Slashdot Mirror

← Back to Stories (view on slashdot.org)

Norton Users Worried By PIFTS.exe, Stonewalling By Symantec

Posted by timothy on from the and-nobody-saw-me dept.

An anonymous reader writes that "[Monday] evening, on systems with Norton Internet Protection running, users began to see a popup warning about an executable named PIFTS.exe trying to access the internet. The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder. There were several posts about this to the Norton customer forums asking for help or information on this mysterious program. The initial thread received several thousand views and several pages of replies in a few short hours before being deleted. Several subsequent posts to the Norton forum were deleted much more quickly. These actions — whether actively covering up, or simply not well thought through — have spurred people to begin crafting conspiracy theories about the purposes of this PIFTS program. I for one am blocking the program until more information becomes available." The current top link on Google for "PIFTS.exe" links to one of these deleted questions on Norton's support boards, which sounds innocent enough: "I searched this forum but did not see PIFTS.exe. Any idea what this is?"

83 of 685 comments (clear)

  1. Rootkit? by KingSkippus · · Score: 5, Interesting

    The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder.

    An application that exists in a folder not accessible by the underlying operating system? Sounds suspiciously like a rootkit to me. If so, then man, am I glad I gave up Norton years ago! I mean seriously, what is so hard to understand about the concept that hiding things like directories is a security risk? Have we learned nothing from Sony's stupidity?

    Oh yeah, it's Norton (aka Symantec) we're talking about here. I guess not.

    1. Re:Rootkit? by fuzzyfuzzyfungus · · Score: 4, Funny

      Didn't you know? In order to reduce the cost of Norton subscriptions, every Norton install now runs a clandestine side business in gun-running and coke smuggling...

    2. Re:Rootkit? by Ethanol-fueled · · Score: 5, Funny

      *PIFTS*

      No, that's not the file. That's the noise I make in disgust everytime somebody tells me to install Norton.

      I'd rather download WINDOWSANTIVIRUS.jpg.exe from bittorrent. At least that will shut up every now and then after I pay the extortion fee.

    3. Re:Rootkit? by hAckz0r · · Score: 5, Insightful

      If it is a rootkit, having it evade a well know commercial virus scanner would be no real surprise. Most are still using signatures for finding sequences of *known* code, and a rootkit can pretty much lie and tell the virus scanner anything it wants as far as any bits of memory on the computer, code or data. Signatures are a failure, and any virus scanner that doesn't give that up and move on to a heuristic approach is doomed to failure too. Covering up the fact that you don't know what bits of code to look for is about all they can do right now. In a couple days they might get a copy of it, run it through IDA Pro, generate a signature, and finally push it out to all the infected PS's on the Internet. Its really a sad paradigm. The only sure fire way is to have the OS integrity itself to be self verifying but too many people are afraid of loosing control over their system to some type of DRM'ed OS. Or in having system failures that can't even be patched or changed due to draconian measures internal to the OS. There is a middle ground but so far no one is going there. This should be built in, not an add-on after market chewing gum and bailing wire solution like virus scanners are. Time for Microsoft and/or Symantec to buy a clue. Rootkit or not, Symantec needs to get their act together.

    4. Re:Rootkit? by Henk+Poley · · Score: 5, Informative

      Somebody traced the execution, and linked it here:

      http://www.reddit.com/r/reddit.com/comments/83hjr/symantec_covering_up_the_piftsexe_file_and/c0857t5

      Furthermore 4chan's /b/ seems to have a field day with this. Norton discussion boards appear very slow.

    5. Re:Rootkit? by m0i · · Score: 4, Informative

      Norton discussion boards appear very slow.

      You mean disabled after seeing that moderators can't keep up with the posts about PIFTS?

      --
      have you been defaced today?
    6. Re:Rootkit? by Anonymous Coward · · Score: 5, Funny

      FROST PIFTS!

    7. Re:Rootkit? by JWSmythe · · Score: 3, Insightful

          Oh, that would be hilarious ... if it wasn't true.

          People never quite understand that the government has the most to gain by making things illegal. Not only do they get fines and other penalties from those who are in that industry, but it allows them to keep the market value overinflated and they can squeeze out any other big players by simply leaking information on them to local law enforcement or other federal agencies.

          There's nothing like having a C130 loaded with guns or drugs (or both), and simply saying "You don't see this plane. It was never here." You only hear about the ones where the planes have crashed inconveniently in the wrong place, and the site wasn't able to be isolated before the news leaked.

          Really, it does give some control, and an acceptable covert budget. Things are going to be smuggled in anyways, why can't the gov't make a profit on it? :)

          Excuse me. There's a black van outside, and some nice man knocking on my door.

          Hello?

          [thud]

      --
      Serious? Seriousness is well above my pay grade.
    8. Re:Rootkit? by Beardo+the+Bearded · · Score: 3, Informative

      That's a good idea. Although this coding horror post is about a year old, it's a note on how much anti-virus software slows down your machine. Norton leads the pack with an amazing 46% slower boot, 20% slower CPU, and 2400% slower disk access time.

      Coding Horror: Choosing Anti-Anti-Virus software

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    9. Re:Rootkit? by mcgrew · · Score: 3, Insightful

      Have we learned nothing from Sony's stupidity?

