vectors (eg, an absent-minded worker who uses a USB key on both home and work computers by mistake).
Linux has no viruses because the market is too small. To think that it is immune to attack from malware is naive at best, and, more probably, self-deceptive. If Linux starts to enjoy 10, 20 or 30 percent market share, we will see Linux-targeted malware become a common nuisance. We already see Firefox-specific browser exploits (but for Windows boxes). FOSS isn't somehow magically immune from nuisance teenage activity or out-and-out criminal intent.
So, please, enough of the holier-than-thou attitude.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
Check to see if Digg and Reddit are counting diggs and ummm reds? accurately. (I think they're not) Check to see if it makes the front page on any major site, then is quickly sidelined. Most importantly DO WHAT NERDS DO BEST and dissasemble this thing as soon as possible! You'll be looking to see what it's looking for and who and how it sends it.
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
Perfectly Innocent Firewall Testing System
I know a guy who knows someone who dated the sister of someone at symantec, and lets just say, they're going to team up with Starbucks To Begin Sinister 'Phase Two' Of Operation
how many desktop linux users have virus's? As said previously it is nearly poor security/setup in a webserver that allows you to get root'd.
Well done... you've switched from the 2nd worst anti virus scanner, to possibly the WORST antivirus scanner. I just hope to God it isn't the free version which is worse than useless. AVG has the worst detection rate of any AV product.
Why don't people read reviews before buying software? I won't post any links to specific reviews, because someone will say I've cherry picked the source of the review, so just google it. I think you'll find that AVG (especially the free edition) usually comes LAST and things like NOD32 and Kapersky usually come out top (of these two, I personally prefer NOD32 as it seems to have an extremely low impact on system performance).
Strings is available from sysinternals. If you ask me, it's cute and funny when MS-Bashers put their foot in their mouths before doing any research to back up their snide comments.
Not saying that GP is not a hoax, but...
Why go that route when going the MS route would ensure a backdoor into all systems and not just a very small subset of systems?
Because Microsoft probably has more money and lawyers to throw around than the FBI etc.? Antivirus companies are smaller and therefore probably easier to bully around.
As of this writing, if you do a Google search for "PIFTS.exe" (like was noted in the above summary), the first several links will take you to compromised/attack vector sites.
Did /. just get social engineered?
(Yes, Offtopic to the posts above, but maybe this will have kept someone from getting a nasty surprise...)
"...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
Not saying it's true, but the most obvious reason I can think of would be so that law enforcement can write root kits that act like known viruses without Norton flagging them.
Rules of Conduct:
#1 - The DM is always right.
#2 - If the DM is wrong, see rule #1
Is people still seriously running anything Norton or Symantec in their computer as means of "protection"?
I thought it was common knowledge that their "programs" are complete and utter crap.
Ubuntu is an African word meaning 'I can't configure Debian'
Get this through your thick skull: It doesn't take admin level holes to do damage. A dumb user is a dumb user, regardless of OS, and a good chunk of malware does only normal application level calls.
Somebody traced the execution, and linked it here: http://www.reddit.com/r/reddit.com/comments/83hjr/symantec_covering_up_the_piftsexe_file_and/c0857t5 [reddit.com]
Got that from a reply in the first thread. I can not guarantee its accuracy though
One smart programmer != one smart company.
'If Christ had tweeted the sermon on the mount, it might have lasted until nightfall.' - John Perry Barlow
when the last norton app i installed got full control of the computer OVER me back in 1990s, i swore not to let name 'norton' or 'symantec' anywhere near my computer again. i never regretted that decision. and i saw a number of friends suffer from not taking the same decision later on.
you get what you pay for. it seems that you paid for a rootkit from a bastardly company that doesnt 'reduce' itself to customers' level to inform them what their software is actually doing, and you got it. enjoy.
Read radical news here
I always second the NOD32 idea - easy to administer, you hardly notice it's there until it catches something. I guess you never know what your antivirus misses, but it always tests well and at least it's not making things worse!
AVAST antivirus... free to home users... use it... its better than nothing... and waaaay better than NOD32 or AVG...
Pay no heed to the rootkit behind the curtain!
Love, Symantec
I've read a lot of reviews (Gizmo freeware, for example) : http://www.techsupportalert.com/best-free-anti-virus-software.htm which don't support this view.
Kaspersky seems to not have won out too well recently too.
Can you post a link to back up your argument?
Conversion Rate Optimisation French / English consultant
I'll look at NOD32 then. I ditched AVG for Avast, but since I only use windows for gaming (one game, actually) it's far too annoying when that goddamn nag screen pops up nightly, ripping me out of guild wars to tell me that I can pay for the nag to go away and get extra email protection. *eyeroll*
I logged into my box as root, did a 'find / -name PIFTS.exe -exec ls -l {} \;' and got no results back, which means my Linux box apparently isn't vulnerable to whatever exploit that file makes possible.
I did similar from my 'nix partition for my 'doze partition which does have Symantec AV, but pifts / PIFTS etc don't exist. My guess is a lot of people got third-party rootkits, and they think Norton did it just because it's in Symantec's folder and polls Symantec. Could be an attempt to DDOS and smear Symantec. Of course Symantec isn't helping with the deletions. Given the time of day, it's probably Indian customer service managing the forum deletions, and overreacting.
I've submitted the file to ThreatExpert, and the report is available here: http://www.threatexpert.com/report.aspx?md5=91b564d825a3487ae5b5fafe57260810
It appears as if this is a statistical reporting tool, given the URLs to which it calls home. All in all, it seems reasonably innocuous -- even if Symantec's response to it is unnecessarily heavy-handed.
The Freelance Wizard
But surely posting this on /. is a bit like putting another padlock on fort knocks as surely no one in here would even think of using Norton (Unless we are talking classic motor bikes obviously).
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
I have a copy of PIFTS.exe now and am examining it.
Notes:
1) It is small
2) Internally it is a "patch tool" from patch "021809db"
3) The Operating System function calls it makes are generally non-threatening
4) It accesses the registry (Norton products) and does some kind of date based validation
My guess is... It is an activation checker of some kind. It looks like it is pulling the registration information from the registry and checking it against file dates.
It also seems to copy its self to the temp folder on execution although I'm not entirely sure as to why.
I won't disagree that NOD32 is an excellent scanner... but AVG is certainly not "the worst". I don't know where you get your data from, but at http://www.av-comparatives.org/seiten/home.html (follow Comparatives, then On-demand to get to the chart) you can see that AVG got 94.3% detection. Avast was slightly better than that at 97.3%. NOD32, interestingly enough, got a 93.0% detection. I'm not saying AVG or Avast is better, but with that information you can't say it's "the worst" either.
I've had far better experiences with AVG and Avast on my machines, as well as my customer's computers, than McAfee (84.4%) or Trend, for example. I've only experienced 1 virus in the recent past (a rootkit, no less) that was not cleanable by AVG/Avast... had to do that manually. On that machine, the virus got in past McAfee... for what it's worth.
