Norton Users Worried By PIFTS.exe, Stonewalling By Symantec

An anonymous reader writes that "[Monday] evening, on systems with Norton Internet Protection running, users began to see a popup warning about an executable named PIFTS.exe trying to access the internet. The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder. There were several posts about this to the Norton customer forums asking for help or information on this mysterious program. The initial thread received several thousand views and several pages of replies in a few short hours before being deleted. Several subsequent posts to the Norton forum were deleted much more quickly. These actions — whether actively covering up, or simply not well thought through — have spurred people to begin crafting conspiracy theories about the purposes of this PIFTS program. I for one am blocking the program until more information becomes available." The current top link on Google for "PIFTS.exe" links to one of these deleted questions on Norton's support boards, which sounds innocent enough: "I searched this forum but did not see PIFTS.exe. Any idea what this is?"

Rootkit?

[KingSkippus (799657)]

The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder.

An application that exists in a folder not accessible by the underlying operating system? Sounds suspiciously like a rootkit to me. If so, then man, am I glad I gave up Norton years ago! I mean seriously, what is so hard to understand about the concept that hiding things like directories is a security risk? Have we learned nothing from Sony's stupidity?

Oh yeah, it's Norton (aka Symantec) we're talking about here. I guess not.

Re:Rootkit?

[fuzzyfuzzyfungus (1223518)]

Didn't you know? In order to reduce the cost of Norton subscriptions, every Norton install now runs a clandestine side business in gun-running and coke smuggling...

Re:Rootkit?

[hAckz0r (989977)]

If it is a rootkit, having it evade a well know commercial virus scanner would be no real surprise. Most are still using signatures for finding sequences of *known* code, and a rootkit can pretty much lie and tell the virus scanner anything it wants as far as any bits of memory on the computer, code or data. Signatures are a failure, and any virus scanner that doesn't give that up and move on to a heuristic approach is doomed to failure too. Covering up the fact that you don't know what bits of code to look for is about all they can do right now. In a couple days they might get a copy of it, run it through IDA Pro, generate a signature, and finally push it out to all the infected PS's on the Internet. Its really a sad paradigm. The only sure fire way is to have the OS integrity itself to be self verifying but too many people are afraid of loosing control over their system to some type of DRM'ed OS. Or in having system failures that can't even be patched or changed due to draconian measures internal to the OS. There is a middle ground but so far no one is going there. This should be built in, not an add-on after market chewing gum and bailing wire solution like virus scanners are. Time for Microsoft and/or Symantec to buy a clue. Rootkit or not, Symantec needs to get their act together.

Re:Rootkit?

[Henk Poley (308046)]

Somebody traced the execution, and linked it here:

http://www.reddit.com/r/reddit.com/comments/83hjr/symantec_covering_up_the_piftsexe_file_and/c0857t5 [reddit.com]

Furthermore 4chan's /b/ seems to have a field day with this. Norton discussion boards appear very slow.

Re:Rootkit?

[m0i (192134)]

Norton discussion boards appear very slow.

You mean disabled after seeing that moderators can't keep up with the posts about PIFTS?

Re:Rootkit?

[by Anonymous Coward]

FROST PIFTS!

Re:Rootkit?

[Ethanol-fueled (1125189)]

*PIFTS*

No, that's not the file. That's the noise I make in disgust everytime somebody tells me to install Norton.

I'd rather download WINDOWSANTIVIRUS.jpg.exe from bittorrent. At least that will shut up every now and then after I pay the extortion fee.

Windows Users Beware...

[capnkr (1153623)]

As of this writing, if you do a Google search for "PIFTS.exe" (like was noted in the above summary), the first several links will take you to compromised/attack vector sites.

Did /. just get social engineered?

(Yes, Offtopic to the posts above, but maybe this will have kept someone from getting a nasty surprise...)

Don't we all run Linux?

[Nicolas MONNET (4727)]

/ yet another smug, uninfected Linux user.

Re:Windows Users Beware...

