Norton Users Worried By PIFTS.exe, Stonewalling By Symantec 685
An anonymous reader writes that "[Monday] evening, on systems with Norton Internet Protection running, users began to see a popup warning about an executable named PIFTS.exe trying to access the internet. The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder. There were several posts about this to the Norton customer forums asking for help or information on this mysterious program. The initial thread received several thousand views and several pages of replies in a few short hours before being deleted. Several subsequent posts to the Norton forum were deleted much more quickly. These actions — whether actively covering up, or simply not well thought through — have spurred people to begin crafting conspiracy theories about the purposes of this PIFTS program. I for one am blocking the program until more information becomes available." The current top link on Google for "PIFTS.exe" links to one of these deleted questions on Norton's support boards, which sounds innocent enough: "I searched this forum but did not see PIFTS.exe. Any idea what this is?"
Rootkit? (Score:5, Interesting)
An application that exists in a folder not accessible by the underlying operating system? Sounds suspiciously like a rootkit to me. If so, then man, am I glad I gave up Norton years ago! I mean seriously, what is so hard to understand about the concept that hiding things like directories is a security risk? Have we learned nothing from Sony's stupidity?
Oh yeah, it's Norton (aka Symantec) we're talking about here. I guess not.
Probably just some anonymous report sender (Score:5, Interesting)
Many default with the "Do not ask again" option checked, so once you click through...
(* however anonymous "anonymous" means. Just because they give you a button to look at the contents of the report doesn't means they showed you the headers or all of the data.)
James Bamford, you've let us all down... (Score:2, Interesting)
How come you didn't mention the NSA's backdoor into NAV?
For shame, sir, for shame.
lulz (Score:4, Interesting)
Auto-update sent out a virus? (Score:5, Interesting)
Reading TFA, the author noted a lot of padding in the suspect executable, presumably to have it match the filesize of something it's pretending to be.
The author then suggests with the rapid proliferation and Norton's screwy coverup in their forums, that the auto-updater may have sent out a virus/rootkit.
Perhaps Norton thought they could send out a patch to clean it up before anyone found out?
Re:use a better os (Score:1, Interesting)
Nope. They can get malware. The difference is that an exploit doesn't need to take off in the wild for Linux to patch it, which is more than you can say for Microsoft.
I'm amazed at the kool-aid Microsoft has customers believing -- that it is actually a third party's responsibility to protect them from Microsoft's shoddy code.
Good riddance Norton (Score:5, Interesting)
Sorry if this comes across as rather elitist, but the all-encumbering anti-virus packages these days just seem so out of date. Norton has always sold itself on the basis it has every possible corner and hole of Windows plugged, checked, double-checked and clamped shut (that is...until your subscription ran out anyway)
Up until a few years ago, I would have really wanted that assurance...like there was a big Daddy Norton with a big fuck-off gun vigilantly checking all entrances; verifying all in & out; assuming guilt until proven innocent.
Thing is, as much as people here may dislike Vista, one thing I think no one will deny is that it's a version of Windows far more capable of taking care of itself; the effect being that AV really doesn't need to be the relentless and fearsome bouncer it was.
Gone are the days when you could "just write in the system32 dir" etc; nay, even programs not rubber-stamped with a certificate that don't need root access will raise an eyebrow in the shell in Vista/W7.
My point is, AV now is nothing more than a "These programs are bad" list. The leaky sieve that was Windows past is diminishing every, and heavy security like Norton is becoming less and less relevant (thank god)...and they know it. Good riddance I say.
They would not answer my (a customer) question. (Score:5, Interesting)
pifts is "invalid content" on the forums (Score:3, Interesting)
Tried to register at their forums with login 'pifts and got this:
Way to go Norton! We may have to rename Streisand effect to Norton effect pretty soon...
Re:law enforcement back door (Score:5, Interesting)
Or smarter... If they were forced to put the backdoor in, then gagged by the court, maybe one of the programmers "accidentally" made a mistake so that the existence was indirectly revealed.
Re:Do ** NOT ** search Google for pifts.exe !! (Score:3, Interesting)
Perhaps this is why pifts.exe is being bandied about. It's a perfect way to get people to get to sites that will infect them with a virus by using search engines to point the way.