Anyway, so with the data above... what's your reference for saying that AVG is "the worst"?
> Linux has no viruses because the market is too small
Well, even assuming this is the only reason (a bit questionable due to the situation with web servers), exploits usually are not particularly portable. And since each distribution compiles their own version, Linux reaching 50% market share actually might _not_ be enough, but what you would need might actually be a _single version_ of a _single distribution_ reaching 50%, which is far less likely.
Avast! has no nag screen that pops you out of game, though it does have an irritating talking box that pops into the lower right corner to tell you when it updates the VDB or software... fortunately it just takes about 10 seconds and then you're done.
Try not to take me more seriously than I take myself.
You know there's a setting to make it check for full screen applications before popping up any notices right?
Also, if you register it, the nags go away. It does require you to give them an email address but I've never gotten any other mail from them.
Nothing to see here
Just waiting for Norton to pop up and say.... "Dear Honorable Sir or madam I am writing to you from Norton Nigerias headquarters. Please advise you have been awarded Nortons prize fund of one million thousand dollers please enter your account details below to receive funds in due course."
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
Why would a third party "security" product require a secret law-enforcement backdoor? The FBI, CIA, NSA, etc. would simply have Microsoft provide a backdoor into ALL of Windows.
One thing I can think of is emulated systems where people run Windows software on non-Windows environments. I'm not sure how good it would actually be, but that would be my first thought as to why to go in to the security products.
If the environment is good enough to run a Windows products, it'll run the flaws most likely. Someone might have the bright idea of putting an AV in it.
People have done and been successful sometimes in doing crazier things.
The other thing is maybe the stuff in the security products is providing other features the stuff in the main OS isn't.
~~ Behold the flying cow with a rail gun! ~~
I've seen so many of the posts on the "Symantec sucks" theme. Okay, if it does, then what tools do you recommend in an established Windows shop where moving to open source is not currently an option (a manufacturing shop where the production machines were coded by their manufacturers to run only on Windows)?
I use irony whenever I can, but my shirts are still wrinkled...
If that is all, it sounds quite benign for going through the whole effort of hiding it so well.
You wouldn't believe how many computers I've had to do virus cleanups on, that were "protected" by AVG. I always replace it with Avast, and they never have any problems after that.
Serious? Seriousness is well above my pay grade.
Make a .job (scheduled command) to open your command prompt a minute from the time you create it. After it opens, crash explorer.exe and then restart it from the command prompt; you're now logged in as System. You should have access to that file. You can access everything as System. Does this work for you? Either that or boot a live CD and run 'strings' over the file... anything interesting there?
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
> Can you post a link to back up your argument?
Yes, but I won't for the reason I already said.
I HATE the fact that AVG incorporates something called LinkScanner which scans websites you've not even visited yet for potential threats. The side effects of this are that it messes up your web stats and causes fake 'clicks' on pay per click adverts! This practice should be illegal in my opinion. On one particular day, I noticed that AVG LinkScanner was causing 96% of the traffic to my webserver but I had no way of blocking it as it uses a standard user-agent string. AVG have apparently partially removed this feature now thankfully, but I still wouldn't touch their product with a barge-pole. The only thing in their favour, is that when I rang them up to tell them about the linkscanner problem, a human answered straight away and they seemed genuinely concerned and were quite proactive at trying to help me alleviate the symptoms on my webserver.
Someone also brought me a computer to fix which had 8 separate pieces of spyware and two viruses on it. The computer was running AVG Free Edition 8.0 and was fully up to date. With this experience, I don't need a review and pretty pictures to tell me AVG is shit thanks...
The Norton Forums are now offline.
http://skitch.com/ecrist/b8t5e/forum-maintenance
Maybe Norton's anti-virus is so good that even THEY can't get a virus past it? ;)
You owe me one keyboard and monitor mine now has coffee all over it.
"The stupid neither forgive nor forget; the naive forgive and forget; the wise forgive but do not forget." -Thomas Szasz
This is why we need additional mod options. I have points, but there's no option for "Interesting, if it's true" or "thanks for the info, but since there's no way to validate, caveat reader."
It's really easy to get bullshit modded up because of the number of people who say "I didn't know that, thanks". How many of the +4 so far are "+1 because it's true" vs. "It's news to me"?
For windows it gets a little easier, specially on pre UAC ones, you just need to plug in a virused USB flash drive and booya, you got a filthy virus... ... or a vulnerability in well, just about anything - since they all run in root-
It is perfectly possible to have a Linux/free/open/bsd/os/x system compromised but things in their design make it unlikely. It is also less likely that you would be a victim of a target-less attack - the sort of thing that makes even home windows users require an AV - But it is still possible to get attacked by someone that specifically wants to access YOUR system. To protect of this you require tools and also a set of security procedures, but most likely avoiding a) exploits. And b) giving access to users without good care of their permissions. An enterprise level Linux setup or a server must for example avoid rushing into major version changes and to always keep to date in regards to security updates.
If you run ubuntu/fedora/suse/etc at home, setting a firewall would not hurt, try firestarter.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Two things:
A question Linux users do not have to care about.
I dumped M$ operating systems years ago due to this same reason, among others. Many windoz programs are wired to "call home" with your personal data. Even the Windows OS phones home when you are not looking, or at least is designed to. I circumvent this by either locking my firewall or unplugging the cat5 connection when running windoz, and doing all my internet work from within Linux.
This programmed-in behavior might be benign, but I still don't trust the corporate mentality to design products this way.
Although Linux is not the silver bullet of perfect safety and security, it is light years ahead of the M$ software solution in this regard. I am not a complete Linux fanboy, but believe boycotting M$ is the right choice for those that believe that computing should equal freedom and not being pwned by the dark corporate overlords.
The Mac, BSD, Linux all offer an alternative to M$ lock-in. I run Debian Lenny as a GUI desktop full time, it's every bit as good as XP. Have also been working on a FreeBSD install, but after 3 weekends, still don't have a working desktop. It looks promising but a newbie would have given up after an hour.
"Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
...trolling Slashdot subscriber...
Isn't that redundant?
"The stupid neither forgive nor forget; the naive forgive and forget; the wise forgive but do not forget." -Thomas Szasz
Mac OS X already has 10% market share, but still there is not a single one virus for it.
Malware that requires social engineering to get deployed does not really count. No platform is immune from stupid user.
As the island of our knowledge grows, so does the shore of our ignorance.
http://pcdserver.shacknet.nu/Downloads/PIFTS.txt Is the dump of what happens when I disassemble it back to code. Has some interesting imports: +++++++++++++++++++ IMPORTED FUNCTIONS ++++++++++++++++++ Number of Imported Modules = 8 (decimal) Import Module 001: KERNEL32.dll Import Module 002: USER32.dll Import Module 003: ADVAPI32.dll Import Module 004: ole32.dll Import Module 005: SHELL32.dll Import Module 006: OLEAUT32.dll Import Module 007: VERSION.dll Import Module 008: WININET.dll as well as some other interesting information, check it out maybe someone can tell me from this what its trying to do.