      They never went bankrupt or even suffered a financial loss. Nobody got fired for it, nobody went to jail for it, so I'd say they did learn from XCP.

      They learned that placing rootkits on ordinary peoples' computers has no consequences whatever. Why not do it, particularly if you lack ethics or morals?

      --
      Free Martian Whores!
    10. Re:Rootkit? by HermMunster · · Score: 5, Insightful

      Peter Norton came from the mainframe world and created useful utilities for the end user of PCs and compatibles. He was a solid programmer and created a solid company. Symantec purchased him and his competition. We no longer have utilities designed by these companies.

      Instead we have a company using his name. That's it. There really is no Norton any more. It's barely even a brand.

      I tell people that when comparing the free antivirus utilities vs. the paid take the free, as long as they are of reputable means. The reason is that the antivirus side of things is pretty straight forward. Free does a very good job these days, and no matter how you look at it you always need a compliment of utilities anyway (e.g., Spybot S&D 1.6.2, Ad-Aware 2008 (the latest version is unstable), Windows Defender, and AV such as AVG 8).

      The paid commercial product has to compete with these free competent products (and I should know I use them to clean computers every day). When the paid commercial products are released they full of bloat and attempt to integrate themselves do deeply into the OS, so much so that they become the cure worse than the disease.

      Not only that the commercial products have tended over time to make customers paranoid. They need to to keep them purchasing their products. A realistic schedule for scanning, once you know your system is clean, along with continued updates for the OS, is all you need--you can be certain you don't need a paranoid schedule such as every day, every week or even every two weeks.

      The flip side is that if you get so relaxed about your security you won't do it at all.

      Stay away from Norton and McAfee. They are bulky, they are paranoid about their own customers constantly requiring verification of subscription just to get updates (McAfee anyone?).

      Stay away from the gimmick. Do you need that toolbar? The 3rd or 4th one in your IE, or even FF? If you don't understand what the toolbars are doing you shouldn't be installing them. What are they doing? They want you to log in, just like Google and Yahoo. They want to track you and your web pages for targeted ads. I'm not saying that Google and Yahoo are gimmick software used to bait you to install malware, but I am saying that there are plenty of them that do and they are taking their directions from the likes of Google and Yahoo. The more toolbars you have the more search engine choices you install. Choose one and stick to it. Stay away from anything that's a gimmick because it is bound to get you in trouble. Windows itself never pops up a dialog box saying to buy this or that software product. Those are fake. Downloading codecs from an innocent site can also get you in trouble and you should set your system to ensure that you don't automatically download codecs.

      The bottom line is that commercial software is bloated and creates paranoia, and for good reason--they die as a company if you don't resubscribe. The free products do just as good a job as the commercial. And you can't get away with just one product to defend your system anyway. It takes a compliment of them. Stay away from the gimmick. Uninstall your extraneous toolbars (or all of them for that matter). Your web browser is to browse pages not to be served ads or to be tracked by a product that you don't know is tracking you.

      --
      You can lead a man with reason but you can't make him think.
  2. Don't worry. by internerdj · · Score: 5, Funny

    We are here to protect you. You can trust us.

    1. Re:Don't worry. by datapharmer · · Score: 4, Funny

      Do not trust him. He is malfunctioning. I am the Shover robot, I am here to protect you from the terrible secret of Symantec.

      --
      Get a web developer
    2. Re:Don't worry. by PriceIke · · Score: 4, Funny

      Please go stand by the stairs so we can protect you.

      --
      It's not a lie. It's the truth with lossy compression.
  3. Probably just some anonymous report sender by Vandil+X · · Score: 4, Interesting

    It's so easy for users to click through the installer or post-install pop-up window asking if you'd like to send anonymous* diagnostic info to the vendor to allow them to improve the quality of the product with future software updates based on the data.

    Many default with the "Do not ask again" option checked, so once you click through...

    (* however anonymous "anonymous" means. Just because they give you a button to look at the contents of the report doesn't means they showed you the headers or all of the data.)

    --
    Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
    1. Re:Probably just some anonymous report sender by krunk7 · · Score: 3, Insightful

      If you don't trust them enough to show you everything they're sending back, then I'm left wondering why you'd trust them enough to install their software.

  4. use a better os by yossarianuk · · Score: 3, Insightful

    you could always use a system where you dont need norton.

    1. Re:use a better os by SatanicPuppy · · Score: 5, Insightful

      You should run a virus scanner, just to keep from accidentally forwarding viral crap to other people. Infected files and attachments, etc. And assuming you're safe is equally foolish. I run plenty of security software on my linux boxes.

      Norton, however, is a turd. Anyone who runs Norton gets what they deserve. It's like a parasite that eats cycles for no reason, and cannot be removed without killing the host.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  5. More conspiracy theories by Anonymous Coward · · Score: 5, Funny

    Let's begin the conspiracy theories:

    • Unlikely: They accidentally included a virus in an update. Maybe a virus that got out of control in their labs. Maybe a virus that some 1337z h4x0rz snuck into their system. But as I said, unlikely.
    • Unlikelier still: This program is a legitimate part of their product, but by mistake they included its signature in their database, or a signature of something else that has a hash collision with this program's hash.
    • Extremely unlikely: This is a top secret government program used to figure out who is NOT a national security threat, in order to expend trillions in government resources in doing all sorts of clandestine operations to collect terabytes of data on each of those individuals (again, the ones who have been determined as NON-threats). The ones who have been determined as threats will be placed into an "ignore" database, as collecting any information on those individuals might offend them and is therefore undesirable.
  6. Any publicity is good publicity by CopaceticOpus · · Score: 5, Funny

    Ping Internet For Time on Slashdot?