[Crumplecorn (904797)]

Posting on Norton's forums is a fundamental human right?

Re:Windows Users Beware...

[by Anonymous Coward]

Posting on Norton's forums is a fundamental human right?

Welcome to Slashdot - you must be new here. Let me fill you in on how things work hereabouts.

1. Free Speech applies to everything, all of the time, and you don't have to take responsibility for either your words or your actions, unless you are "Teh Man".

2. The higher your UID, the more likely that you believe in 1. with religious fanaticism.

3. Spelling and grammar don't count, no matter how poor.

4. Neither do organization or coherence: You don't have to make sense, you just have to include enough buzzwords and generalities to sound good.

5. Google is good.

6. Apple is better.

7. Information wants to be free as in beer, and you're entitled to everything for free.

8. Copyright is an obsolete concept, unless you're referring to the GPL.

9. Microsoft is always evil.

10.Novell sold out.

There you go! That's about all you need to know to fit in here. So, turn off your brain, spout a few platitudes, and bask in the warmth of the resulting karma.

Re:Windows Users Beware...

[agrounds (227704)]

Strawman? False Dichotomy? Slippery Slope?

Man... where do I even begin to explain how bizarre this leap of logic is? Not even Evel Knievel could make this jump.

Re:Windows Users Beware...

[Qzukk (229616)]

"Censorship" is done by governments

Censorship is done by people who censor, and has nothing to do with government at all. The only connection it has to government is the prevailing belief that it's "bad" when government does it and "ok" when anyone else does it.

Re:Windows Users Beware...

[GMFTatsujin (239569)]

In defense of a rational understanding of human rights abuses:

Norton isn't not keeping you from critiquing them anywhere else. Not on Slashdot, not on your own webpage, not out in the street, not via pamphlets or street marches, not anywhere else, not at all. Norton isn't beating down Slashdot to revoke your UID and retroactively delete every comment you've made. Norton isn't erasing your existence, making an example out of you, disappearing you, or destroying your life over this.

Norton DOES NOT HAVE THE POWER TO CENSOR, and you're a fool if you follow Commodore64_Love by equating Norton with China, North Korea, or any of the numerous and viable human rights watch hotspots on the planet. Norton doesn't come anywhere near the kind of awful, degrading, threatening, chilling power that a genuine censoring government can wield in the night.

Norton simply refuses to propagate other people's speech that coincidentally sabotages their business. Since they provide that opportunity on their servers, they have the right to oversee speech on the site they pay for and manage.

Norton is not even spitting distance from looking at the closest edge of the slippery slope on the horizon. Norton is exercising its right over the property it actually owns: the bits n' bytes that live on the hard drives on their servers. Nobody else's.

Lord know I don't respect Norton, but they're not setting the world ablaze with their fascist thugs. They're just being jerks toward their customers, and that is -- rightly -- not a crime. When they start kicking down doors, then I'll worry.

Re:Windows Users Beware...

[capnkr (1153623)]

That does seem to be the case.

Maybe not just Slashdot, but the whole intertubes is getting socially engineered... ;)

1) Crack the NAV update process, inject a timed release 'pifts.exe'.
2) At the appointed time, firewall alerts get users to start massive concurrent searches on 'pifts.exe', and while Norton tries to figure out WTF is going on, they make the deadly mistake of censoring their forums to disguise their bafflement, which creates huge internets buzz on various security and tech related sites like here and Digg and ZA.
3) Have your malware sites primed and ready to go, optimized for the expected Google results, creating a nice giant influx of "new users" for your botnets.
4) Profit!!!

Okay, just joking... Possible, but highly unlikely. It will be interesting to see what this story turns out to be all about. :)

Re:Windows Users Beware...