Market share is not a strong algorithm. Aka IE6 not anymore has 99% of the market share, yet it still holds the 99% of the server attacks. There's about a 9% of non-windows OS marketshare yet still 99.99% of the viruses target it, odd?
A virus that just waits the user to execute it and then dumps his /home folder is possible in the *n*x* crowd, but the real problem are, and have always been rootkits. The real threat are viruses that are not noticeable and just install themselves on the OS while attempting to infect other hosts, without this there are is no large scale crisis of OS.
Still, lack of a market share dominance is a good advantage, hence we should probably push for a world in which no OS has an advantage as large as windows' it would reduce the worm threat greatly.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
ever try getting a response from the slashdot crew?
Ever had a thread deleted by the Slashdot crew?
Precisely.
-FL
Symantec Caught in Norton Rootkit Flap
"Symantec Corp. has admitted to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers..."
http://www.eweek.com/c/a/Security/Symantec-Caught-in-Norton-Rootkit-Flap/
Nod32 still borks the TCP stack by default, so I avoid that (what the hell it's even doing hooking into it is beyond me).
Avast is pretty good... you can switch the nag screen off.
I'm sure it's pretty profitable, in some way, to infect web hosts and the like. A majority of web hosts run Linux. Therefore Linux is already a target. A pretty big one, if you ask me.
So please explain to me why they're going to target desktops instead of servers.
Yes, a dumb user is a dumb user, but you must agree: it's much harder to mess up riding a tricycle than a bicycle. They're both vulnerable to flipping over but it happens that tricycles have safety measures built-in to prevent many things from happening while riding.
Really? The very second? I didn't realize that 50% is some sort of magic virus number that you have to pass before you get viruses. So to solve the problem of viruses, all we have to do is make sure that no operating system has over 50% market share? Brilliant!
Unix systems (including Linux) have been one of the primary targets for viruses and trojans for years. This is because they run so many servers, and tend to run on big iron, in big companies, those machines are very tasty targets. Oh, and because a virus can target many platforms since Unix systems are very similar.
The reality is that Linux is not target by the bzillions of dumbass trojans that assume the user is running as an administrator and will install anything so long as it has a dancing hamster or something. Most Unix systems are virtually immune to those types of things. Vista is now too (mostly) so really, their days are numbered.
Market share only really affects trojans, which are not as much of a problem for Linux. So I say: bring it on.
Well thanks!
But now find me a free antivirus scanner I can legally use in a non-profit work environment that also has an active scanner?
AVG and Comodo are really the only two, and if you've tried Comodo's new nonsense (or tried to uninstall it), you'd realize its much worse than AVG as far as usability goes. I had to reinstall windows cause it borked it so bad.
1. Most reviews on the Internet are pure crap. Either they are shills, paid and/or unpaid, or they are lifted from and/or linked from other sites related to whatever site you happen to be on at the moment. Search for reviews, and you will find many that are verbatim the same. Either site ops snarf them from wherever to fluff their lame pages, or people mass post, pasting the same thing in over and over. Niiice. I know, there are reputable sources for reviews. At least until they get found out either taking favors for favorables, or being lazy and reviewing products a month before release.
2. I ditched Norton last year at home - all gone. The first time in at least 19 years, I think, that I haven't had a Norton product on at least one of my machines. AVG is doing at least as well, which is to say that if my wife didn't click on those IQ tests and 'vote now' links, my machines would be free of nasties. A pox on their souls.
Picking a review site is my least favorite task. Hate it.
Oh, and I use my Linux boxen to browse 'questionable' sites. Seems they don't get infected. Or, if I'm really scared, my phone. hehe, let them attack that. The G1 Steel browser doesn't seem to get infected either if I set the agent to 'Desktop'. harrr.....
deleting the extra space after periods so i can stay relevant, yeah.
Great to see that at least one blog I emailed last night picked up on this bullshit. Pretty much everyone else has beat me to the punch as far as what it does. Good job to everyone else.
Disable the HTTP scanning module (which is recommended anyway on webservers). I think it hooks into the TCP stack it so it can scan things which will never be written to disk as they enter your PC - eg javascript files used by webpages etc. You don't really need that module for it to work effectively though.
So this story on Slashdot was a hoax? http://apple.slashdot.org/article.pl?sid=07/11/01/1855259
The truth is that all men having power ought to be mistrusted. James Madison
FUD at it's best! This is what you get when your primary news source is 4chan.
The file is rather obviously (look at the strings/modules) a small update to the Symantec PIF Alert Engine. See PIFSvc.exe and PifEng.dll (which have been there for a while) for more information. From what I can tell, and I'm not a Symantec user, this is the part of the LiveUpdate componant, even if it wasn't binary analysis shows nothing untoward.
The real WTF is why are Norton deleting supports requests en-masse rather than simply sending out a press release.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
Wrong.
OS X is now up to anywhere between 8% and 15% market share, depending which statistics you want to believe, and it has started to become a target. The magic number certainly isn't at 50%, probably more like 20%.
Assorted stuff I do sometimes: Lemuria.org
Seemed like Symantec was one of the better AV/Security developers for windows for a long time, but recently - within the last 6 months or so - they seem to have just tanked in terms of credibility.
First it was them getting rid of customer services and now it's ignoring virii and security vulnerabilities.
Fun times.
Ave Molech Setting
Thanks for your reply.
As I think you know, one single solution isn't going to cut it. Probably it's best to trial web scans, other products and specificially targetted spyware / trojan detectors alongside specific products, and to watch the market carefully.
You also can't tell (unless of course you ran a full scan with AVG) whether the user proactively scanned using the product, or just failed to understand that on-access scanning is one link in the chain of security.
As for link scanner, I totally agree. An utter crock of shit.
Conversion Rate Optimisation French / English consultant
I fucking just LOVE it when people post "information" which is not backed up by any source or link or anything.
http://www.virusbtn.com/news/2008/09_02
Here are the latest results I could find. Note that AVG is NOT the worst by far. The free version only suffers in it's lack of detection for malware but the GP did not say the the free version was installed. Now Avira comes out smelling like a rose in these tests so of course they are recommended but AVG is also very good.
Actually, last time I installed AVG that was turned off by default.
/ yet another smug, uninfected Linux user.
I just hope to God it isn't the free version [....]Why don't people read reviews before buying software?
I think you answered your own question, there :P Of course it is the free version, which explains why the reviews wasn't important.
Anyway, how does one "hope to God"? I am not a religious man, but I though the procedure was to pray to God and then hope.
Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
Because detection rate is not the one and only criteria. The conversation was more about footprint on the system than how many things it is able to detect.
"But this one goes to 11!"