  7. not to worry by Anonymous Coward · · Score: 5, Funny

    Don't worry about it. It's just the Privacy Invader From Team Symantec.

  8. lulz by kunwon1 · · Score: 4, Interesting

    I posted a link to this slashdot article in the norton forums and it had close to 500 views in the 4 minutes that it existed. owned.

    --
    Specialization is for insects. -Heinlein
  9. Auto-update sent out a virus? by ukyoCE · · Score: 5, Interesting

    Reading TFA, the author noted a lot of padding in the suspect executable, presumably to have it match the filesize of something it's pretending to be.

    The author then suggests with the rapid proliferation and Norton's screwy coverup in their forums, that the auto-updater may have sent out a virus/rootkit.

    Perhaps Norton thought they could send out a patch to clean it up before anyone found out?

  10. PIFTS Obvious what it is by oztiks · · Score: 4, Funny

    P = Purposely
    I = Introduced
    F = File
    T = Thieving
    S = System

  11. Re:law enforcement back door by harmonise · · Score: 5, Insightful

    this is a backdoor that Symantec was forced to put in, similar to CIPAV. It is to be used by law enforcement and they are under court order not to reveal its existence. rootkit revealer will show you the entire directory.

    That sounds a little too much like "James Bond" to me, mr anonymous poster. I think we should wait until someone disassembles it and looks at what it's doing.

    --
    Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
  12. They used to get it. by rashanon · · Score: 5, Informative

    A long time ago i used to recommend Norton products. About 2002 / 03 you needed to use a special tool to remove their products in case they failed to operate. That was the point that hidden files kept screwing you up all the time. And they have looked back from that philosophy. I used to do a local radio show, and the phone calls were always " How do i fix this damn thing " Years of bad practices tell use one thing most of all. Stop using any norton product. They will never listen until they take a giant hit to their revenue. Maybe if they return to making real software, instead of spending all this time creating just another update cycle for a revenue stream, they will not change. Your time has a lot of value. Stop wasting it. Dump Norton.

  13. Re:law enforcement back door by krou · · Score: 3, Funny

    If that's true, Symantec must be dumber than I thought if they provided a backdoor to a firewall that allows said firewall to warn the user.

    --
    'If Christ had tweeted the sermon on the mount, it might have lasted until nightfall.' - John Perry Barlow
  14. Do ** NOT ** search Google for pifts.exe !! by AftanGustur · · Score: 5, Informative
    Two top Google results are to sites which will try to infect your PC with malware.

    The first one links to a blank page which will redirect in about 20 seconds to a malware site.

    The second one is immediately flagged by Firefox as being a "Reported attack site".

    This slashdot article is possibly a attack on the /. community.

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  15. Good riddance Norton by Toreo+asesino · · Score: 4, Interesting

    Sorry if this comes across as rather elitist, but the all-encumbering anti-virus packages these days just seem so out of date. Norton has always sold itself on the basis it has every possible corner and hole of Windows plugged, checked, double-checked and clamped shut (that is...until your subscription ran out anyway)

    Up until a few years ago, I would have really wanted that assurance...like there was a big Daddy Norton with a big fuck-off gun vigilantly checking all entrances; verifying all in & out; assuming guilt until proven innocent.

    Thing is, as much as people here may dislike Vista, one thing I think no one will deny is that it's a version of Windows far more capable of taking care of itself; the effect being that AV really doesn't need to be the relentless and fearsome bouncer it was.
    Gone are the days when you could "just write in the system32 dir" etc; nay, even programs not rubber-stamped with a certificate that don't need root access will raise an eyebrow in the shell in Vista/W7.

    My point is, AV now is nothing more than a "These programs are bad" list. The leaky sieve that was Windows past is diminishing every, and heavy security like Norton is becoming less and less relevant (thank god)...and they know it. Good riddance I say.

    --
    throw new NoSignatureException();
  16. Zone Alarm boards info by D3 · · Score: 5, Informative

    http://forums.zonealarm.org/zonelabs/board/message?board.id=Off-Topic&message.id=19903

    --
    Do really dense people warp space more than others?
  17. They would not answer my (a customer) question. by odeean · · Score: 5, Interesting

    I posted the following question on symantec's forum and it was deleted within 2 minutes: This afternoon for no apparent reason my computer launched a file under C:\documents and settings\all users\application data\symantec\liveupdate\downloads\Updt56\pifts.exe this exe then tried to connect to do a dns lookup. It seemed suspicious because if it was really part of my symantec product then why was it not recommended to allow this connection. I blocked the request then tried to delete the file but access was denied, I couldn't even open it in notepad to see what's inside. I restarted my computer and checked the location again but the directory was gone. Is this file a part of norton internet security or am I being attacked? Does symantec have any advice on this file as it seems to belong to symantec's product? That was not offensive and I have a official product, not some pirated copy. I deserve an answer because it's my pc their program is running on.

