Norton Users Worried By PIFTS.exe, Stonewalling By Symantec

← Back to Stories (view on slashdot.org)

Norton Users Worried By PIFTS.exe, Stonewalling By Symantec

Posted by timothy on Tuesday March 10, 2009 @01:41AM from the and-nobody-saw-me dept.

An anonymous reader writes that "[Monday] evening, on systems with Norton Internet Protection running, users began to see a popup warning about an executable named PIFTS.exe trying to access the internet. The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder. There were several posts about this to the Norton customer forums asking for help or information on this mysterious program. The initial thread received several thousand views and several pages of replies in a few short hours before being deleted. Several subsequent posts to the Norton forum were deleted much more quickly. These actions — whether actively covering up, or simply not well thought through — have spurred people to begin crafting conspiracy theories about the purposes of this PIFTS program. I for one am blocking the program until more information becomes available." The current top link on Google for "PIFTS.exe" links to one of these deleted questions on Norton's support boards, which sounds innocent enough: "I searched this forum but did not see PIFTS.exe. Any idea what this is?"

40 of 685 comments (clear)

Rootkit? by KingSkippus · 2009-03-10 01:42 · Score: 5, Interesting

The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder.
An application that exists in a folder not accessible by the underlying operating system? Sounds suspiciously like a rootkit to me. If so, then man, am I glad I gave up Norton years ago! I mean seriously, what is so hard to understand about the concept that hiding things like directories is a security risk? Have we learned nothing from Sony's stupidity?
Oh yeah, it's Norton (aka Symantec) we're talking about here. I guess not.
1. Re:Rootkit? by Ethanol-fueled · 2009-03-10 02:08 · Score: 5, Funny
  
  *PIFTS*
  
  No, that's not the file. That's the noise I make in disgust everytime somebody tells me to install Norton.
  
  I'd rather download WINDOWSANTIVIRUS.jpg.exe from bittorrent. At least that will shut up every now and then after I pay the extortion fee.
2. Re:Rootkit? by hAckz0r · 2009-03-10 02:09 · Score: 5, Insightful
  
  If it is a rootkit, having it evade a well know commercial virus scanner would be no real surprise. Most are still using signatures for finding sequences of *known* code, and a rootkit can pretty much lie and tell the virus scanner anything it wants as far as any bits of memory on the computer, code or data. Signatures are a failure, and any virus scanner that doesn't give that up and move on to a heuristic approach is doomed to failure too. Covering up the fact that you don't know what bits of code to look for is about all they can do right now. In a couple days they might get a copy of it, run it through IDA Pro, generate a signature, and finally push it out to all the infected PS's on the Internet. Its really a sad paradigm. The only sure fire way is to have the OS integrity itself to be self verifying but too many people are afraid of loosing control over their system to some type of DRM'ed OS. Or in having system failures that can't even be patched or changed due to draconian measures internal to the OS. There is a middle ground but so far no one is going there. This should be built in, not an add-on after market chewing gum and bailing wire solution like virus scanners are. Time for Microsoft and/or Symantec to buy a clue. Rootkit or not, Symantec needs to get their act together.
3. Re:Rootkit? by Henk+Poley · 2009-03-10 02:26 · Score: 5, Informative
  
  Somebody traced the execution, and linked it here:
  http://www.reddit.com/r/reddit.com/comments/83hjr/symantec_covering_up_the_piftsexe_file_and/c0857t5
  Furthermore 4chan's /b/ seems to have a field day with this. Norton discussion boards appear very slow.
4. Re:Rootkit? by Anonymous Coward · 2009-03-10 03:14 · Score: 5, Funny
  
  FROST PIFTS!
5. Re:Rootkit? by HermMunster · 2009-03-10 05:06 · Score: 5, Insightful
  