It's an expression, which occurs on over a million pages in Google. But you're right... I only used it because I've heard it so many times and I've never actually realised that it doesn't make sense :)
Avast! has no nag screen that pops you out of game, though it does have an irritating talking box that pops into the lower right corner to tell you when it updates the VDB or software... fortunately it just takes about 10 seconds and then you're done.
You can turn that off (program settings/update(basic)/details/silent).
As the parent points out, just as soon as Linux reaches an appreciable market share it will be getting administered by users who don't know, or don't care, about security. Once this happens it won't matter even in the slightest how secure, or not, Linux is in comparison to Windows. There will be viruses and there will be infections. The inescapable thing that all operating systems have in common guarantees this; the weak point in the security between the seat and keyboard.
If Linux developers ignore this fact they'll be ensuring the inevitable is even messier than it needs be. Fortunately, I don't think most are that blinded by complacency.
Just to make sure my last post gave the right impression - I was also pointing out the same thing. rootkits/virus's do exist - it is servers that are targeted - generally as they hold important information (linux servers are widespread also..) and they are infected by a vulnerability in the webserver rather than in the OS. Linux desktop users are pretty safe due to both the design and the low usage. Also the amount of different versions of libraries, etc in each of the 100's of distribution would make it harder to target. The worst security flaw I have seen in Linux was the splice (root access for normal user) bug. My home setup is pretty secure - I run iptables rules which blocks all outgoing/incoming traffic except certain ports, I also connect through a Linux ipcop firewall/gateway with snort enabled. No need for Norton here ..
I totally agree. It's possible they have an overzealous forum team? It's possible they're embarassed by this "anonymous usage tool", and making a bigger deal out of it then anyone would have had they been honest? Maybe they plan to use it to shut off pirated copies of Norton and don't want to tip off the pirates?
Regardless of what it actually is, the fact that they didn't make the right forum response demonstrates at best substantialy unprofessionalism. And, quite likely, some sort of cover up.
As Already pointed out, this is a strategy the "bad guys" are using to distribute malware more effectively. They have managed to exploit Google's page rankings to elevate their malware distribution pages to the top results for currently popular search terms. I experienced this recently through one of my users -- they had searched Google for new regarding the asteroid that passed close to Earth recently.
The exploit sites seem to be harmless if your browser is even remotely secure. For example, a patched IE7 with FDCC configuration is OK until you click something, at which point you get prompted to run/save "install.exe" or whatever they are pushing.
I was scared to test IE7 with the default config. :-/
Firefox with NoScript turns their pages into very boring text with links that go nowhere.
The domain for these malware sites seems to be "*.xorg.pl"
I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
Which is weird if true, because I am running the Corporate version from the University where I work, and I have not noticed the pifs.exe file on any of my machines yet. i assumed this was a non-corporate version problem only. So has anyone out there running the corp version noticed this file on their systems? I am running Symantec Antivirus Corporate ver 10.1.6.6000.
"But this one goes to 11!"
You don't have to pay for it; by "registering" it, he means to go to their web site and give them your e-mail address. I downloaded it, registered it (for free), and I haven't gotten any e-mails from them either. If you don't want to give them your e-mail address, just give them a mailinator address. The only "nag" screens I get are the ones that tell me that the virus database has been updated, and I could disable them if I wanted to.
Macs are high profile, why are there no real world viruses for them?
LAMP easily accounts for 50% of websites, where's the huge attacks against it?
You're modded insightful, and I know why, but that doesn't make you RIGHT.
I've been using Linux not quite as long as some, but probably longer than most. Quite probably longer than someone, like the parent poster, who has a Slashdot user ID five times larger than mine, especially since I lurked on Slashdot for a few years before getting an account. For me, Linux has been my primary computing platform for over 15 years, and, before then, it was Unix, or, prior to that, one of the DEC predecessors leading back to the early 80s. I have used machines running ITS, one of the first timesharing systems, when they were still contemporary.
...
So, please, enough of the holier-than-thou attitude.
Yes. Enough, please...
Wrong. As another response points out, with linux's extremely high penetration in the server market, where servers tend to have a ton more bandwidth (and confidential data, for that matter), linux should be the primary target for viruses.
But for various reasons (non-mono-culture, in addition to better default security in the OS *and* most apps written for it) the best way found so far to hijack linux machines is attempting to crack common username+password combinations.
If you have any linux box with SSH open to the internet, you should know that these password attacks happen non-stop, all day every day. On every linux box I've admined. So the demand is obviously there, but the OS and the security culture around the OS is making it much more difficult.
Of course there's also a large difference between attacking desktops and servers, since desktop attacks often require user interaction, and server attacks have to be automated. But it's still easy to think back and notice a trend in even automated exploits on windows servers, where there haven't been (successful?) exploits on linux boxes.
Essentially, linux is secure enough that the only successful method of attack so far has been the user-stupidity point-of-entry, bad passwords.
Two of the biggest reasons linux has proved so (relatively) impermiable are the lack of a software mono-culture, and the existence of an easy target in Windows.
Even when Windows Server has had a smaller share of the server market, it's still been targeted by numerous (successful) automated attacks.
(and just to repeat the obvious, no OS is impossible to write viruses for or otherwise exploit, and I'm sure there are viruses for every OS out there. The real question is how many successful large scale attacks have there been on each - and successful large scale attacks have as much to do with monoculture and time-to-patch as any internal OS security policies)
(also it looks like my slashdot ID is lower than yours, do I win the EPEEN contest?)
So, what do you recommend as an alternative? Certainly Norton is poop, and Kaspersky's product makes my system slow as molasses. I sure hope I can get some Linux running on this system, and bypass the whole issue again.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Avast is the only AV software I know of with an interface shittier than the new one in AVG.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
When you use proprietary software, you don't really know what's happening on your system.
If somebody happened to notice a suspicious process on a Linux box, it'd have been the question of 15 minutes to figure out what package the file belongs to, get the source, take a look at it, and find out what it does and why is it there.
Instead what we have here a mess with some people coming up with conspiracy theories, Norton refusing to acknowledge the issue, and people trying to figure out what this thing does by looking at the output of strings without much success so far.
Things are much easier when source is available.
When I first saw this here, the first place I looked for additional information was the Internet Storm Center, where they eat this kind of stuff up. And sure enough, they even had a call from someone at Symantec saying that yes, this one is theirs.
Conspiracy theory or no (and it's looking more like no), there are two things that rescue this from dullsville:
In the comments on that SANS article, it's mentioned that yes, Symantec is deleting comments left and right, and meanwhile the talk is slowly wending its way onto the ZoneAlarm forums, which just goes to show that one man's misstep is another man's opportunity. And...
While the story behind the PIFTS file itself isn't terribly interesting, some unsavory rapscallion had noticed its popularity as a search term, and planted malware where people looking for information on it could stumble upon it. Fun stuff, eh? Look for malware information, and find it the hard way.
Google has already removed that link, but it might still be out there, just in case you use a different search engine. And there's no reason he/they won't try again on another site.