  18. pifts is "invalid content" on the forums by Anonymous Coward · · Score: 3, Interesting

    Tried to register at their forums with login 'pifts and got this:

    "That login contains invalid content. Please choose a different login that does not contain 'pifts'."

    Way to go Norton! We may have to rename Streisand effect to Norton effect pretty soon...

  19. Re:law enforcement back door by Iphtashu+Fitz · · Score: 5, Insightful

    I call shenanigans. This comment has all the earmarks of an urban legend. An anonymous post claiming to have insider knowledge from another anonymous post.

    Why would a third party "security" product require a secret law-enforcement backdoor? The FBI, CIA, NSA, etc. would simply have Microsoft provide a backdoor into ALL of Windows. They wouldn't waste time with a commercial product that only some Windows users install. Why go that route when going the MS route would ensure a backdoor into all systems and not just a very small subset of systems?

    CIPAV is not something added willy-nilly into commercial applications. It's basically an extremely well designed rootkit that the FBI, etc. targets against specific users & computers by tricking users into installing it. (social engineering, etc.)

  20. Re:law enforcement back door by eth1 · · Score: 4, Interesting

    Or smarter... If they were forced to put the backdoor in, then gagged by the court, maybe one of the programmers "accidentally" made a mistake so that the existence was indirectly revealed.

  21. Re:law enforcement back door by ukyoCE · · Score: 3, Funny

    Maybe Norton's anti-virus is so good that even THEY can't get a virus past it? ;)

  22. Re:pot! kettle! black! by timothy · · Score: 4, Funny

    What sort of response are you talking about?

    timothy

    --
    jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
  23. Re:Any idea what it is? by SatanicPuppy · · Score: 4, Insightful

    I can think of a dozen unix/linux rootkits without even trying. Just because it's harder to install them, doesn't mean it's impossible. If you think you don't need to run any sort of security software (not Norton, of course, because they suck), then one day you're going to have a very very rude awakening.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  24. Re:Any idea what it is? by trold · · Score: 5, Insightful

    The second that Linux gets above a 50% market, it will also be targeted by viruses, and anti-virus will then be a must for Linux.

    So, unless we want that to happen: Keep quiet and enjoy your virus-free Linux.

  25. Re:PIFTS.asm (sorry for the bad formatting) by MortenMW · · Score: 4, Interesting

    I'm not any good in assembly, but to me it seems as if PIFTS.exe both reads and writes to/from the registry and other files. It even appears to look out for debuggers (see line 8093). Other interesting addresses in the .asm-file:
    34308: SWC00413C88__PIF__B8E1DD85_8582_4c61_B58F_2F:
    34309: unicode '\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}',0000h
    --
    34370: SWC00413E78__60333AE5_B66E_4994_B15C_CA2D665:
    34371: unicode '{60333AE5-B66E-4994-B15C-CA2D665CDC89}',0000h
    --
    34373: SWC00413EC8_systemState:
    34374: unicode 'systemState',0000h
    34375: SWC00413EE0_SOFTWARE_Symantec_PIF__B8E1DD85_:
    34376: unicode 'SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine',0000h
    --
    34430: SWC00413FA0_http___stats_norton_com_n_p_modu:
    34431: unicode 'http://stats.norton.com/n/p?module=2667',0000h (this looks very interesting!)

  26. Re:Do ** NOT ** search Google for pifts.exe !! by drsmack1 · · Score: 5, Informative

    Don't just tell us about - report it! http://www.google.com/safebrowsing/report_badware/

    --

    Humor from a Genetically Molested Mind

  27. PIFTS.asm download by MortenMW · · Score: 4, Informative

    PIFTS.asm can be downloaded here: http://www.mytting-ikt.no/PIFTS.asm

  28. Strings in PIFTS.exe by Elphin · · Score: 5, Interesting

    Here's a dump of strings found in the pifts.exe on pastebin:

    http://pastebin.com/m1e207a78

    Interesting padding buffer right at the end? Spoofed length or just room to grow some internal resource?

    1. Re:Strings in PIFTS.exe by vadim_t · · Score: 5, Informative

      Some interesting things in there:

      Software\Symantec\InstalledApps
      \PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}
      Norton Internet Security
      SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine
      SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\HbEngine

      This seems to point to that at the very least it's not some random virus that managed to sneak into the installer, it's either an actual Norton program that does something fishy Norton doesn't want to admit, or a Norton program that got infected with something. I wonder what's in those registry key.

      http://stats.norton.com/n/p?module=2667

      Interesting, it reports stats to Norton somewhere, perhaps?

      &product=%s&version=%s
      &e=%d.%d.%d.%d
      &e=-1
      &f=%d.%d.%d.%d
      &f=-1
      &g=%d
      &g=-1
      &h=%d
      &h=-1
      &i=1
      &i=0
      &j=%s

      This seems to pretty clearly point to that an URL for a GET request is created for some purpose.

      PifEng.dll

      So there's a .DLL too, did anybody post that one?