  Peter Norton came from the mainframe world and created useful utilities for the end user of PCs and compatibles. He was a solid programmer and created a solid company. Symantec purchased him and his competition. We no longer have utilities designed by these companies.
  Instead we have a company using his name. That's it. There really is no Norton any more. It's barely even a brand.
  I tell people that when comparing the free antivirus utilities vs. the paid take the free, as long as they are of reputable means. The reason is that the antivirus side of things is pretty straight forward. Free does a very good job these days, and no matter how you look at it you always need a compliment of utilities anyway (e.g., Spybot S&D 1.6.2, Ad-Aware 2008 (the latest version is unstable), Windows Defender, and AV such as AVG 8).
  The paid commercial product has to compete with these free competent products (and I should know I use them to clean computers every day). When the paid commercial products are released they full of bloat and attempt to integrate themselves do deeply into the OS, so much so that they become the cure worse than the disease.
  Not only that the commercial products have tended over time to make customers paranoid. They need to to keep them purchasing their products. A realistic schedule for scanning, once you know your system is clean, along with continued updates for the OS, is all you need--you can be certain you don't need a paranoid schedule such as every day, every week or even every two weeks.
  The flip side is that if you get so relaxed about your security you won't do it at all.
  Stay away from Norton and McAfee. They are bulky, they are paranoid about their own customers constantly requiring verification of subscription just to get updates (McAfee anyone?).
  Stay away from the gimmick. Do you need that toolbar? The 3rd or 4th one in your IE, or even FF? If you don't understand what the toolbars are doing you shouldn't be installing them. What are they doing? They want you to log in, just like Google and Yahoo. They want to track you and your web pages for targeted ads. I'm not saying that Google and Yahoo are gimmick software used to bait you to install malware, but I am saying that there are plenty of them that do and they are taking their directions from the likes of Google and Yahoo. The more toolbars you have the more search engine choices you install. Choose one and stick to it. Stay away from anything that's a gimmick because it is bound to get you in trouble. Windows itself never pops up a dialog box saying to buy this or that software product. Those are fake. Downloading codecs from an innocent site can also get you in trouble and you should set your system to ensure that you don't automatically download codecs.
  The bottom line is that commercial software is bloated and creates paranoia, and for good reason--they die as a company if you don't resubscribe. The free products do just as good a job as the commercial. And you can't get away with just one product to defend your system anyway. It takes a compliment of them. Stay away from the gimmick. Uninstall your extraneous toolbars (or all of them for that matter). Your web browser is to browse pages not to be served ads or to be tracked by a product that you don't know is tracking you.
  
  --
  You can lead a man with reason but you can't make him think.
Don't worry. by internerdj · 2009-03-10 01:45 · Score: 5, Funny

We are here to protect you. You can trust us.
More conspiracy theories by Anonymous Coward · 2009-03-10 01:50 · Score: 5, Funny
Let's begin the conspiracy theories:
- Unlikely: They accidentally included a virus in an update. Maybe a virus that got out of control in their labs. Maybe a virus that some 1337z h4x0rz snuck into their system. But as I said, unlikely.
- Unlikelier still: This program is a legitimate part of their product, but by mistake they included its signature in their database, or a signature of something else that has a hash collision with this program's hash.
- Extremely unlikely: This is a top secret government program used to figure out who is NOT a national security threat, in order to expend trillions in government resources in doing all sorts of clandestine operations to collect terabytes of data on each of those individuals (again, the ones who have been determined as NON-threats). The ones who have been determined as threats will be placed into an "ignore" database, as collecting any information on those individuals might offend them and is therefore undesirable.
Any publicity is good publicity by CopaceticOpus · 2009-03-10 01:51 · Score: 5, Funny

Ping Internet For Time on Slashdot?
not to worry by Anonymous Coward · 2009-03-10 01:51 · Score: 5, Funny

Don't worry about it. It's just the Privacy Invader From Team Symantec.
Auto-update sent out a virus? by ukyoCE · 2009-03-10 01:55 · Score: 5, Interesting

Reading TFA, the author noted a lot of padding in the suspect executable, presumably to have it match the filesize of something it's pretending to be.
The author then suggests with the rapid proliferation and Norton's screwy coverup in their forums, that the auto-updater may have sent out a virus/rootkit.
Perhaps Norton thought they could send out a patch to clean it up before anyone found out?
Re:law enforcement back door by harmonise · 2009-03-10 02:03 · Score: 5, Insightful

this is a backdoor that Symantec was forced to put in, similar to CIPAV. It is to be used by law enforcement and they are under court order not to reveal its existence. rootkit revealer will show you the entire directory.
That sounds a little too much like "James Bond" to me, mr anonymous poster. I think we should wait until someone disassembles it and looks at what it's doing.