[daenris (892027)]

Original submitter of the article here (wasn't logged in last night). Clever maybe, but not the case. I got the popup from Norton last night asking me to allow or block this executable's internet connection attempt. It was around 10 o'clock I believe. The inital few threads on Norton's forum were completely legitimate and no one was throwing around conspiracy and virus accusations. The problem started when Norton mods started deleting the threads, and blocking the people who posted them from creating more. About 1:30 I went to bed, having found nothing concrete. At that time there were a number of posts around the net, most notably the Zone Alarm forum (since Norton was deleting things). At that point the Norton boards weren't being raided by 4chan at all -- that happened sometime overnight/this morning.

The file is real -- I can send you a copy if you'd like -- and appears to be part of some Norton update. Really the only problem here, and what triggered everything was that Norton was trying to delete any mention of it from their forums. As many others have pointed out, this leads me to believe that either the file is something Norton doesn't want in the open because they're tracking/doing something they don't want us to know about (tracking personal info, rootkit, whatever) or that somehow the Norton update was compromised and sent out a file that they're desperately trying to cover up/fix.

I haven't disassembled the file, but I was looking at it in a hex editor last night when I noticed all the ascii "PADDINGXX" at the end of the file, which strikes me as odd and doesn't seem to have a readily available reason to be in a legitimate file. There's no more code after the PADDINGXX sections, so it seems to be there only to ensure that the executable is a specific size.

Weekend????

[by Anonymous Coward]

Wow, you managed to uninstall Norton A/V in less than 48 hours????

Don't worry.

[internerdj (1319281)]

We are here to protect you. You can trust us.

Re:Don't worry.

[datapharmer (1099455)]

Do not trust him. He is malfunctioning. I am the Shover robot, I am here to protect you from the terrible secret of Symantec.

Re:Don't worry.

[PriceIke (751512)]

Please go stand by the stairs so we can protect you.

Probably just some anonymous report sender

[Vandil X (636030)]

It's so easy for users to click through the installer or post-install pop-up window asking if you'd like to send anonymous* diagnostic info to the vendor to allow them to improve the quality of the product with future software updates based on the data.

Many default with the "Do not ask again" option checked, so once you click through...

(* however anonymous "anonymous" means. Just because they give you a button to look at the contents of the report doesn't means they showed you the headers or all of the data.)

More conspiracy theories

[by Anonymous Coward]

Let's begin the conspiracy theories:

• Unlikely: They accidentally included a virus in an update. Maybe a virus that got out of control in their labs. Maybe a virus that some 1337z h4x0rz snuck into their system. But as I said, unlikely.
• Unlikelier still: This program is a legitimate part of their product, but by mistake they included its signature in their database, or a signature of something else that has a hash collision with this program's hash.
• Extremely unlikely: This is a top secret government program used to figure out who is NOT a national security threat, in order to expend trillions in government resources in doing all sorts of clandestine operations to collect terabytes of data on each of those individuals (again, the ones who have been determined as NON-threats). The ones who have been determined as threats will be placed into an "ignore" database, as collecting any information on those individuals might offend them and is therefore undesirable.

Any publicity is good publicity

[CopaceticOpus (965603)]

Ping Internet For Time on Slashdot?

not to worry

[by Anonymous Coward]

Don't worry about it. It's just the Privacy Invader From Team Symantec.

Auto-update sent out a virus?

[ukyoCE (106879)]

Reading TFA, the author noted a lot of padding in the suspect executable, presumably to have it match the filesize of something it's pretending to be.

The author then suggests with the rapid proliferation and Norton's screwy coverup in their forums, that the auto-updater may have sent out a virus/rootkit.

Perhaps Norton thought they could send out a patch to clean it up before anyone found out?

PIFTS Obvious what it is

[oztiks (921504)]

P = Purposely
I = Introduced
F = File
T = Thieving
S = System

They used to get it.

[rashanon (910380)]

A long time ago i used to recommend Norton products. About 2002 / 03 you needed to use a special tool to remove their products in case they failed to operate. That was the point that hidden files kept screwing you up all the time. And they have looked back from that philosophy. I used to do a local radio show, and the phone calls were always " How do i fix this damn thing " Years of bad practices tell use one thing most of all. Stop using any norton product. They will never listen until they take a giant hit to their revenue. Maybe if they return to making real software, instead of spending all this time creating just another update cycle for a revenue stream, they will not change. Your time has a lot of value. Stop wasting it. Dump Norton.