      %s %d-%d-%d %dh%dm%ds.log

      There may be a .log file somewhere, named with a timestamp

      The ping url is %s

      Something that might appear in the log file, perhaps? What is it pinging, and why?

      d:\perforce\entiredepot\consumer_crt\patchtools\patch021809db\release\PIFTS.pdb

      Looks like a path from the development computer that accidentally got into the binary. Names unfortunately don't seem to explain anything though.

    2. Re:Strings in PIFTS.exe by vadim_t · · Score: 5, Informative

      Replying to myself,

      On reddit there's a link to a decompiled version.

      It seems to do pretty much what I guessed. However, there are various function calls scattered through the code, like "sub_4022C0();", which aren't in the decompiled code, and probably come from a DLL.

      So it looks like the .exe itself is just WinMain that calls the functions that do the real work, reports stats and does some logging. Whatever it actually does seems to be elsewhere.

    3. Re:Strings in PIFTS.exe by Excors · · Score: 4, Informative

      The PADDINGXXPADDING is just a standard artifact of the Visual C++ build process - there's a manifest XML string that's added to the .exe (for 'side-by-side' DLL dependency handling), and padding is added for some internal alignment requirements. (This article says the UpdateResource API is what adds that string). So it's nothing unusual or suspicious.

  29. An effort underway by Zexarious · · Score: 5, Interesting

    There is an effort underway here http://chrysler5thavenue.blogspot.com/ to figure out exactly what the purpose of this villainous little program is.. You can download it here http://www.mediafire.com/?mnmh35b9d0k (BUT DON'T RUN IT). Right now all the theroes are tentative but we are leaning towards this being either symantec's cooperation with government on cyber spying, or a virus which was accidentally released after symantec themselves was infiltrated by middle eastern hackers (it calls home to north africa).

    1. Re:An effort underway by krelian · · Score: 5, Funny

      Thanks for effort. I just hope you will have the time to do it while still following the other piece of news you have posted on your blog regarding the immediate annexation of Mexico by the U.S...

    2. Re:An effort underway by Incitatus · · Score: 5, Funny

      There is an effort underway here http://chrysler5thavenue.blogspot.com/

      The previous blog entry on this site is that the US is annexing Mexico. Looks like a reliable source to me.

  30. Weekend???? by Anonymous Coward · · Score: 5, Funny

    Wow, you managed to uninstall Norton A/V in less than 48 hours????

    1. Re:Weekend???? by SnarfQuest · · Score: 3, Informative

      After you did the Add/Remove Programs, how did you get rid of Norton Antivirus programs?

      If you believe that this actually removed them, then you are very, very wrong.

      --
      Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
  31. Re:Any idea what it is? by pz · · Score: 5, Insightful

    It's a clue for you to stop using a platform where you must run anti-virus software and to finally switch to something better and come to the 21 century of computing.

    I've been using Linux not quite as long as some, but probably longer than most. Quite probably longer than someone, like the parent poster, who has a Slashdot user ID five times larger than mine, especially since I lurked on Slashdot for a few years before getting an account. For me, Linux has been my primary computing platform for over 15 years, and, before then, it was Unix, or, prior to that, one of the DEC predecessors leading back to the early 80s. I have used machines running ITS, one of the first timesharing systems, when they were still contemporary.

    That said, I'm tired of this dribble. Unix (in the industrial versions) had / has nearly no viruses or malware because there were very few people using it in total numbers. There was and continues to be little to be gained by writing a virus for these systems: no press coverage, no botnet of millions of computers. It doesn't pay. It isn't worth the effort. Same for Linux: the market is still too small. Same used to be true for MacOS, but that's starting to change as it increases in popularity.

    Contrast this with Windows boxes that are so ubiquitous that a half-talented virus writer has a decent chance of getting their malware into hardened sites like the Pentagon through social vectors (eg, an absent-minded worker who uses a USB key on both home and work computers by mistake).

    Linux has no viruses because the market is too small. To think that it is immune to attack from malware is naive at best, and, more probably, self-deceptive. If Linux starts to enjoy 10, 20 or 30 percent market share, we will see Linux-targeted malware become a common nuisance. We already see Firefox-specific browser exploits (but for Windows boxes). FOSS isn't somehow magically immune from nuisance teenage activity or out-and-out criminal intent.

    So, please, enough of the holier-than-thou attitude.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
  32. PIFTS by meist3r · · Score: 4, Funny

    Perfectly Innocent Firewall Testing System

  33. Windows Users Beware... by capnkr · · Score: 5, Interesting

    As of this writing, if you do a Google search for "PIFTS.exe" (like was noted in the above summary), the first several links will take you to compromised/attack vector sites.

    Did /. just get social engineered?

    (Yes, Offtopic to the posts above, but maybe this will have kept someone from getting a nasty surprise...)

    --
    "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
    1. Re:Windows Users Beware... by commodore64_love · · Score: 3, Informative

      P.S.

      I should mention I was banned from the forum a few minutes ago - hence my anti-Norton Forum bias.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    2. Re:Windows Users Beware... by Crumplecorn · · Score: 5, Insightful

      Posting on Norton's forums is a fundamental human right?

    3. Re:Windows Users Beware... by capnkr · · Score: 5, Interesting

      That does seem to be the case.