--
Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
They used to get it. by rashanon · 2009-03-10 02:04 · Score: 5, Informative

A long time ago i used to recommend Norton products. About 2002 / 03 you needed to use a special tool to remove their products in case they failed to operate. That was the point that hidden files kept screwing you up all the time. And they have looked back from that philosophy. I used to do a local radio show, and the phone calls were always " How do i fix this damn thing " Years of bad practices tell use one thing most of all. Stop using any norton product. They will never listen until they take a giant hit to their revenue. Maybe if they return to making real software, instead of spending all this time creating just another update cycle for a revenue stream, they will not change. Your time has a lot of value. Stop wasting it. Dump Norton.
Do ** NOT ** search Google for pifts.exe !! by AftanGustur · 2009-03-10 02:05 · Score: 5, Informative

Two top Google results are to sites which will try to infect your PC with malware.
The first one links to a blank page which will redirect in about 20 seconds to a malware site.
The second one is immediately flagged by Firefox as being a "Reported attack site".
This slashdot article is possibly a attack on the /. community.

--
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Re:use a better os by SatanicPuppy · 2009-03-10 02:08 · Score: 5, Insightful

You should run a virus scanner, just to keep from accidentally forwarding viral crap to other people. Infected files and attachments, etc. And assuming you're safe is equally foolish. I run plenty of security software on my linux boxes.
Norton, however, is a turd. Anyone who runs Norton gets what they deserve. It's like a parasite that eats cycles for no reason, and cannot be removed without killing the host.

--
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Zone Alarm boards info by D3 · 2009-03-10 02:09 · Score: 5, Informative

http://forums.zonealarm.org/zonelabs/board/message?board.id=Off-Topic&message.id=19903

--
Do really dense people warp space more than others?
They would not answer my (a customer) question. by odeean · 2009-03-10 02:09 · Score: 5, Interesting

I posted the following question on symantec's forum and it was deleted within 2 minutes: This afternoon for no apparent reason my computer launched a file under C:\documents and settings\all users\application data\symantec\liveupdate\downloads\Updt56\pifts.exe this exe then tried to connect to do a dns lookup. It seemed suspicious because if it was really part of my symantec product then why was it not recommended to allow this connection. I blocked the request then tried to delete the file but access was denied, I couldn't even open it in notepad to see what's inside. I restarted my computer and checked the location again but the directory was gone. Is this file a part of norton internet security or am I being attacked? Does symantec have any advice on this file as it seems to belong to symantec's product? That was not offensive and I have a official product, not some pirated copy. I deserve an answer because it's my pc their program is running on.
Re:law enforcement back door by Iphtashu+Fitz · 2009-03-10 02:10 · Score: 5, Insightful

I call shenanigans. This comment has all the earmarks of an urban legend. An anonymous post claiming to have insider knowledge from another anonymous post.
Why would a third party "security" product require a secret law-enforcement backdoor? The FBI, CIA, NSA, etc. would simply have Microsoft provide a backdoor into ALL of Windows. They wouldn't waste time with a commercial product that only some Windows users install. Why go that route when going the MS route would ensure a backdoor into all systems and not just a very small subset of systems?
CIPAV is not something added willy-nilly into commercial applications. It's basically an extremely well designed rootkit that the FBI, etc. targets against specific users & computers by tricking users into installing it. (social engineering, etc.)
Re:Any idea what it is? by trold · 2009-03-10 02:17 · Score: 5, Insightful

The second that Linux gets above a 50% market, it will also be targeted by viruses, and anti-virus will then be a must for Linux.
So, unless we want that to happen: Keep quiet and enjoy your virus-free Linux.
Re:Do ** NOT ** search Google for pifts.exe !! by drsmack1 · 2009-03-10 02:22 · Score: 5, Informative

Don't just tell us about - report it! http://www.google.com/safebrowsing/report_badware/

--
Humor from a Genetically Molested Mind
Strings in PIFTS.exe by Elphin · 2009-03-10 02:26 · Score: 5, Interesting