Re:PIFTS.asm (sorry for the bad formatting) (Score:4, Interesting)
34308: SWC00413C88__PIF__B8E1DD85_8582_4c61_B58F_2F:
34309: unicode '\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}',0000h
--
34370: SWC00413E78__60333AE5_B66E_4994_B15C_CA2D665:
34371: unicode '{60333AE5-B66E-4994-B15C-CA2D665CDC89}',0000h
--
34373: SWC00413EC8_systemState:
34374: unicode 'systemState',0000h
34375: SWC00413EE0_SOFTWARE_Symantec_PIF__B8E1DD85_:
34376: unicode 'SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine',0000h
--
34430: SWC00413FA0_http___stats_norton_com_n_p_modu:
34431: unicode 'http://stats.norton.com/n/p?module=2667',0000h (this looks very interesting!)
so what alternatives do we have? (Score:3, Interesting)
For those of us who have systems with patient study data, this is a Big Fucking Deal. Luckily, we have firewalls involved, but still...
Strings in PIFTS.exe (Score:5, Interesting)
Here's a dump of strings found in the pifts.exe on pastebin:
http://pastebin.com/m1e207a78
Interesting padding buffer right at the end? Spoofed length or just room to grow some internal resource?
An effort underway (Score:5, Interesting)
Re:use a better os (Score:2, Interesting)
Windows Users Beware... (Score:5, Interesting)
As of this writing, if you do a Google search for "PIFTS.exe" (like was noted in the above summary), the first several links will take you to compromised/attack vector sites.
Did /. just get social engineered?
(Yes, Offtopic to the posts above, but maybe this will have kept someone from getting a nasty surprise...)
Re:law enforcement back door (Score:3, Interesting)
Re:Windows Users Beware... (Score:3, Interesting)
Re:use a better os (Score:2, Interesting)
Actually malware compatibility helps Microsoft sales. Around 80% of Windows sales are new PC's with Windows pre-installed. If Windows was properly secure and stable it wouldn't get hosed within 6 months and need wiping / reinstalling. Many people don't know how to do this so they either pay to get their Windows fixed, or assume they need a new PC.
On the "use another OS" point, I already do.....and I feel left out that I won't be able to experience this latest suspicious .exe. Sometimes I miss that fun.
Given the way Norton are running around trying to silence the reports I'd guess it is something they hoped they could slip in and nobody would notice, which in itself is a dodgy position for a company who's entire business is based on "trust us to protect your interests from dodgy .exe files". As a company who rely on the internet for customers (no internet? vastly reduced flow of malware) they really should know better than to assume they can silence a story like this by putting lots of staff on "deleting forum posts and replies" duty. Bloggers and sites like this one will be all over it, and like anything else, trying to cover it up will make you guilty to many observers who don't read the details or updates to the story.
Perhaps Norton have fallen for their own ego and have started to make assumptions on what they can get away with. How many people install Norton by choice? I'd bet most of their customers are new PC owners with shareware Norton which tells them after a while to "pay up or remove", and they don't know there are alternatives, let alone better and cheaper / free alternatives. Like AOL they'll have a high customer turnover as people gradually realize how bad their product is, and find (or be recommended) an alternative one. As long as there are plenty new chumps who are new to computers they will have new revenue to replace the disillusioned. When that starts to dry up, Norton are gonna be fucked, not unlike AOL.
Re:Windows Users Beware... (Score:5, Interesting)
That does seem to be the case.
Maybe not just Slashdot, but the whole intertubes is getting socially engineered... ;)
1) Crack the NAV update process, inject a timed release 'pifts.exe'.
2) At the appointed time, firewall alerts get users to start massive concurrent searches on 'pifts.exe', and while Norton tries to figure out WTF is going on, they make the deadly mistake of censoring their forums to disguise their bafflement, which creates huge internets buzz on various security and tech related sites like here and Digg and ZA.
3) Have your malware sites primed and ready to go, optimized for the expected Google results, creating a nice giant influx of "new users" for your botnets.
4) Profit!!!