Do ** NOT ** search Google for pifts.exe !!

[AftanGustur (7715)]

Two top Google results are to sites which will try to infect your PC with malware.

The first one links to a blank page which will redirect in about 20 seconds to a malware site.

The second one is immediately flagged by Firefox as being a "Reported attack site".

This slashdot article is possibly a attack on the /. community.

Re:Do ** NOT ** search Google for pifts.exe !!

[drsmack1 (698392)]

Don't just tell us about - report it! http://www.google.com/safebrowsing/report_badware/ [google.com]

Good riddance Norton

[Toreo asesino (951231)]

Sorry if this comes across as rather elitist, but the all-encumbering anti-virus packages these days just seem so out of date. Norton has always sold itself on the basis it has every possible corner and hole of Windows plugged, checked, double-checked and clamped shut (that is...until your subscription ran out anyway)

Up until a few years ago, I would have really wanted that assurance...like there was a big Daddy Norton with a big fuck-off gun vigilantly checking all entrances; verifying all in & out; assuming guilt until proven innocent.

Thing is, as much as people here may dislike Vista, one thing I think no one will deny is that it's a version of Windows far more capable of taking care of itself; the effect being that AV really doesn't need to be the relentless and fearsome bouncer it was.
Gone are the days when you could "just write in the system32 dir" etc; nay, even programs not rubber-stamped with a certificate that don't need root access will raise an eyebrow in the shell in Vista/W7.

My point is, AV now is nothing more than a "These programs are bad" list. The leaky sieve that was Windows past is diminishing every, and heavy security like Norton is becoming less and less relevant (thank god)...and they know it. Good riddance I say.

Zone Alarm boards info

[D3 (31029)]

http://forums.zonealarm.org/zonelabs/board/message?board.id=Off-Topic&message.id=19903 [zonealarm.org]

They would not answer my (a customer) question.

[odeean (1496183)]

I posted the following question on symantec's forum and it was deleted within 2 minutes: This afternoon for no apparent reason my computer launched a file under C:\documents and settings\all users\application data\symantec\liveupdate\downloads\Updt56\pifts.exe this exe then tried to connect to do a dns lookup. It seemed suspicious because if it was really part of my symantec product then why was it not recommended to allow this connection. I blocked the request then tried to delete the file but access was denied, I couldn't even open it in notepad to see what's inside. I restarted my computer and checked the location again but the directory was gone. Is this file a part of norton internet security or am I being attacked? Does symantec have any advice on this file as it seems to belong to symantec's product? That was not offensive and I have a official product, not some pirated copy. I deserve an answer because it's my pc their program is running on.

Strings in PIFTS.exe

[Elphin (7066)]

Here's a dump of strings found in the pifts.exe on pastebin:

http://pastebin.com/m1e207a78

Interesting padding buffer right at the end? Spoofed length or just room to grow some internal resource?

Re:Strings in PIFTS.exe

[vadim_t (324782)]

Some interesting things in there:

Software\Symantec\InstalledApps
\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}
Norton Internet Security
SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine
SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\HbEngine

This seems to point to that at the very least it's not some random virus that managed to sneak into the installer, it's either an actual Norton program that does something fishy Norton doesn't want to admit, or a Norton program that got infected with something. I wonder what's in those registry key.

http://stats.norton.com/n/p?module=2667

Interesting, it reports stats to Norton somewhere, perhaps?

&product=%s&version=%s
&e=%d.%d.%d.%d
&e=-1
&f=%d.%d.%d.%d
&f=-1
&g=%d
&g=-1
&h=%d
&h=-1
&i=1
&i=0
&j=%s

This seems to pretty clearly point to that an URL for a GET request is created for some purpose.

PifEng.dll

So there's a .DLL too, did anybody post that one?