Here's a dump of strings found in the pifts.exe on pastebin:
http://pastebin.com/m1e207a78
Interesting padding buffer right at the end? Spoofed length or just room to grow some internal resource?
1. Re:Strings in PIFTS.exe by vadim_t · 2009-03-10 02:58 · Score: 5, Informative
  
  Some interesting things in there:
  
  Software\Symantec\InstalledApps \PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08} Norton Internet Security SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\HbEngine
  
  This seems to point to that at the very least it's not some random virus that managed to sneak into the installer, it's either an actual Norton program that does something fishy Norton doesn't want to admit, or a Norton program that got infected with something. I wonder what's in those registry key.
  
  http://stats.norton.com/n/p?module=2667
  
  Interesting, it reports stats to Norton somewhere, perhaps?
  
  &product=%s&version=%s &e=%d.%d.%d.%d &e=-1 &f=%d.%d.%d.%d &f=-1 &g=%d &g=-1 &h=%d &h=-1 &i=1 &i=0 &j=%s
  
  This seems to pretty clearly point to that an URL for a GET request is created for some purpose.
  
  PifEng.dll
  
  So there's a .DLL too, did anybody post that one?
  
  %s %d-%d-%d %dh%dm%ds.log
  
  There may be a .log file somewhere, named with a timestamp
  
  The ping url is %s
  
  Something that might appear in the log file, perhaps? What is it pinging, and why?
  
  d:\perforce\entiredepot\consumer_crt\patchtools\patch021809db\release\PIFTS.pdb
  
  Looks like a path from the development computer that accidentally got into the binary. Names unfortunately don't seem to explain anything though.
2. Re:Strings in PIFTS.exe by vadim_t · 2009-03-10 03:20 · Score: 5, Informative
  
  Replying to myself,
  On reddit there's a link to a decompiled version.
  It seems to do pretty much what I guessed. However, there are various function calls scattered through the code, like "sub_4022C0();", which aren't in the decompiled code, and probably come from a DLL.
  So it looks like the .exe itself is just WinMain that calls the functions that do the real work, reports stats and does some logging. Whatever it actually does seems to be elsewhere.
An effort underway by Zexarious · 2009-03-10 02:26 · Score: 5, Interesting

There is an effort underway here http://chrysler5thavenue.blogspot.com/ to figure out exactly what the purpose of this villainous little program is.. You can download it here http://www.mediafire.com/?mnmh35b9d0k (BUT DON'T RUN IT). Right now all the theroes are tentative but we are leaning towards this being either symantec's cooperation with government on cyber spying, or a virus which was accidentally released after symantec themselves was infiltrated by middle eastern hackers (it calls home to north africa).
1. Re:An effort underway by krelian · 2009-03-10 02:48 · Score: 5, Funny
  
  Thanks for effort. I just hope you will have the time to do it while still following the other piece of news you have posted on your blog regarding the immediate annexation of Mexico by the U.S...
2. Re:An effort underway by Incitatus · 2009-03-10 02:51 · Score: 5, Funny
  
  There is an effort underway here http://chrysler5thavenue.blogspot.com/
  
  The previous blog entry on this site is that the US is annexing Mexico. Looks like a reliable source to me.
Weekend???? by Anonymous Coward · 2009-03-10 02:27 · Score: 5, Funny

Wow, you managed to uninstall Norton A/V in less than 48 hours????
Re:Any idea what it is? by pz · 2009-03-10 02:30 · Score: 5, Insightful