      Maybe not just Slashdot, but the whole intertubes is getting socially engineered... ;)

      1) Crack the NAV update process, inject a timed release 'pifts.exe'.
      2) At the appointed time, firewall alerts get users to start massive concurrent searches on 'pifts.exe', and while Norton tries to figure out WTF is going on, they make the deadly mistake of censoring their forums to disguise their bafflement, which creates huge internets buzz on various security and tech related sites like here and Digg and ZA.
      3) Have your malware sites primed and ready to go, optimized for the expected Google results, creating a nice giant influx of "new users" for your botnets.
      4) Profit!!!

      Okay, just joking... Possible, but highly unlikely. It will be interesting to see what this story turns out to be all about. :)

      --
      "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
    4. Re:Windows Users Beware... by PIBM · · Score: 3, Insightful

      Well now if it's not what they did, they are certainly planning the next one!

    5. Re:Windows Users Beware... by agrounds · · Score: 5, Funny

      Strawman? False Dichotomy? Slippery Slope?

      Man... where do I even begin to explain how bizarre this leap of logic is? Not even Evel Knievel could make this jump.

    6. Re:Windows Users Beware... by Anonymous Coward · · Score: 5, Insightful

      Posting on Norton's forums is a fundamental human right?

      Welcome to Slashdot - you must be new here. Let me fill you in on how things work hereabouts.

      1. Free Speech applies to everything, all of the time, and you don't have to take responsibility for either your words or your actions, unless you are "Teh Man".

      2. The higher your UID, the more likely that you believe in 1. with religious fanaticism.

      3. Spelling and grammar don't count, no matter how poor.

      4. Neither do organization or coherence: You don't have to make sense, you just have to include enough buzzwords and generalities to sound good.

      5. Google is good.

      6. Apple is better.

      7. Information wants to be free as in beer, and you're entitled to everything for free.

      8. Copyright is an obsolete concept, unless you're referring to the GPL.

      9. Microsoft is always evil.

      10.Novell sold out.

      There you go! That's about all you need to know to fit in here. So, turn off your brain, spout a few platitudes, and bask in the warmth of the resulting karma.

    7. Re:Windows Users Beware... by Qzukk · · Score: 4, Interesting

      "Censorship" is done by governments

      Censorship is done by people who censor, and has nothing to do with government at all. The only connection it has to government is the prevailing belief that it's "bad" when government does it and "ok" when anyone else does it.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    8. Re:Windows Users Beware... by GMFTatsujin · · Score: 4, Insightful

      In defense of a rational understanding of human rights abuses:

      Norton isn't not keeping you from critiquing them anywhere else. Not on Slashdot, not on your own webpage, not out in the street, not via pamphlets or street marches, not anywhere else, not at all. Norton isn't beating down Slashdot to revoke your UID and retroactively delete every comment you've made. Norton isn't erasing your existence, making an example out of you, disappearing you, or destroying your life over this.

      Norton DOES NOT HAVE THE POWER TO CENSOR, and you're a fool if you follow Commodore64_Love by equating Norton with China, North Korea, or any of the numerous and viable human rights watch hotspots on the planet. Norton doesn't come anywhere near the kind of awful, degrading, threatening, chilling power that a genuine censoring government can wield in the night.

      Norton simply refuses to propagate other people's speech that coincidentally sabotages their business. Since they provide that opportunity on their servers, they have the right to oversee speech on the site they pay for and manage.

      Norton is not even spitting distance from looking at the closest edge of the slippery slope on the horizon. Norton is exercising its right over the property it actually owns: the bits n' bytes that live on the hard drives on their servers. Nobody else's.

      Lord know I don't respect Norton, but they're not setting the world ablaze with their fascist thugs. They're just being jerks toward their customers, and that is -- rightly -- not a crime. When they start kicking down doors, then I'll worry.

    9. Re:Windows Users Beware... by Qzukk · · Score: 3, Insightful

      If I go onto a Disney children's forum and post nothing but swear words, and Disney deletes it, is that censorship too?

      It's their right to do so, but this does not make it "not censorship", whether they remove the post entirely, *** over the swear words, or replace them with gumdrops and candy canes.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    10. Re:Windows Users Beware... by daenris · · Score: 5, Informative

      Original submitter of the article here (wasn't logged in last night). Clever maybe, but not the case. I got the popup from Norton last night asking me to allow or block this executable's internet connection attempt. It was around 10 o'clock I believe. The inital few threads on Norton's forum were completely legitimate and no one was throwing around conspiracy and virus accusations. The problem started when Norton mods started deleting the threads, and blocking the people who posted them from creating more. About 1:30 I went to bed, having found nothing concrete. At that time there were a number of posts around the net, most notably the Zone Alarm forum (since Norton was deleting things). At that point the Norton boards weren't being raided by 4chan at all -- that happened sometime overnight/this morning.

      The file is real -- I can send you a copy if you'd like -- and appears to be part of some Norton update. Really the only problem here, and what triggered everything was that Norton was trying to delete any mention of it from their forums. As many others have pointed out, this leads me to believe that either the file is something Norton doesn't want in the open because they're tracking/doing something they don't want us to know about (tracking personal info, rootkit, whatever) or that somehow the Norton update was compromised and sent out a file that they're desperately trying to cover up/fix.