%s %d-%d-%d %dh%dm%ds.log

There may be a .log file somewhere, named with a timestamp

The ping url is %s

Something that might appear in the log file, perhaps? What is it pinging, and why?

d:\perforce\entiredepot\consumer_crt\patchtools\patch021809db\release\PIFTS.pdb

Looks like a path from the development computer that accidentally got into the binary. Names unfortunately don't seem to explain anything though.

Re:Strings in PIFTS.exe

[vadim_t (324782)]

Replying to myself,

On reddit [reddit.com] there's a link to a decompiled version [mediafire.com].

It seems to do pretty much what I guessed. However, there are various function calls scattered through the code, like "sub_4022C0();", which aren't in the decompiled code, and probably come from a DLL.

So it looks like the .exe itself is just WinMain that calls the functions that do the real work, reports stats and does some logging. Whatever it actually does seems to be elsewhere.

Re:Strings in PIFTS.exe

[Excors (807434)]

The PADDINGXXPADDING is just a standard artifact of the Visual C++ build process - there's a manifest XML string that's added to the .exe (for 'side-by-side' DLL dependency handling), and padding is added for some internal alignment requirements. (This article [codeproject.com] says the UpdateResource API is what adds that string). So it's nothing unusual or suspicious.

An effort underway

[Zexarious (691024)]

There is an effort underway here http://chrysler5thavenue.blogspot.com/ [blogspot.com] to figure out exactly what the purpose of this villainous little program is.. You can download it here http://www.mediafire.com/?mnmh35b9d0k [mediafire.com] (BUT DON'T RUN IT). Right now all the theroes are tentative but we are leaning towards this being either symantec's cooperation with government on cyber spying, or a virus which was accidentally released after symantec themselves was infiltrated by middle eastern hackers (it calls home to north africa).

Re:An effort underway

[krelian (525362)]

Thanks for effort. I just hope you will have the time to do it while still following the other piece of news you have posted on your blog regarding the immediate annexation of Mexico by the U.S...

Re:An effort underway

[Incitatus (689226)]

There is an effort underway here http://chrysler5thavenue.blogspot.com/ [blogspot.com]

The previous blog entry on this site is that the US is annexing Mexico. Looks like a reliable source to me.

PIFTS

[meist3r (1061628)]

Perfectly Innocent Firewall Testing System

Nothing dangerous...

[Manip (656104)]

I have a copy of PIFTS.exe now and am examining it.

Notes:
1) It is small
2) Internally it is a "patch tool" from patch "021809db"
3) The Operating System function calls it makes are generally non-threatening
4) It accesses the registry (Norton products) and does some kind of date based validation

My guess is... It is an activation checker of some kind. It looks like it is pulling the registration information from the registry and checking it against file dates.

It also seems to copy its self to the temp folder on execution although I'm not entirely sure as to why.

The News Within The Non-News

[Crash Culligan (227354)]

When I first saw this here, the first place I looked for additional information was the Internet Storm Center [sans.org], where they eat this kind of stuff up. And sure enough, they even had a call from someone at Symantec saying that yes, this one is theirs.

Conspiracy theory or no (and it's looking more like no), there are two things that rescue this from dullsville:

In the comments on that SANS article, it's mentioned that yes, Symantec is deleting comments left and right, and meanwhile the talk is slowly wending its way onto the ZoneAlarm forums, which just goes to show that one man's misstep is another man's opportunity. And...

While the story behind the PIFTS file itself isn't terribly interesting, some unsavory rapscallion had noticed its popularity as a search term, and planted malware where people looking for information on it could stumble upon it. Fun stuff, eh? Look for malware information, and find it the hard way.

Google has already removed that link, but it might still be out there, just in case you use a different search engine. And there's no reason he/they won't try again on another site.

Re:law enforcement back door

[harmonise (1484057)]

this is a backdoor that Symantec was forced to put in, similar to CIPAV. It is to be used by law enforcement and they are under court order not to reveal its existence. rootkit revealer will show you the entire directory.

That sounds a little too much like "James Bond" to me, mr anonymous poster. I think we should wait until someone disassembles it and looks at what it's doing.