It's a clue for you to stop using a platform where you must run anti-virus software and to finally switch to something better and come to the 21 century of computing.
I've been using Linux not quite as long as some, but probably longer than most. Quite probably longer than someone, like the parent poster, who has a Slashdot user ID five times larger than mine, especially since I lurked on Slashdot for a few years before getting an account. For me, Linux has been my primary computing platform for over 15 years, and, before then, it was Unix, or, prior to that, one of the DEC predecessors leading back to the early 80s. I have used machines running ITS, one of the first timesharing systems, when they were still contemporary.
That said, I'm tired of this dribble. Unix (in the industrial versions) had / has nearly no viruses or malware because there were very few people using it in total numbers. There was and continues to be little to be gained by writing a virus for these systems: no press coverage, no botnet of millions of computers. It doesn't pay. It isn't worth the effort. Same for Linux: the market is still too small. Same used to be true for MacOS, but that's starting to change as it increases in popularity.
Contrast this with Windows boxes that are so ubiquitous that a half-talented virus writer has a decent chance of getting their malware into hardened sites like the Pentagon through social vectors (eg, an absent-minded worker who uses a USB key on both home and work computers by mistake).
Linux has no viruses because the market is too small. To think that it is immune to attack from malware is naive at best, and, more probably, self-deceptive. If Linux starts to enjoy 10, 20 or 30 percent market share, we will see Linux-targeted malware become a common nuisance. We already see Firefox-specific browser exploits (but for Windows boxes). FOSS isn't somehow magically immune from nuisance teenage activity or out-and-out criminal intent.
So, please, enough of the holier-than-thou attitude.

--

Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
Windows Users Beware... by capnkr · 2009-03-10 02:35 · Score: 5, Interesting

As of this writing, if you do a Google search for "PIFTS.exe" (like was noted in the above summary), the first several links will take you to compromised/attack vector sites.
Did /. just get social engineered?
(Yes, Offtopic to the posts above, but maybe this will have kept someone from getting a nasty surprise...)

--
"...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
1. Re:Windows Users Beware... by Crumplecorn · 2009-03-10 03:00 · Score: 5, Insightful
  
  Posting on Norton's forums is a fundamental human right?
2. Re:Windows Users Beware... by capnkr · 2009-03-10 03:05 · Score: 5, Interesting
  
  That does seem to be the case.
  Maybe not just Slashdot, but the whole intertubes is getting socially engineered... ;)
  1) Crack the NAV update process, inject a timed release 'pifts.exe'.
  2) At the appointed time, firewall alerts get users to start massive concurrent searches on 'pifts.exe', and while Norton tries to figure out WTF is going on, they make the deadly mistake of censoring their forums to disguise their bafflement, which creates huge internets buzz on various security and tech related sites like here and Digg and ZA.
  3) Have your malware sites primed and ready to go, optimized for the expected Google results, creating a nice giant influx of "new users" for your botnets.
  4) Profit!!!
  Okay, just joking... Possible, but highly unlikely. It will be interesting to see what this story turns out to be all about. :)
  
  --
  "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
3. Re:Windows Users Beware... by agrounds · 2009-03-10 03:29 · Score: 5, Funny
  
  Strawman? False Dichotomy? Slippery Slope?
  Man... where do I even begin to explain how bizarre this leap of logic is? Not even Evel Knievel could make this jump.
4. Re:Windows Users Beware... by Anonymous Coward · 2009-03-10 03:30 · Score: 5, Insightful
  
  Posting on Norton's forums is a fundamental human right?
  Welcome to Slashdot - you must be new here. Let me fill you in on how things work hereabouts.
  
  1. Free Speech applies to everything, all of the time, and you don't have to take responsibility for either your words or your actions, unless you are "Teh Man".
  
  2. The higher your UID, the more likely that you believe in 1. with religious fanaticism.
  
  3. Spelling and grammar don't count, no matter how poor.
  
  4. Neither do organization or coherence: You don't have to make sense, you just have to include enough buzzwords and generalities to sound good.
  
  5. Google is good.
  
  6. Apple is better.
  
  7. Information wants to be free as in beer, and you're entitled to everything for free.
  
  8. Copyright is an obsolete concept, unless you're referring to the GPL.
  
  9. Microsoft is always evil.
  
  10.Novell sold out.
  