Okay, just joking... Possible, but highly unlikely. It will be interesting to see what this story turns out to be all about. :)
Re:Rootkit? Nice timing (Score:3, Interesting)
Nod32 still borks the TCP stack by default, so I avoid that (what the hell it's even doing hooking into it is beyond me).
Avast is pretty good... you can switch the nag screen off.
Re:Windows Users Beware... (Score:5, Interesting)
"Censorship" is done by governments
Censorship is done by people who censor, and has nothing to do with government at all. The only connection it has to government is the prevailing belief that it's "bad" when government does it and "ok" when anyone else does it.
Re:Rootkit? (Score:3, Interesting)
And as well they should be. Don't confuse OS security systems with DRM. Although their methods can be similar, the primary difference between them is control. With a system like SELinux, the user (or admin) controls what is allowed and what is not on their systems. I *want* the fine-grained ability to control what goes on in my software environment, but I don't want a faceless company holding all of the keys and telling me what I can and cannot do with the hardware (and software) that I rightfully possess the license to use.
Not to go all RMS, but until Microsoft and/or Symantec open source the entirety of their code, any security system that they introduce to their products cannot be trusted as it cannot be verified as secure by the people who want to use it.
Oh please.... (Score:3, Interesting)
FUD at it's best! This is what you get when your primary news source is 4chan.
The file is rather obviously (look at the strings/modules) a small update to the Symantec PIF Alert Engine. See PIFSvc.exe and PifEng.dll (which have been there for a while) for more information. From what I can tell, and I'm not a Symantec user, this is the part of the LiveUpdate componant, even if it wasn't binary analysis shows nothing untoward.
The real WTF is why are Norton deleting supports requests en-masse rather than simply sending out a press release.
Re:Norton starting to respond? (Score:3, Interesting)
The News Within The Non-News (Score:5, Interesting)
When I first saw this here, the first place I looked for additional information was the Internet Storm Center [sans.org], where they eat this kind of stuff up. And sure enough, they even had a call from someone at Symantec saying that yes, this one is theirs.
Conspiracy theory or no (and it's looking more like no), there are two things that rescue this from dullsville:
In the comments on that SANS article, it's mentioned that yes, Symantec is deleting comments left and right, and meanwhile the talk is slowly wending its way onto the ZoneAlarm forums, which just goes to show that one man's misstep is another man's opportunity. And...
While the story behind the PIFTS file itself isn't terribly interesting, some unsavory rapscallion had noticed its popularity as a search term, and planted malware where people looking for information on it could stumble upon it. Fun stuff, eh? Look for malware information, and find it the hard way.
Google has already removed that link, but it might still be out there, just in case you use a different search engine. And there's no reason he/they won't try again on another site.
Re:Windows Users Beware... (Score:5, Interesting)
Re:Windows Users Beware... (Score:1, Interesting)
Please post a copy to mediafire. I for one would like to take a look at it.
Thanks.
Re:Windows Users Beware... (Score:3, Interesting)
To the degree that Norton does not exist except as a legal construct by state and federal law, I would claim that corporations inherit similar obligations as the government. Examples abound-- they cannot refuse to sell you products or hire you because of race or gender. They don't have to invent jobs, but they do have to be fair about giving them out. Similarly, they don't have to create a forum, but they have* to be fair in letting people post there.
*Not under current law, but under how the law should be written.
To preempt strawmen counter-arguments: You cannot post [insert obviously bad thing], just like a minority that showed up to work incapable of performing the job is not protected. However, since this is topical, your attempt to create a bad situation where the line would be drawn somewhere else is irrelevent.
PIFTS.EXE (Score:2, Interesting)
Re:Windows Users Beware... (Score:4, Interesting)
Reading the various forums and comments, I also noticed that there were/are several people who have checked their logs and seen that the 'pifts.exe' file was uploaded to their system several days prior to the "3 hour window" in which the patch was distributed/activated last night (this info is according to the Symantec spokesperson official statements I have seen so far).
It is obvious that Symantec really fumbled the ball, PR-wise. Yet even as they have picked it back up, their statements on what happened do not seem cohesive with the experiences of people that I've read in many different places. I still feel "It will be interesting to see what this story turns out to be all about.", because I don't think that the full truth about this has come out. Too many inconsistencies...