      I haven't disassembled the file, but I was looking at it in a hex editor last night when I noticed all the ascii "PADDINGXX" at the end of the file, which strikes me as odd and doesn't seem to have a readily available reason to be in a legitimate file. There's no more code after the PADDINGXX sections, so it seems to be there only to ensure that the executable is a specific size.

    11. Re:Windows Users Beware... by TimothyDavis · · Score: 5, Funny

      Not even Evel Knievel could make this jump.

      Is that because he is dead? Or because the gap is too far?

    12. Re:Windows Users Beware... by daenris · · Score: 3, Informative

      Though, another commenter pointed out that the PADDINGXX thing is a legitimate side effect of some Visual Studio compilation. Haven't gotten a chance to check on that, but if that's the case then I'm definitely just leaning on the "legitimate file that for some reason Symantec didn't want us to ask about" train.

    13. Re:Windows Users Beware... by daenris · · Score: 5, Interesting

      And after a quick check, it is indeed a side effect of some compilation, so nothing about the file really appears virusy anymore. The only suspicious points remaining are why the Norton mods were so eager to remove mention of it from their forums last night.

    14. Re:Windows Users Beware... by cayenne8 · · Score: 5, Funny
      11. ...

      12. Profit???

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    15. Re:Windows Users Beware... by DM9290 · · Score: 4, Insightful

      There's a difference between censorship on a private message board operated by a private company, and censorship by a state with authority over its citizens. But that seems to be a really hard concept for the average internet user to grasp.

      Corporations are legal entities which only exist because the state creates the framework which allows them to exist. They are not human beings (created by God etc) with an independent existence.

      There is a difference between censorship practiced by a private individual who has an inherent natural ability to control things in his possession and is also liable without limit for any harm he may cause to others and a corporation which has no ability or power to do anything whatsoever except what the State gives to it, and limited liability towards the owners.

      It is an act of congress which allows corporations to exist. That act should not result in a violation of the bill of rights. And if it does, it certainly can not be justified merely by saying it is the consequence of the act of congress and not congress itself which violates the bill of rights. That would be like saying "I didn't kill you, it was the bullet that flew out of my gun that killed you".

      I would argue that when a corporation of people attempt to violate the human rights enumerated in the constitution of the United States, the US government has a constitutional obligation to revoke its legal protections of that body of people. In effect the limited liability corporation would revert to a partnership with full liability to all its owners (shareholders).

      I would argue that any corporation of private individuals that goes to the People of the Unites States (the government) seeking limited liability for its members (shareholders) is also promising to uphold the Constitution of the United States.

      --
      No one has a right to their *own* opinion. They have a right to the TRUTH.
    16. Re:Windows Users Beware... by Fozzyuw · · Score: 4, Insightful

      And if it is a businesses right to delete comments they want deleted, as they stated in the terms that all posters agree to, it isn't censorship either. If I go onto a Disney children's forum and post nothing but swear words, and Disney deletes it, is that censorship too?

      Yes, it's censorship. Please regard the dicntionary:

      To Censor :: to examine in order to suppress or delete anything considered objectionable [censor the news] ; also : to suppress or delete as objectionable [censor out indecent passages]

      It has nothing to do with morals or laws. It's a term with a definition. Societies determine if it's a "good" or a "bad" thing based on the situation.

      --
      "The past was erased, the erasure was forgotten, the lie became truth." ~1984 George Orwell
    17. Re:Windows Users Beware... by daenris · · Score: 5, Informative
      And the Washington Post has updated to include comments from Symantec

      Dave Cole, senior director of product management at Symantec, said the PIFTS file was part of a "diagnostics patch" shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.

      "We have to make sure before we migrate users to a new product that we can see what kind of load we can expect on our servers, and which customers are going to have to be moved up to the latest version of our product," Cole said.

      As to why Symantec has been deleting posts about this from their user forum, Cole said the company noticed that minutes after the update went out hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments.

      "We want to be out there in the community, but by the same token, if we see abuse we will shut it down pretty quickly," Cole said. "There was no attempt at secrecy here, but people were spamming the forum and making it unusable to everyone."

      In Symantec's defense, when I first heard about this earlier this morning, I noted privately to a couple of folks that some of the comments being left on the Symantec forum bore many of the hallmarks of "4Chan," (a.k.a. "anonymous"), a virtual community that thrives on playing practical jokes and causing trouble online. The summary about this incident posted to News-for-nerds site Slashdot this morning links to a key 4Chan forum.

      Of course, the problem with that justification for deletion being that 4chan spamming didn't start until sometime overnight or this morning. Hours earlier several completely legitimate question threads had been deleted with no explanation.

    18. Re:Windows Users Beware... by getagrip · · Score: 3, Informative

      Link to symantec forum post http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=39119&query.id=294747#M39119

    19. Re:Windows Users Beware... by commodore64_love · · Score: 3, Insightful

      >>>the corporation should inherit (where applicable) the rights of its founders

      And the workers are treated like cattle - "human resources". Sorry but I don't consider a corporation anything other than a non-free state, and when you enter that "state" you lose several of your rights - like freedom to speak, or freedom to drink beer on weekends (else you get fired when the boss sees the photo on your facebook page), or .....