You cannot truly appreciate Dilbert until you read it in the original Klingon.
It isn't worth the effort. . . Linux has no viruses because the market is too small.
Sure I agree this is a factor, but dosn't the fact that unix-like OSes have a well-integrated and enforced system of permissions and trust have at least something to do with it?
I, at least, tend to think it is a both/and situation: the combination of the difficulty of writing something that can effectively compromise linux systems coupled with the low pay-off for the effort gives us our current state of having (practically) zero linux malware in the wild.
Of course there are other factors that can be mentioned too, like the typical Linux user's being more computer-savvy than the average Windows user, making them less open to techniques reliying on social engeneering. But still one has to ask whether part of this isn't built in to the system--Linux requires a user to have a certain level of knowlegability (e.g., knowing how to use svn and make) and jump thorough certain hoops (setting execute permissions) to do certain things that might be dangerous while making it trivial and safe to do common things (e.g., installing a package from a trusted repository) The last example is a nice highlight on the point: Installing from an official repo is easier than installing from a non-trusted 3rd party repo where again you need to have a certain level of know-how and think about what you are doing. This is very different from the windows model where installing directly from third parties is the typical way to install software and where it is always the user's job to determine who to trust.
I'm not being a fanboi (I know it has vulnerabilities, and I know the lack of market share is a huge factor), I just think there is something to calling Linux more secure than just the marketshare.
Mod points: Guaranteed to remove your sense of humor.
Side effects may include gullibility and temporary retardation
IANAP (I am not a priest) but I would imagine one would "hope to God" by thinking/saying/communicating to God "Gee God, I really hope [fill in the blank] happens/doesn't happen."
DISCLAIMER: I am not a religions person by any means, and was just making an educated guess. Offer only good at participating stores. Limit one per customer. Your mileage may vary.
"But this one goes to 11!"
or 2
Pentagon Information File Transfer System
Pentagon Initial File Transfer Study
(Captcha: "detector")
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
I don't have a web site, so how is it going to mess up my web stats?
Illegal, because someone decided to use clicks as their measurement? Why not make a better technology that doesn't suck so bad, instead of legislating?
No, and that is exactly what I'm saying. That is not a virus (something that propagates itself without user intervention).
Something that requires social engineering (lure of porn in this case) to get the user to run it is something else altogether. And like I said there is no way to protect any platform from the user who chooses to download malware and run it.
As the island of our knowledge grows, so does the shore of our ignorance.
I used to recommend NOD32 but not anymore, given these tactics. Tried it and confirmed it for myself that they were doing this. I use Avast on my Windows box, and although it uses more resources than NOD32, it's not nearly so much more as to be a deal-breaker. And the actual level of protection seems to be about the same -- mind you, I make these observations after trying both on various computers over a period of three years.
I dream of a better world... one in which chickens can cross roads without their motives being questioned.
Just make sure that signature doesn't get added to the AV vendors lists. Much simpler than an out in the open executable. And if you want to build in a rootkit, it's much easier to build in a subtle root exploit (remember that single equals with obscure race conditions that was found in Linux a while back?).
[FUCK BETA]
Yes I heard it has gotten better over years but I still see computer after computer crippled by their bloated software. It wouldn't surprise me if it was a rootkit of some sort which was used in older versions of Systemworks.
I got rid of Norton after I saw such a huge hit I was taking on startup time and hard drive access time. If you check comparatives on anti-virus products you'll find many offer the same or better protection without the performance hit.
Personally I have been very happy with Nod32 by ESET. Its startup is slower on my personal vs. work machine and I had to have it exclude some areas for false positives but overall it has been very efficient.
"They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" Franklin
I think it's pretty obvious that I meant it messes up the web stats of the websites you're visiting, not of your own websites. Which if you don't own any websites, you probably don't care. But you will care when you realise how slow it's making your Internet connection as it goes off and downloads the first page of every site that linked to from the page you're currently looking at, just in case you click it. That uses a LOT of extra bandwidth and seriously slows down your browsing experience.
And I have a friend that works there that claims that not to be true. He also claims that Santa Claus is the CEO of Symantec
See how easy it is to refute any information from "an anonymous friend of an anonymous friend", and also how easy it is to put ridiculous FUD in at the same time? Why should we believe you anymore than anyone should believe my post?
"But this one goes to 11!"
Exactly how many fucking many processes does Norton need to have running at one time???
/* No Comment */
No, it will be targeted by TROJANS. Any system can be trojaned, only Windows can get a virus.
Free Martian Whores!
Securing a computer is a process completely independent of what operating system the machine is running. Security is not a product, a piece of software, or something you can buy off a shelf. it is an ongoing, never ending strategy. The second you start confusing operating systems and software packages for security you are sunk. The same principles apply to every computer no matter what it is running. Sure the OS can help to predict the probability of security problems, but that has nothing to do with actually securing it.
"But this one goes to 11!"
Symantec Corporation
20330 Stevens Creek Blvd. Cupertino, CA 95014
tel +1 408 517 8000
fax +1 408 253 3968
Make their lines so busy they don't have a choice but to answer us.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
I'd be pissed if the feds came knocking because my AV software 'clicked' on a link to kiddie porn, hate-speech, or some other UnRightThinking site.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
Hmm, spend my time finding a review site I trust, or several sites which seem to agree (which to me is like the problem of the man with two watches - because they don't agree, he never knows what time it is)
/. collective by reading all the replies to my post.
... which I can confirm with a sample of 2 out of 2 machines being "clear" according to NAV, and infected and cured according to AVG.
OR
Harness the power of the
Granted, that doesn't always work - since not every post attracts a useful cross-section of opinions, but I now know what products I should go look at if I decide that AVG isn't cutting it.
It's definitely a step up from Norton in terms of detection rate
Reason why there is hope for the future generation #364:
"I wish my grass was emo so it could cut itself."
Really? Care to provide some kind of source for this? The only thing resembling a virus that I've seen infect an OS X machine was a macro virus targeting - you guessed it - MS Office. Not OS X.
Deepak: PIFTS means Public Internet and File Tracking System So your grand fathers computer might be vulnerable to intrusions. Deepak: Yes you are correct. we need to check the Norton Settings on the computer and we do have a Virus removal team who can help in detecting that Intrusion manually and help in removing it completely. Deepak: If you wish I can transfer you to them right now and they will tell you how to remove it manually and then we can help in configuring the Norton Program Mr. T H: So it is a virus? Deepak: No it is not a Virus It is an Intrusion. Which tries to hack that computer Deepak: No Sir It is not related to Symantec
That is refering to a free virus removal tool given out for free by Kaspersky. That's not even an active scanning engine.
/. hates it but I find the Enterprise version really good. I'd never run their current home version though.
Personally Kaspersky was one of the best I've ran. But currently I'm running McAfee, *gasp* I know, everyone one on
I'd be pissed also. Why they hell are they tracking where people click? Especially up to the point where you haven't yet bought anything from said site.