  There you go! That's about all you need to know to fit in here. So, turn off your brain, spout a few platitudes, and bask in the warmth of the resulting karma.
5. Re:Windows Users Beware... by daenris · 2009-03-10 04:50 · Score: 5, Informative
  
  Original submitter of the article here (wasn't logged in last night). Clever maybe, but not the case. I got the popup from Norton last night asking me to allow or block this executable's internet connection attempt. It was around 10 o'clock I believe. The inital few threads on Norton's forum were completely legitimate and no one was throwing around conspiracy and virus accusations. The problem started when Norton mods started deleting the threads, and blocking the people who posted them from creating more. About 1:30 I went to bed, having found nothing concrete. At that time there were a number of posts around the net, most notably the Zone Alarm forum (since Norton was deleting things). At that point the Norton boards weren't being raided by 4chan at all -- that happened sometime overnight/this morning.
  The file is real -- I can send you a copy if you'd like -- and appears to be part of some Norton update. Really the only problem here, and what triggered everything was that Norton was trying to delete any mention of it from their forums. As many others have pointed out, this leads me to believe that either the file is something Norton doesn't want in the open because they're tracking/doing something they don't want us to know about (tracking personal info, rootkit, whatever) or that somehow the Norton update was compromised and sent out a file that they're desperately trying to cover up/fix.
  I haven't disassembled the file, but I was looking at it in a hex editor last night when I noticed all the ascii "PADDINGXX" at the end of the file, which strikes me as odd and doesn't seem to have a readily available reason to be in a legitimate file. There's no more code after the PADDINGXX sections, so it seems to be there only to ensure that the executable is a specific size.
6. Re:Windows Users Beware... by TimothyDavis · 2009-03-10 05:12 · Score: 5, Funny
  
  Not even Evel Knievel could make this jump.
  Is that because he is dead? Or because the gap is too far?
7. Re:Windows Users Beware... by daenris · 2009-03-10 05:17 · Score: 5, Interesting
  
  And after a quick check, it is indeed a side effect of some compilation, so nothing about the file really appears virusy anymore. The only suspicious points remaining are why the Norton mods were so eager to remove mention of it from their forums last night.
8. Re:Windows Users Beware... by cayenne8 · 2009-03-10 05:35 · Score: 5, Funny
  
  11. ...
  12. Profit???
  
  --
  Light travels faster than sound. This is why some people appear bright until you hear them speak.........
9. Re:Windows Users Beware... by daenris · 2009-03-10 07:44 · Score: 5, Informative
  
  And the Washington Post has updated to include comments from Symantec
  
  Dave Cole, senior director of product management at Symantec, said the PIFTS file was part of a "diagnostics patch" shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.
  
  "We have to make sure before we migrate users to a new product that we can see what kind of load we can expect on our servers, and which customers are going to have to be moved up to the latest version of our product," Cole said.
  
  As to why Symantec has been deleting posts about this from their user forum, Cole said the company noticed that minutes after the update went out hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments.
  
  "We want to be out there in the community, but by the same token, if we see abuse we will shut it down pretty quickly," Cole said. "There was no attempt at secrecy here, but people were spamming the forum and making it unusable to everyone."
  
  In Symantec's defense, when I first heard about this earlier this morning, I noted privately to a couple of folks that some of the comments being left on the Symantec forum bore many of the hallmarks of "4Chan," (a.k.a. "anonymous"), a virtual community that thrives on playing practical jokes and causing trouble online. The summary about this incident posted to News-for-nerds site Slashdot this morning links to a key 4Chan forum.
  
  Of course, the problem with that justification for deletion being that 4chan spamming didn't start until sometime overnight or this morning. Hours earlier several completely legitimate question threads had been deleted with no explanation.
Nothing dangerous... by Manip · 2009-03-10 03:07 · Score: 5, Informative

I have a copy of PIFTS.exe now and am examining it.
Notes:
1) It is small
2) Internally it is a "patch tool" from patch "021809db"
3) The Operating System function calls it makes are generally non-threatening
4) It accesses the registry (Norton products) and does some kind of date based validation
My guess is... It is an activation checker of some kind. It looks like it is pulling the registration information from the registry and checking it against file dates.
It also seems to copy its self to the temp folder on execution although I'm not entirely sure as to why.
Re:Any idea what it is? by Anonymous Coward · 2009-03-10 03:09 · Score: 5, Insightful

> Linux has no viruses because the market is too small
Well, even assuming this is the only reason (a bit questionable due to the situation with web servers), exploits usually are not particularly portable. And since each distribution compiles their own version, Linux reaching 50% market share actually might _not_ be enough, but what you would need might actually be a _single version_ of a _single distribution_ reaching 50%, which is far less likely.