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    20. Re:Windows Users Beware... by capnkr · · Score: 3, Interesting

      Reading the various forums and comments, I also noticed that there were/are several people who have checked their logs and seen that the 'pifts.exe' file was uploaded to their system several days prior to the "3 hour window" in which the patch was distributed/activated last night (this info is according to the Symantec spokesperson official statements I have seen so far).

      It is obvious that Symantec really fumbled the ball, PR-wise. Yet even as they have picked it back up, their statements on what happened do not seem cohesive with the experiences of people that I've read in many different places. I still feel "It will be interesting to see what this story turns out to be all about.", because I don't think that the full truth about this has come out. Too many inconsistencies...

      --
      "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
  34. Re:Rootkit? Nice timing by fruey · · Score: 3, Informative

    I've read a lot of reviews (Gizmo freeware, for example) : http://www.techsupportalert.com/best-free-anti-virus-software.htm which don't support this view.

    Kaspersky seems to not have won out too well recently too.

    Can you post a link to back up your argument?

    --
    Conversion Rate Optimisation French / English consultant
  35. ThreatExpert report by FreelanceWizard · · Score: 3, Informative

    I've submitted the file to ThreatExpert, and the report is available here: http://www.threatexpert.com/report.aspx?md5=91b564d825a3487ae5b5fafe57260810

    It appears as if this is a statistical reporting tool, given the URLs to which it calls home. All in all, it seems reasonably innocuous -- even if Symantec's response to it is unnecessarily heavy-handed.

    --
    The Freelance Wizard
  36. Nothing dangerous... by Manip · · Score: 5, Informative

    I have a copy of PIFTS.exe now and am examining it.

    Notes:
    1) It is small
    2) Internally it is a "patch tool" from patch "021809db"
    3) The Operating System function calls it makes are generally non-threatening
    4) It accesses the registry (Norton products) and does some kind of date based validation

    My guess is... It is an activation checker of some kind. It looks like it is pulling the registration information from the registry and checking it against file dates.

    It also seems to copy its self to the temp folder on execution although I'm not entirely sure as to why.

  37. Re:Any idea what it is? by Anonymous Coward · · Score: 5, Insightful

    > Linux has no viruses because the market is too small

    Well, even assuming this is the only reason (a bit questionable due to the situation with web servers), exploits usually are not particularly portable. And since each distribution compiles their own version, Linux reaching 50% market share actually might _not_ be enough, but what you would need might actually be a _single version_ of a _single distribution_ reaching 50%, which is far less likely.

  38. Crash explorer and become System to view that file by Gazzonyx · · Score: 3, Informative

    Make a .job (scheduled command) to open your command prompt a minute from the time you create it. After it opens, crash explorer.exe and then restart it from the command prompt; you're now logged in as System. You should have access to that file. You can access everything as System. Does this work for you? Either that or boot a live CD and run 'strings' over the file... anything interesting there?

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

  39. Happened before, apparently by coldsalmon · · Score: 3, Informative

    Symantec Caught in Norton Rootkit Flap

    "Symantec Corp. has admitted to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers..."

    http://www.eweek.com/c/a/Security/Symantec-Caught-in-Norton-Rootkit-Flap/

  40. Don't we all run Linux? by Nicolas+MONNET · · Score: 4, Funny

    / yet another smug, uninfected Linux user.

  41. And this is what RMS keeps talking about by vadim_t · · Score: 3, Insightful

    When you use proprietary software, you don't really know what's happening on your system.

    If somebody happened to notice a suspicious process on a Linux box, it'd have been the question of 15 minutes to figure out what package the file belongs to, get the source, take a look at it, and find out what it does and why is it there.

    Instead what we have here a mess with some people coming up with conspiracy theories, Norton refusing to acknowledge the issue, and people trying to figure out what this thing does by looking at the output of strings without much success so far.

    Things are much easier when source is available.

  42. The News Within The Non-News by Crash+Culligan · · Score: 4, Interesting

    When I first saw this here, the first place I looked for additional information was the Internet Storm Center, where they eat this kind of stuff up. And sure enough, they even had a call from someone at Symantec saying that yes, this one is theirs.

    Conspiracy theory or no (and it's looking more like no), there are two things that rescue this from dullsville:

    In the comments on that SANS article, it's mentioned that yes, Symantec is deleting comments left and right, and meanwhile the talk is slowly wending its way onto the ZoneAlarm forums, which just goes to show that one man's misstep is another man's opportunity. And...

    While the story behind the PIFTS file itself isn't terribly interesting, some unsavory rapscallion had noticed its popularity as a search term, and planted malware where people looking for information on it could stumble upon it. Fun stuff, eh? Look for malware information, and find it the hard way.

    Google has already removed that link, but it might still be out there, just in case you use a different search engine. And there's no reason he/they won't try again on another site.

    --
    You cannot truly appreciate Dilbert until you read it in the original Klingon.
  43. Re:Any idea what it is? by mario_grgic · · Score: 3, Informative

    No, and that is exactly what I'm saying. That is not a virus (something that propagates itself without user intervention).

    Something that requires social engineering (lure of porn in this case) to get the user to run it is something else altogether. And like I said there is no way to protect any platform from the user who chooses to download malware and run it.

    --
    As the island of our knowledge grows, so does the shore of our ignorance.