Re:law enforcement back door

[Iphtashu Fitz (263795)]

I call shenanigans. This comment has all the earmarks of an urban legend. An anonymous post claiming to have insider knowledge from another anonymous post.

Why would a third party "security" product require a secret law-enforcement backdoor? The FBI, CIA, NSA, etc. would simply have Microsoft provide a backdoor into ALL of Windows. They wouldn't waste time with a commercial product that only some Windows users install. Why go that route when going the MS route would ensure a backdoor into all systems and not just a very small subset of systems?

CIPAV is not something added willy-nilly into commercial applications. It's basically an extremely well designed rootkit that the FBI, etc. targets against specific users & computers by tricking users into installing it. (social engineering, etc.)

Re:law enforcement back door

[eth1 (94901)]

Or smarter... If they were forced to put the backdoor in, then gagged by the court, maybe one of the programmers "accidentally" made a mistake so that the existence was indirectly revealed.

Re:use a better os

[SatanicPuppy (611928)]

You should run a virus scanner, just to keep from accidentally forwarding viral crap to other people. Infected files and attachments, etc. And assuming you're safe is equally foolish. I run plenty of security software on my linux boxes.

Norton, however, is a turd. Anyone who runs Norton gets what they deserve. It's like a parasite that eats cycles for no reason, and cannot be removed without killing the host.

Re:Any idea what it is?

[SatanicPuppy (611928)]

I can think of a dozen unix/linux rootkits without even trying. Just because it's harder to install them, doesn't mean it's impossible. If you think you don't need to run any sort of security software (not Norton, of course, because they suck), then one day you're going to have a very very rude awakening.

Re:Any idea what it is?

[trold (242154)]

The second that Linux gets above a 50% market, it will also be targeted by viruses, and anti-virus will then be a must for Linux.

So, unless we want that to happen: Keep quiet and enjoy your virus-free Linux.

Re:Any idea what it is?

[pz (113803)]

It's a clue for you to stop using a platform where you must run anti-virus software and to finally switch to something better and come to the 21 century of computing.

I've been using Linux not quite as long as some, but probably longer than most. Quite probably longer than someone, like the parent poster, who has a Slashdot user ID five times larger than mine, especially since I lurked on Slashdot for a few years before getting an account. For me, Linux has been my primary computing platform for over 15 years, and, before then, it was Unix, or, prior to that, one of the DEC predecessors leading back to the early 80s. I have used machines running ITS, one of the first timesharing systems, when they were still contemporary.

That said, I'm tired of this dribble. Unix (in the industrial versions) had / has nearly no viruses or malware because there were very few people using it in total numbers. There was and continues to be little to be gained by writing a virus for these systems: no press coverage, no botnet of millions of computers. It doesn't pay. It isn't worth the effort. Same for Linux: the market is still too small. Same used to be true for MacOS, but that's starting to change as it increases in popularity.

Contrast this with Windows boxes that are so ubiquitous that a half-talented virus writer has a decent chance of getting their malware into hardened sites like the Pentagon through social vectors (eg, an absent-minded worker who uses a USB key on both home and work computers by mistake).

Linux has no viruses because the market is too small. To think that it is immune to attack from malware is naive at best, and, more probably, self-deceptive. If Linux starts to enjoy 10, 20 or 30 percent market share, we will see Linux-targeted malware become a common nuisance. We already see Firefox-specific browser exploits (but for Windows boxes). FOSS isn't somehow magically immune from nuisance teenage activity or out-and-out criminal intent.

So, please, enough of the holier-than-thou attitude.

Re:Any idea what it is?

[by Anonymous Coward]

> Linux has no viruses because the market is too small

Well, even assuming this is the only reason (a bit questionable due to the situation with web servers), exploits usually are not particularly portable. And since each distribution compiles their own version, Linux reaching 50% market share actually might _not_ be enough, but what you would need might actually be a _single version_ of a _single distribution_ reaching 50%, which is far less likely.