Norton Users Worried By PIFTS.exe, Stonewalling By Symantec 685

An anonymous reader writes that "[Monday] evening, on systems with Norton Internet Protection running, users began to see a popup warning about an executable named PIFTS.exe trying to access the internet. The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder. There were several posts about this to the Norton customer forums asking for help or information on this mysterious program. The initial thread received several thousand views and several pages of replies in a few short hours before being deleted. Several subsequent posts to the Norton forum were deleted much more quickly. These actions — whether actively covering up, or simply not well thought through — have spurred people to begin crafting conspiracy theories about the purposes of this PIFTS program. I for one am blocking the program until more information becomes available." The current top link on Google for "PIFTS.exe" links to one of these deleted questions on Norton's support boards, which sounds innocent enough: "I searched this forum but did not see PIFTS.exe. Any idea what this is?"
  • Rootkit? (Score:5, Interesting)

    by KingSkippus ( 799657 ) * on Tuesday March 10, 2009 @09:42AM (#27133687) Homepage Journal

    The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder.

    An application that exists in a folder not accessible by the underlying operating system? Sounds suspiciously like a rootkit to me. If so, then man, am I glad I gave up Norton years ago! I mean seriously, what is so hard to understand about the concept that hiding things like directories is a security risk? Have we learned nothing from Sony's stupidity?

    Oh yeah, it's Norton (aka Symantec) we're talking about here. I guess not.

  • by Vandil X ( 636030 ) on Tuesday March 10, 2009 @09:46AM (#27133733)
    It's so easy for users to click through the installer or post-install pop-up window asking if you'd like to send anonymous* diagnostic info to the vendor to allow them to improve the quality of the product with future software updates based on the data.

    Many default with the "Do not ask again" option checked, so once you click through...

    (* however anonymous "anonymous" means. Just because they give you a button to look at the contents of the report doesn't mean they showed you the headers or all of the data.)
  • How come you didn't mention the NSA's backdoor into NAV?

    For shame, sir, for shame.

  • lulz (Score:4, Interesting)

    by kunwon1 ( 795332 ) * <dave.j.moore@gmail.com> on Tuesday March 10, 2009 @09:54AM (#27133833) Homepage
    I posted a link to this slashdot article in the norton forums and it had close to 500 views in the 4 minutes that it existed. owned.
  • by ukyoCE ( 106879 ) on Tuesday March 10, 2009 @09:55AM (#27133861) Journal

    Reading TFA, the author noted a lot of padding in the suspect executable, presumably to have it match the filesize of something it's pretending to be.

    The author then suggests with the rapid proliferation and Norton's screwy coverup in their forums, that the auto-updater may have sent out a virus/rootkit.

    Perhaps Norton thought they could send out a patch to clean it up before anyone found out?

  • Re:use a better os (Score:1, Interesting)

    by Anonymous Coward on Tuesday March 10, 2009 @10:03AM (#27133971)

    Nope. They can get malware. The difference is that an exploit doesn't need to take off in the wild for Linux to patch it, which is more than you can say for Microsoft.

    I'm amazed at the kool-aid Microsoft has customers believing -- that it is actually a third party's responsibility to protect them from Microsoft's shoddy code.

  • Good riddance Norton (Score:5, Interesting)

    by Toreo asesino ( 951231 ) on Tuesday March 10, 2009 @10:06AM (#27134013) Journal

    Sorry if this comes across as rather elitist, but the all-encumbering anti-virus packages these days just seem so out of date. Norton has always sold itself on the basis it has every possible corner and hole of Windows plugged, checked, double-checked and clamped shut (that is...until your subscription ran out anyway).

    Up until a few years ago, I would have really wanted that assurance...like there was a big Daddy Norton with a big fuck-off gun vigilantly checking all entrances; verifying all in & out; assuming guilt until proven innocent.

    Thing is, as much as people here may dislike Vista, one thing I think no one will deny is that it's a version of Windows far more capable of taking care of itself; the effect being that AV really doesn't need to be the relentless and fearsome bouncer it was.
    Gone are the days when you could "just write in the system32 dir" etc; nay, even programs not rubber-stamped with a certificate that don't need root access will raise an eyebrow in the shell in Vista/W7.

    My point is, AV now is nothing more than a "These programs are bad" list. The leaky sieve that was Windows past is diminishing every, and heavy security like Norton is becoming less and less relevant (thank god)...and they know it. Good riddance I say.

  • by odeean ( 1496183 ) on Tuesday March 10, 2009 @10:09AM (#27134055)
    I posted the following question on Symantec's forum and it was deleted within 2 minutes:

    This afternoon for no apparent reason my computer launched a file under C:\documents and settings\all users\application data\symantec\liveupdate\downloads\Updt56\pifts.exe. This exe then tried to connect to do a DNS lookup. It seemed suspicious because if it was really part of my Symantec product then why was it not recommended to allow this connection? I blocked the request then tried to delete the file but access was denied; I couldn't even open it in Notepad to see what's inside. I restarted my computer and checked the location again but the directory was gone. Is this file a part of Norton Internet Security or am I being attacked? Does Symantec have any advice on this file as it seems to belong to Symantec's product?

    That was not offensive and I have an official product, not some pirated copy. I deserve an answer because it's my PC their program is running on.
  • by Anonymous Coward on Tuesday March 10, 2009 @10:10AM (#27134065)

    Tried to register at their forums with login 'pifts' and got this:

    "That login contains invalid content. Please choose a different login that does not contain 'pifts'."

    Way to go Norton! We may have to rename Streisand effect to Norton effect pretty soon...

  • by eth1 ( 94901 ) on Tuesday March 10, 2009 @10:11AM (#27134081)

    Or smarter... If they were forced to put the backdoor in, then gagged by the court, maybe one of the programmers "accidentally" made a mistake so that the existence was indirectly revealed.

  • by SpacePunk ( 17960 ) on Tuesday March 10, 2009 @10:12AM (#27134091) Homepage

    Perhaps this is why pifts.exe is being bandied about. It's a perfect way to get people to get to sites that will infect them with a virus by using search engines to point the way.

  • by MortenMW ( 968289 ) on Tuesday March 10, 2009 @10:20AM (#27134205)
    I'm not any good in assembly, but to me it seems as if PIFTS.exe both reads and writes to/from the registry and other files. It even appears to look out for debuggers (see line 8093). Other interesting addresses in the .asm-file:
    34308: SWC00413C88__PIF__B8E1DD85_8582_4c61_B58F_2F:
    34309: unicode '\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}',0000h
    --
    34370: SWC00413E78__60333AE5_B66E_4994_B15C_CA2D665:
    34371: unicode '{60333AE5-B66E-4994-B15C-CA2D665CDC89}',0000h
    --
    34373: SWC00413EC8_systemState:
    34374: unicode 'systemState',0000h
    34375: SWC00413EE0_SOFTWARE_Symantec_PIF__B8E1DD85_:
    34376: unicode 'SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine',0000h
    --
    34430: SWC00413FA0_http___stats_norton_com_n_p_modu:
    34431: unicode 'http://stats.norton.com/n/p?module=2667',0000h (this looks very interesting!)
  • by SuperBanana ( 662181 ) on Tuesday March 10, 2009 @10:23AM (#27134261)
    If this is the case, does this mean all major antivirus packages have these things? Have any been found "clean" by deep inspection of the installer etc?

    For those of us who have systems with patient study data, this is a Big Fucking Deal. Luckily, we have firewalls involved, but still...

  • Strings in PIFTS.exe (Score:5, Interesting)

    by Elphin ( 7066 ) on Tuesday March 10, 2009 @10:26AM (#27134315) Homepage

    Here's a dump of strings found in the pifts.exe on pastebin:

    http://pastebin.com/m1e207a78

    Interesting padding buffer right at the end? Spoofed length or just room to grow some internal resource?

  • An effort underway (Score:5, Interesting)

    by Zexarious ( 691024 ) <svarog@gmail.com> on Tuesday March 10, 2009 @10:26AM (#27134317)
    There is an effort underway here http://chrysler5thavenue.blogspot.com/ [blogspot.com] to figure out exactly what the purpose of this villainous little program is. You can download it here http://www.mediafire.com/?mnmh35b9d0k [mediafire.com] (BUT DON'T RUN IT). Right now all the theories are tentative but we are leaning towards this being either Symantec's cooperation with government on cyber spying, or a virus which was accidentally released after Symantec themselves were infiltrated by middle eastern hackers (it calls home to north africa).
  • Re:use a better os (Score:2, Interesting)

    by yossarianuk ( 1402187 ) on Tuesday March 10, 2009 @10:28AM (#27134351)
    The difference is how Linux gets rootkits. In nearly all cases I have seen it is due to poor security/vulnerabilities in a web/ftp, etc. server. NOT from clicking on a random link / putting in a USB stick / just being on the internet. I personally haven't ever seen a Linux desktop with a virus. Windows spreads viruses in the same way AIDS spreads.
  • by capnkr ( 1153623 ) on Tuesday March 10, 2009 @10:35AM (#27134447)

    As of this writing, if you do a Google search for "PIFTS.exe" (like was noted in the above summary), the first several links will take you to compromised/attack vector sites.

    Did /. just get social engineered?

    (Yes, Offtopic to the posts above, but maybe this will have kept someone from getting a nasty surprise...)

  • by Rasit ( 967850 ) on Tuesday March 10, 2009 @10:40AM (#27134515)
    People are claiming this [iseclab.org] is an analysis of PIFTS.exe. I have no way to verify that this really is the Norton PIFTS.exe so keep that in mind.

    Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web. (medium)

    Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary. (high)

    Performs Registry Activities: The executable reads and modifies register values. It also creates and monitors register keys. (low)

  • by AftanGustur ( 7715 ) on Tuesday March 10, 2009 @10:47AM (#27134581) Homepage
    The sites on top of Google searches for pifts.exe are just standard malware sites which populate themselves automatically with keywords from google trends.
  • Re:use a better os (Score:2, Interesting)

    by AnalPerfume ( 1356177 ) on Tuesday March 10, 2009 @11:01AM (#27134821)

    Actually malware compatibility helps Microsoft sales. Around 80% of Windows sales are new PCs with Windows pre-installed. If Windows was properly secure and stable it wouldn't get hosed within 6 months and need wiping / reinstalling. Many people don't know how to do this so they either pay to get their Windows fixed, or assume they need a new PC.

    On the "use another OS" point, I already do.....and I feel left out that I won't be able to experience this latest suspicious .exe. Sometimes I miss that fun.

    Given the way Norton are running around trying to silence the reports I'd guess it is something they hoped they could slip in and nobody would notice, which in itself is a dodgy position for a company whose entire business is based on "trust us to protect your interests from dodgy .exe files". As a company who rely on the internet for customers (no internet? vastly reduced flow of malware) they really should know better than to assume they can silence a story like this by putting lots of staff on "deleting forum posts and replies" duty. Bloggers and sites like this one will be all over it, and like anything else, trying to cover it up will make you guilty to many observers who don't read the details or updates to the story.

    Perhaps Norton have fallen for their own ego and have started to make assumptions on what they can get away with. How many people install Norton by choice? I'd bet most of their customers are new PC owners with shareware Norton which tells them after a while to "pay up or remove", and they don't know there are alternatives, let alone better and cheaper / free alternatives. Like AOL they'll have a high customer turnover as people gradually realize how bad their product is, and find (or be recommended) an alternative one. As long as there are plenty new chumps who are new to computers they will have new revenue to replace the disillusioned. When that starts to dry up, Norton are gonna be fucked, not unlike AOL.

  • by capnkr ( 1153623 ) on Tuesday March 10, 2009 @11:05AM (#27134885)

    That does seem to be the case.

    Maybe not just Slashdot, but the whole intertubes is getting socially engineered... ;)

    1) Crack the NAV update process, inject a timed release 'pifts.exe'.
    2) At the appointed time, firewall alerts get users to start massive concurrent searches on 'pifts.exe', and while Norton tries to figure out WTF is going on, they make the deadly mistake of censoring their forums to disguise their bafflement, which creates huge internets buzz on various security and tech related sites like here and Digg and ZA.
    3) Have your malware sites primed and ready to go, optimized for the expected Google results, creating a nice giant influx of "new users" for your botnets.
    4) Profit!!!

    Okay, just joking... Possible, but highly unlikely. It will be interesting to see what this story turns out to be all about. :)

  • by Tony Hoyle ( 11698 ) * <tmh@nodomain.org> on Tuesday March 10, 2009 @11:41AM (#27135487) Homepage

    Nod32 still borks the TCP stack by default, so I avoid that (what the hell it's even doing hooking into it is beyond me).

    Avast is pretty good... you can switch the nag screen off.

  • by Qzukk ( 229616 ) on Tuesday March 10, 2009 @11:48AM (#27135629) Journal

    "Censorship" is done by governments

    Censorship is done by people who censor, and has nothing to do with government at all. The only connection it has to government is the prevailing belief that it's "bad" when government does it and "ok" when anyone else does it.

  • Re:Rootkit? (Score:3, Interesting)

    by Eil ( 82413 ) on Tuesday March 10, 2009 @11:52AM (#27135723) Homepage Journal

    The only surefire way is to have the OS integrity itself be self-verifying but too many people are afraid of losing control over their system to some type of DRM'ed OS

    And as well they should be. Don't confuse OS security systems with DRM. Although their methods can be similar, the primary difference between them is control. With a system like SELinux, the user (or admin) controls what is allowed and what is not on their systems. I *want* the fine-grained ability to control what goes on in my software environment, but I don't want a faceless company holding all of the keys and telling me what I can and cannot do with the hardware (and software) that I rightfully possess the license to use.

    This should be built in, not an add-on after market chewing gum and bailing wire solution like virus scanners are. Time for Microsoft and/or Symantec to buy a clue. Rootkit or not, Symantec needs to get their act together.

    Not to go all RMS, but until Microsoft and/or Symantec open source the entirety of their code, any security system that they introduce to their products cannot be trusted as it cannot be verified as secure by the people who want to use it.

  • Oh please.... (Score:3, Interesting)

    by EddyPearson ( 901263 ) on Tuesday March 10, 2009 @12:00PM (#27135851) Homepage

    FUD at its best! This is what you get when your primary news source is 4chan.

    The file is rather obviously (look at the strings/modules) a small update to the Symantec PIF Alert Engine. See PIFSvc.exe and PifEng.dll (which have been there for a while) for more information. From what I can tell, and I'm not a Symantec user, this is part of the LiveUpdate component; even if it weren't, binary analysis shows nothing untoward.

    The real WTF is why Norton are deleting support requests en masse rather than simply sending out a press release.

  • by bittmann ( 118697 ) on Tuesday March 10, 2009 @12:38PM (#27136471) Journal
    Holy cow! Now the thread which had been responded to by a Norton employee has been deleted!

    From a recent post [norton.com] on the Norton forum:

    To my limited knowledge, that program is legitimately delivered in a LiveUpdate package.

    The topics are deleted because it appears that somebody is abusing this system and some legitimate posts may be the collateral damage associated with dealing with this abuse.

    -Reese Anschultz
    Sr. SQA Manager
    Symantec Corporation

  • by Crash Culligan ( 227354 ) on Tuesday March 10, 2009 @12:55PM (#27136723) Journal

    When I first saw this here, the first place I looked for additional information was the Internet Storm Center [sans.org], where they eat this kind of stuff up. And sure enough, they even had a call from someone at Symantec saying that yes, this one is theirs.

    Conspiracy theory or no (and it's looking more like no), there are two things that rescue this from dullsville:

    In the comments on that SANS article, it's mentioned that yes, Symantec is deleting comments left and right, and meanwhile the talk is slowly wending its way onto the ZoneAlarm forums, which just goes to show that one man's misstep is another man's opportunity. And...

    While the story behind the PIFTS file itself isn't terribly interesting, some unsavory rapscallion had noticed its popularity as a search term, and planted malware where people looking for information on it could stumble upon it. Fun stuff, eh? Look for malware information, and find it the hard way.

    Google has already removed that link, but it might still be out there, just in case you use a different search engine. And there's no reason he/they won't try again on another site.

  • by daenris ( 892027 ) on Tuesday March 10, 2009 @01:17PM (#27137053)
    And after a quick check, it is indeed a side effect [codeproject.com] of some compilation, so nothing about the file really appears virusy anymore. The only suspicious points remaining are why the Norton mods were so eager to remove mention of it from their forums last night.
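The "padding at the end of the file" question raised by Elphin's strings dump and answered by daenris's compiler-artifact link can be settled for any PE file with a short triage check. This is an added example, not code from the thread or from Symantec: it walks the section table to find where mapped data ends, then reports whether the trailing bytes are all-zero alignment padding (a linker artifact) or a non-zero overlay worth a closer look. The PE image it checks is constructed inline so the script runs offline.

```python
import struct


def _u16(b: bytes, off: int) -> int:
    return struct.unpack_from("<H", b, off)[0]


def _u32(b: bytes, off: int) -> int:
    return struct.unpack_from("<I", b, off)[0]


def pe_trailing_bytes(data: bytes) -> dict:
    """Locate the end of the last section's raw data and classify what follows.

    The loader maps only the headers and the section raw data (each rounded up
    to FileAlignment). Bytes after the last section are never mapped: an all-zero
    run is ordinary alignment padding left by the linker, while non-zero bytes
    form an 'overlay' that some packers and droppers use to carry a payload.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = _u32(data, 0x3C)                      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = _u16(data, coff + 2)
    opt_size = _u16(data, coff + 16)
    opt = coff + 20
    file_align = _u32(data, opt + 36)              # same offset in PE32 and PE32+
    sect_table = opt + opt_size
    sections_end = 0
    for i in range(num_sections):
        s = sect_table + 40 * i
        raw_size = _u32(data, s + 16)              # SizeOfRawData
        raw_ptr = _u32(data, s + 20)               # PointerToRawData
        sections_end = max(sections_end, raw_ptr + raw_size)
    trailer = data[sections_end:]
    if not trailer:
        kind = "none"
    elif not any(trailer):
        kind = "zero-padding"
    else:
        kind = "overlay"
    return {
        "sections_end": sections_end,
        "file_size": len(data),
        "trailing_len": len(trailer),
        "kind": kind,
        "aligned": sections_end % file_align == 0,
    }


def build_sample_pe(trailer: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (one .text section) so the check runs offline."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)     # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)                            # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                             # FileAlignment
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x100, 0x1000, 0x200, 0x200,
                                      0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec
    headers += bytes(0x200 - len(headers))                             # pad to FileAlignment
    body = b"\xC3" + bytes(0x1FF)                                      # 'ret' + zero fill
    return headers + body + trailer


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(bytes(3000))
    print(pe_trailing_bytes(blob))
```

Run it with a path argument to inspect a real file; a large "zero-padding" result is the benign case daenris describes, whereas "overlay" means the bytes past the last section carry content and should be examined before any conclusion is drawn.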
  • by Anonymous Coward on Tuesday March 10, 2009 @04:20PM (#27140137)

    The file is real -- I can send you a copy if you'd like

    Please post a copy to mediafire. I for one would like to take a look at it.
    Thanks.

  • by Actually, I do RTFA ( 1058596 ) on Tuesday March 10, 2009 @04:51PM (#27140641)

    Posting on Norton's forums is a fundamental human right?

    To the degree that Norton does not exist except as a legal construct by state and federal law, I would claim that corporations inherit similar obligations as the government. Examples abound-- they cannot refuse to sell you products or hire you because of race or gender. They don't have to invent jobs, but they do have to be fair about giving them out. Similarly, they don't have to create a forum, but they have* to be fair in letting people post there.

    *Not under current law, but under how the law should be written.

    To preempt strawmen counter-arguments: You cannot post [insert obviously bad thing], just like a minority that showed up to work incapable of performing the job is not protected. However, since this is topical, your attempt to create a bad situation where the line would be drawn somewhere else is irrelevant.

  • PIFTS.EXE (Score:2, Interesting)

    by doug520 ( 1496573 ) on Tuesday March 10, 2009 @05:51PM (#27141571)
    What I don't understand is that I got the PIFTS.EXE warning from McAfee, not Norton. I originally had an OEM Norton installation on my notebook PC, but immediately removed it, months ago, as our corporate standard is McAfee. But it seems that the removal was far from complete; on closer examination there's still a Norton process and service running, and apparently these triggered an update and the subsequent McAfee alert. So my question is, what is a Norton process doing on my computer, when I ran the default uninstall routine and it terminated normally?
  • by capnkr ( 1153623 ) on Tuesday March 10, 2009 @09:05PM (#27143925)

    Reading the various forums and comments, I also noticed that there were/are several people who have checked their logs and seen that the 'pifts.exe' file was uploaded to their system several days prior to the "3 hour window" in which the patch was distributed/activated last night (this info is according to the Symantec spokesperson official statements I have seen so far).

    It is obvious that Symantec really fumbled the ball, PR-wise. Yet even as they have picked it back up, their statements on what happened do not seem cohesive with the experiences of people that I've read in many different places. I still feel "It will be interesting to see what this story turns out to be all about.", because I don't think that the full truth about this has come out. Too many inconsistencies...