You'd only have use a zombie attack once to make that method of law enforcement invalid. New business model for botfarm owners -- hitting "bad" sites to disguise legitimate IPs.
There is a school up here in Saskatchewan, Canada that uses Red Hat on on their machines. A few years ago they got hit by a virus that propagated through the entire network and knocked the whole thing out. Granted, it was probably a virus written for Red Hat specifially, but Linux does have virus's.
It will run just fine under WINE, it just takes a few adjustments in the configuration.
"But this one goes to 11!"
Would you mind sharing the names of these rootkits, as I am thinking about running linux and would love a heads up for reading up purposes.
Groovy. That's a plus. :)
I'll check it out after work. Thanks to both of you. :)
Does it cache these pages it downloads? Because if it does, that would generally speed up my browsing experience. Instead of waiting for me to finish reading the current page and click on something from there, it's already loading it while I read? So every time I follow a link it's already in the cache and comes up instantly? Count me in!
If the masses can keep you down, you're not the Ubermensch.
There is 1 issue with your compairison. And that is we are talking about desktop computers not servers (I would bet there are more Windows desktops in the world than Linux servers). Your average user isn't going to setup a server in their room. The OP is correct the day you have the normal user in Linux the issues will happen because guess what the normal user isn't an admin. They will install things or download things they should not because they don't know any better. I've never had any issues with any of my windows systems but I'm not the average user so I don't download weird stuff and I keep my system up to date.
Anymore baseless FUD you want to spread by conjecturing about things with absolutely no proof, or just this one for now?
"But this one goes to 11!"
By then, people might be running VM's within VM's to avoid this kind of ... stuff.
Or perhaps, there will be 5 different lightweight sandboxes like Plash, with each sandbox scanning for attempts to exploit known vulnerabilities of the other sandboxes (this wouldn't prevent some people from getting owned, but it would expose malware quicker).
Symantec has responded - see this article:
http://voices.washingtonpost.com/securityfix/2009/03/symantec_users_complain_of_mys.html
The adobe flaws are, TTBOMK, cross platform, so it's not exactly "sit there and wait for it".
It's easy to modify ~/.bashrc or ~/.profile, start a perl script that does network access. There's a nice portable bit of malware right there. It can scan local files for e-mail addresses and send those out, change config files so that it's a proxy for web traffic. If there's binary too, it sets up LD_PRELOAD so it's in all new user processes. It doesn't have to be destructive, it can be part of a spam net or a bot net.
Nothing there that requires admin, nothing there that standard *nix security will prevent.
More likely, the virus was written specifically for that school's particular network and that school's particular computers. And like Windows viruses, the virus in question was probably written for a single security hole. However, unlike Windows, (and you all know what I'm about to say)... the security hole was probably due to bad network administration.
I've found Linux to be secure out-of-the-box, barring user incompetence. Dictionary-word root password, with SSH on the default port? Might as well be asking to be hacked.
Explain that to people who have their laptops seized at the border and have been arrested for child porn for images that were in their browser's cache directory. The user may have never even seen those images if their browser decided to 'helpfully' preload linked pages and images for speed, or if a site dymanically loaded the image (web 2.0, I'm talking about you), or if their AV software did it.
Authoritarian measures 'for the children' always stomp on rationality.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
Cant you just run an antivirus scan on PIFTS.exe to see if it is in fact a virus? I mean, Norton antivirus is already installed!
Please do tell us more. Was this in the news? Did someone you know work there, or did someone's kid go to school there? I would definitely like to know more about a virus written specifically for RedHat that could take down an entire network, especially when it only happens in Saskatchewan.
Something that requires social engineering (lure of porn in this case) to get the user to run it is something else altogether. And like I said there is no way to protect any platform from the user who chooses to download malware and run it.
Apart from, say, performing on-access scanning for known threats and alerting the user that the file they've just downloaded is in fact malware. Which is precisely what Norton AntiVirus is supposed to do.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I've a little insight relevant to this situation you might like to know before you superglue your tinfoil hats on.
First, let me clearly state that I do not work for Symantec, I have worked for 'security' software for companies that will not be named. (This is my opinion, not theirs.) And no, I have not hacked the programs to identify exactly what that file does.
Root kit? You're dealing with powerful software that wants to be able to interrupt the actions of malware. As such, they tend to run in Ring 0, and hide certain parts of themselves so they can't be easily targeted by malware. The 'invisibility' to the user is just a side effect.
Why keep it secret? Very simply, the malware writers aren't all that talented (most, not all) and can't program their crap to disable what they don't know about. Yes, safety through secrecy. An old idea that is officially shunned by most modern security experts, but still widely used because it works when it's kept secret.
Forum Deletions? Yeah, that may be part of the trying to keep it secret, but somebody really screwed up there. Everybody should know by now that deleting posts will only piss off the users and cause an instant internet sensation, kind of like this, the exact opposite of what they probably wanted. Besides, deleting other peoples valid and non-offensive posts is rude.
Proper response? Kinda hard to second guess, but I would have suggested an honest yet vague answer.
"That file belongs to (software whatever), and I can not discuss it's functionality in this forum. The alert was unintentional and we are currently working to resolve that situation, please keep checking for updates."
No lies, all facts, nothing important given away to malware writers. Something like this would have made this entire event a non-issue, just another bump in evolving software. As to the update being worked on, yeah, that's a given. They are always working on updates, especially when something blows up in their face.
Oh yes, one more small thing. That file may keep disappearing because it may only have a transient existence. Some programs are only removed from archive and dropped on the drive under specific non-continuous situations, after which, they are deleted. One example of this is how some software does it's live updates. So just because the file isn't there when you go looking for it doesn't mean as much as some people seem to think...
...one thing I think no one will deny is that it's a version of Windows far more capable of taking care of itself...
How is asking the user to "cancel or allow" taking care of itself? All they have done is let the helpless newborn of XP grow into a continuously wailing baby.
Dancing hamster? Where can I get!?!?
The file appears to be entirely non-malicious, and related to Norton's security product. It's build date of Thursday March 5th, suggests it has only just been created. PIFTS attempts to connect to a webserver (stats.norton.com), passing information such as installed product information, version number, and a series of other non-obvious parameters. Some of this information it extracts from the Windows registry. The file PIFTS.EXE is about 100k in size, so it would take some time to analyse in detail. However, we feel fairly comfortable in debunking the internet rumours claiming that PIFTS might be a rootkit or government-sponsored backdoor to spy on the masses. We think it's more likely that Symantec's programmers simply forgot to properly tag the file as having permissions to perform its functions. Indeed, a private communication from a Symantec employee reassured us that the problem was more likely to be an error by one of their staff than a sinister plot against its users. We understand that an official statement from Symantec will be available soon. Our guess is that PIFTS is some kind of feedback component designed to gather statistics about Symantec's products, or an auto-update component. If we find out any more we'll let you know.
I am using their software, this isn't happening to me, I have no problems with it.
I am not surprised at all either.
But seriously, how can an antivirus software company be fascist? I don't think that word means what you think it means. Norton != a government.
Main Entry: fascism
Pronunciation: \fa-shi-zm also fa-si-\
Function: noun
Etymology: Italian fascismo, from fascio bundle, fasces, group, from Latin fascis bundle & fasces fasces
Date: 1921
1 : a political philosophy, movement, or regime (as that of the Fascisti) that exalts nation and often race above the individual and that stands for a centralized autocratic government headed by a dictatorial leader, severe economic and social regimentation, and forcible suppression of opposition
2: a tendency toward or actual exercise of strong autocratic or dictatorial control
"But this one goes to 11!"
Symantec has a post on their forums here explaining the situation. They claim that it was an erroneously unsigned update that caused the problem, and the erasure of forum posts was due to spamming of the forum.
You aren't supposed to use AVG Free in *any* work environment, even non-profit. Copy and paste from http://free.avg.com/download-avg-anti-virus-free-edition
Licensing details
* AVG Anti-Virus Free Edition is for private, non-commercial, single computer use only. The use of AVG Free within any organization or for commercial purposes is prohibited.
Redundancy is good And also good.
Ok, I gotta go Devil's Advocate on you here. While they're not as prevalent, there certainly *are* quite a number of Windows web servers, also connected to fat pipes. Are they often botnet drones?
I'm thinking that web servers, due to their function and the skill level of the people administering them, are less likely to get infected and infections that do happen are far more obvious (because they'll dramatically change the bandwidth usage stats). So, it may not be particularly telling that Linux webservers aren't prone to botnet viruses.
Don't you wish your girlfriend was a geek like me?
Says that the patch went out unsigned, then 200 user accounts were created in a short span of time spamming the boards about the update.
http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119
Hah.
And here I always thought that you guys with low UID's actually knew a thing or two about computers.
Yeah, I agree with you. There's really two classes of attacks - social attacks ("click on this e-mail/executable/etc.") and automated attacks (open ports and similar vulnerable services).
For automated attacks, I would say that linux has proven to be much more resilient to attack for a number of reasons.
For social attacks, Windows has a huge share on the user-attackable desktop population. But Windows also makes attacks easier than they should be, with things like hiding extensions, autoplay, and a plethora of badly coded software that requires admin access when it shouldn't.
A lot of that software isn't necessarily bad either, it's just from a time before Windows had any pushback on that sort of thing (ie: Vista's UAC) That's the biggest reason that, given the same policy rules, a linux or mac user will hit a Sudo prompt far more infrequently than a Vista user hits UAC prompts.
I recall a number of php attacks, so yeah, there are attacks against it, especially since a lot of those sites aren't really well adminned.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
>... exploits usually are not particularly portable.
OK, but there has been at least one attempt at planting a portable back-door in the linux kernel: http://kerneltrap.org/node/1584
The good ole USA (and Australia, etc).
you had me at #!
Malware != virus. Worm != virus (your system needs a hole for a worm to get in, but once in it can replicate).
As I said, any OS can be trojaned, but many "viruses" are not viruses in the classical definition of the word.
Note that when they talk of Linux viruses they quote Symantic. Need I say more?
To steal a phrase from one of my professors back in the late 70s, "I've probably forgotten more than you've learned." By the time slashdot came online I'd been dealing with computers for almost two decades.
Free Martian Whores!
I have a friend who worked as a net admin there. I never heard about it on the news cause they worked all weekend to get it back up and running again.
I never asked about much of the details, but what he did tell me is that a virus got into one of the computer (most likely a server, I'm guessing) and spred to every machine. I'm also guessing it was a targetted attack, not a random thing, by one of the students. Wish I could tell ya more but that's all I asked about.
Except for the following:
a) The posts on the Norton forums were being deleted before 4chan got a hold of this,
b) Posts are being deleted on the Norton forums for mentioning the topic.
If it was a hoax, they would have come out with a statement already.
Not a Twitter sockpuppet... but I wish I was.
Damn them, giving me more work to do :(
I read their first sentence on the same page and figured that it meant it was ok for non-profits:
AVG Anti-Virus Free Edition is only available for single computer use for home and non commercial use.
Then besides Comodo, is there any free AV with an active scanner?
begin::apathy
/apathy
I'm sick of talking about this... who cares what it is? Potential Possibilities:
A). Malware--Another piece of malware on a windows system... who cares... they deserve it if they use windows (and by that I mean it's only a matter of time until they caught something else anyways)
B). Virus -- a yet unidentified virus etc. Once again, who cares, there are millions of these things out there.
C). Symantec Rootkit -- once again, who cares, people have got to be snorting something if you don't think feds have surveillance code in windows to start with... it's just one more group monitoring us; big deal.
Either way, I'm just tired of reading about it on all the websites I frequent and I'm looking forward to laughing about this later when someone does figure out which of the above it was (the solution to which also does not affect me).
The first post on the issue, made by a member identified as an employee, can be found here:
http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119&jump=true
It is reproduced below for the lazy:
---
Hi everyone,
Symantec released a diagnostic patch "PIFTS.exe" targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 - 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec "unsigned", which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.
There has been activity in the Norton User Forum related to PIFTS.exe which has generated additional concern and media speculation. At approximately 10:30pmET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals. One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec. Below are some examples of the forum spam we received from these new user accounts. These forum posts contained no text in the body of the message, simply a subject:
* O LAWD IM CHOKIN ON PIFTS PLZ HALP
* OH GOD YOU GOT CHOCOLATE IN MY PIFTS
* If you wanna be my NORTON/ you gotta deal with my P ! F T S . E X E
* IF PIFTS.EXE WAS HERE, THEN WHO WAS PHONE?
* PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE
* I LOVE MY PIFTS.EXE
Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts.
Finally, it has also been reported by the Washington Post that hackers are taking advantage of this situation. "Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them." When searching for information on "pifts.exe," Symantec strongly advises all users to be wary of following links to unknown sites as malicious users are attempting to use this hot topic to distribute malware.
Message Edited by davecole on 03-10-2009 12:45 PM
4
Kudos!
----
What I don't understand is that I got the PIFTS.EXE warning from McAfee, not Norton. I originally had an OEM Norton installation on my notebook PC, but immediately removed it, months ago, as our corporate standard is McAfee. But it seems that the removal was far from complete; on closer examination there's still a Norton process and service running, and apparently these triggered an update and the subsequent McAfee alert. So my question is, what is a Norton process doing on my computer, when I ran the default uninstall routine and it terminated normally?
Symantec has (finally) responded with a sticky on the forum from "davecole".
It's a statistical reporting tool that is normally included in patches, however due to an internal screwup, it was not signed. Because it was unsigned, the firewall looked at it quite skeptically.
They also attempt to explain their actions on the forum; from their description, it sounds like a typical Ebaums/YTMND raid. Their admin response was to carpet bomb the forums with bans and deletions indiscriminately. I don't think this is very professional of the admins; it reminds me of how Habbo responded back in the day. When you're the mouthpiece of a company that size, you should know that a overly aggressive response to a raid will do you more PR damage than just letting it go.
Legalize recreational marijuana. Seriously.
n/t
Yah. That would be why I specifically linked to the "Viruses" section.
I can honestly say that I don't doubt that at all.
I was under the impression that if you made the source code available then those creating the distribuitions would maintain the packages
Does this not apply to viruses too?
Ummm, hate to replay to myself, but how is this offtopic? he said he couldn't use Avast because you can't turn off the update messages, I said it IS possible, but I didn't have the link handy. Well here it is, just as I said, and for those that can't bother to click on a link the correct answer is-Right-click the Avast icon in the tray and select Program Settings. Then select Update (Basic) and uncheck the sliding box notifications and select Silent. You can also enter the time in minutes between update checks. I use 1440 (24 hours). So there you go.
ACs don't waste your time replying, your posts are never seen by me.
Or so they tell The Enquirer. Symantec update triggers firewall, many wounded Go fugure. :D
I have a black ban on installing anything from Synamtec (or Mcafee for that matter) on any computer that I own.
I use AVG for anti-virus and my router as a firewall.
Now if only I could find a way to stop windows from ever turning on the windows firewall.
What the fuck are you talking about?
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Tut, tut
This "Norton" thing is a symbiont like the thing that chick in deep space 9 had (i.e. you take it away and it kills you?), but it was also hiding behind the grassy knoll some time near the early 1960's?
and big brother is trying to root our kit so we cant post about the aliens, err weather baloon, we weren't meant to see?
hmmmm.... glad i dont use that "windows" thing...
No, someone only has to compromise one of the thousands (?) of libraries that are compiled verbatim into most versions.
Oh, you've used Linux for over 15 years, eh? What distribution were you using in 1993?
-josh
Avira is faster and better at catching virus.
For "uncleanable" infections, you should try a combination of IceSword and ComboFix.
I won't post anonymously. I am in the security field, and I have no current agreements with anyone which would preclude me from agreeing with the quote above.
In my opinion the quote above is not that far off base. It's not exactly a backdoor though, as federal law enforcement agencies do not need back doors to install ML or any number of other sprojans (spy trojans) on Windows machines. While I will absolutely not get into the specifics of how this dll works, I will say this:
Imagine a big honkin' SGI-O2-blue (the type of blue, not the type of machine) refrigerator in a rack, plugged directly into a core router on a big internet hub (or even a small one) and munching down every single packet it sees and analyzing them for routing and content. That's Carnivore.
Now imagine someone's brain beginning to work and realizing that really the most efficient way to see internet traffic is not to do deep-scans on the service provider side, but to instead do all that data harvesting locally on the physical node in question and sending the results periodically offshore (where all domestic spy material must stop first, by federal law) where they're combed through by any number of security people working for the man.
That second one is not Carnivore. It's a much, much more serious matter.
Interesting. A lot of those strings look like registry keys.
"I am an Adept of Tantric VAX."
I was under the impression that if you made the source code available then those creating the distribuitions would maintain the packages
Does this not apply to viruses too?
No. There are two main reasons for this.
1.) Virus writers hardly ever release their code if they really want to infect lots of machines.
2.) I don't think you'd find many distribution maintainers who will maintain virus packages (due to low demand, cost of bandwidth, and keeping a good reputation).
Probably the first OS X virus in the wild is from 2006:
* http://www.heise.de/newsticker/Virus-fuer-Mac-OS-X-aufgetaucht--/meldung/69677 (german, sorry)
* http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.htm
Then there was some malware released in 2007 and 2008:
* http://blogs.chron.com/techblog/archives/2007/10/mac_os_x_malware_targets_porn_surfers.html
* http://www.tuaw.com/2008/11/21/new-mac-os-x-malware-osx_lamzev-a/
And then there was something early this year where I can't find the link right now.
Assorted stuff I do sometimes: Lemuria.org
I love that the Google Adwords engine though to put an Ad for Symantec on the top of this page :)
"You love to go to the Planet-Arium"
Yeah, I had tried Combofix on this one virus, but it was entrenched into the safe-mode startup for windows as well... very weird. I couldn't get Combofix to let me at it, but it couldn't see the file (cloaking after activated, I imagine)... so I had to use a Linux boot disk to get at the file that way. Got it out finally, but it was a good one.
My story, as I fixed it, is posted here: http://www.spywareinfoforum.com/index.php?showtopic=120095&mode=threaded&pid=659165
Agreed - I found AVG to work well on lesser machines, and it was usually able to detect more than the outgoing virus checker (often McAfee), as it would always find things that shouldn't have been there (not just leftover reg keys either - exes and dlls). Of course, this is not something you can measure, so I can't show you documented proof anywhere about this... which is why I reference detection rate, as it's a metric (though, as I mentioned, it should be taken with a grain of salt.)
So, what better "review" can you point me to? Or, where is this review that says AVG is "the worst" Mr. OP?
The first rule of the Norton forums is that you don't talk about the PIFTS program.
Awesome, I've been looking for that feature and just hadn't come across it. Thanks.
Try not to take me more seriously than I take myself.
Just to switch entirely to Linux or OS X?
you had me at #!
Hello everyone,
I'm one of the administrators for the Norton Community Forums. First off, I would like to apologize for the removal of legitimate posts, and delayed response in acknowledging the PIFTS.exe issue. While the reason for merging like-posts in to a single thread was not intended to silence the voices of the users, we do understand that it ended up causing a lot of suspicions about the topic. We are sorry for the confusion that we have caused, and have developed new strategies to ensure this doesn't happen again.
We launched the beta of the Norton Community Forums in April 2008. We've been very transparent with many issues that have come up on the boards, and utilized this opportunity to have more open discussions with those who use our software. We have also been very lenient with posts. There are threads on the forums that are critical of our products and discuss non-Symantec scanning software recommended by other users, as well as other non-relevant 3rd party software. I'm not saying this to get a pat on the back, but to acknowledge that we encourage open and honest communication on our forums. We strive to be transparent and give our customers the best information as quickly as possible.
We've spent the past 2 days compiling all the information regarding PIFTS.exe and detailing what it does. We've also included information regarding the timeline of events that happened on the forums. To view this information, please visit this forum thread: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119
We also have a discussion thread for all things PIFTS.exe related at the following thread: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39123
Please read through the above two threads if you have any questions, as many questions have already been addressed (such as rumors that we sent personal information to our servers, rumors regarding sending information to Google, and other rumors that we were involved in a conspiracy or "cover up").
We welcome you to join in on the discussion if you have any concerns that need to be addressed.
Again, we're sorry for the mishap and all the confusion that this has caused.
Cheers,
Tim Lopez
Norton Forums Administrator
http://community.norton.com/