
Norton Users Worried By PIFTS.exe, Stonewalling By Symantec

Posted by timothy
from the and-nobody-saw-me dept.
An anonymous reader writes that "[Monday] evening, on systems with Norton Internet Protection running, users began to see a popup warning about an executable named PIFTS.exe trying to access the internet. The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder. There were several posts about this to the Norton customer forums asking for help or information on this mysterious program. The initial thread received several thousand views and several pages of replies in a few short hours before being deleted. Several subsequent posts to the Norton forum were deleted much more quickly. These actions — whether actively covering up, or simply not well thought through — have spurred people to begin crafting conspiracy theories about the purposes of this PIFTS program. I for one am blocking the program until more information becomes available." The current top link on Google for "PIFTS.exe" links to one of these deleted questions on Norton's support boards, which sounds innocent enough: "I searched this forum but did not see PIFTS.exe. Any idea what this is?"
  • Rootkit? (Score:5, Interesting)

    by KingSkippus (799657) * on Tuesday March 10, 2009 @09:42AM (#27133687) Homepage Journal

    The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder.

    An application that exists in a folder not accessible by the underlying operating system? Sounds suspiciously like a rootkit to me. If so, then man, am I glad I gave up Norton years ago! I mean seriously, what is so hard to understand about the concept that hiding things like directories is a security risk? Have we learned nothing from Sony's stupidity?

    Oh yeah, it's Norton (aka Symantec) we're talking about here. I guess not.

    • Re:Rootkit? (Score:5, Funny)

      by fuzzyfuzzyfungus (1223518) on Tuesday March 10, 2009 @09:57AM (#27133895) Journal
      Didn't you know? In order to reduce the cost of Norton subscriptions, every Norton install now runs a clandestine side business in gun-running and coke smuggling...
      • Re: (Score:3, Informative)

        by Miseph (979059)

        If that really were the answer I could almost respect it... I mean really, it works pretty well for the CIA.

        • Re:Rootkit? (Score:4, Insightful)

          by JWSmythe (446288) <jwsmythe@@@jwsmythe...com> on Tuesday March 10, 2009 @11:18AM (#27135057) Homepage Journal

              Oh, that would be hilarious ... if it wasn't true.

              People never quite understand that the government has the most to gain by making things illegal. Not only do they get fines and other penalties from those who are in that industry, but it allows them to keep the market value overinflated and they can squeeze out any other big players by simply leaking information on them to local law enforcement or other federal agencies.

              There's nothing like having a C130 loaded with guns or drugs (or both), and simply saying "You don't see this plane. It was never here." You only hear about the ones where the planes have crashed inconveniently in the wrong place, and the site wasn't able to be isolated before the news leaked.

              Really, it does give some control, and an acceptable covert budget. Things are going to be smuggled in anyways, why can't the gov't make a profit on it? :)

              Excuse me. There's a black van outside, and some nice man knocking on my door.

              Hello?

              [thud]

    • Re:Rootkit? (Score:5, Insightful)

      by hAckz0r (989977) on Tuesday March 10, 2009 @10:09AM (#27134059)
      If it is a rootkit, having it evade a well-known commercial virus scanner would be no real surprise. Most are still using signatures for finding sequences of *known* code, and a rootkit can pretty much lie and tell the virus scanner anything it wants as far as any bits of memory on the computer, code or data. Signatures are a failure, and any virus scanner that doesn't give that up and move on to a heuristic approach is doomed to failure too. Covering up the fact that you don't know what bits of code to look for is about all they can do right now. In a couple days they might get a copy of it, run it through IDA Pro, generate a signature, and finally push it out to all the infected PCs on the Internet. It's really a sad paradigm. The only sure-fire way is to have OS integrity itself be self-verifying, but too many people are afraid of losing control over their system to some type of DRM'ed OS. Or in having system failures that can't even be patched or changed due to draconian measures internal to the OS. There is a middle ground but so far no one is going there. This should be built in, not an add-on aftermarket chewing gum and baling wire solution like virus scanners are. Time for Microsoft and/or Symantec to buy a clue. Rootkit or not, Symantec needs to get their act together.
    • Re:Rootkit? (Score:5, Informative)

      by Henk Poley (308046) on Tuesday March 10, 2009 @10:26AM (#27134309) Homepage

      Somebody traced the execution, and linked it here:

      http://www.reddit.com/r/reddit.com/comments/83hjr/symantec_covering_up_the_piftsexe_file_and/c0857t5 [reddit.com]

      Furthermore 4chan's /b/ seems to have a field day with this. Norton discussion boards appear very slow.

    • Re:Rootkit? (Score:4, Insightful)

      by mcgrew (92797) on Tuesday March 10, 2009 @12:18PM (#27136171) Homepage Journal

      Have we learned nothing from Sony's stupidity?

      They never went bankrupt or even suffered a financial loss. Nobody got fired for it, nobody went to jail for it, so I'd say they did learn from XCP.

      They learned that placing rootkits on ordinary peoples' computers has no consequences whatever. Why not do it, particularly if you lack ethics or morals?

    • Re:Rootkit? (Score:5, Insightful)

      by HermMunster (972336) on Tuesday March 10, 2009 @01:06PM (#27136867)

      Peter Norton came from the mainframe world and created useful utilities for the end user of PCs and compatibles. He was a solid programmer and created a solid company. Symantec purchased him and his competition. We no longer have utilities designed by these companies.

      Instead we have a company using his name. That's it. There really is no Norton any more. It's barely even a brand.

      I tell people that when comparing the free antivirus utilities vs. the paid take the free, as long as they are of reputable means. The reason is that the antivirus side of things is pretty straightforward. Free does a very good job these days, and no matter how you look at it you always need a complement of utilities anyway (e.g., Spybot S&D 1.6.2, Ad-Aware 2008 (the latest version is unstable), Windows Defender, and AV such as AVG 8).

      The paid commercial product has to compete with these free competent products (and I should know I use them to clean computers every day). When the paid commercial products are released they are full of bloat and attempt to integrate themselves so deeply into the OS, so much so that they become the cure worse than the disease.

      Not only that the commercial products have tended over time to make customers paranoid. They need to in order to keep them purchasing their products. A realistic schedule for scanning, once you know your system is clean, along with continued updates for the OS, is all you need--you can be certain you don't need a paranoid schedule such as every day, every week or even every two weeks.

      The flip side is that if you get so relaxed about your security you won't do it at all.

      Stay away from Norton and McAfee. They are bulky, they are paranoid about their own customers constantly requiring verification of subscription just to get updates (McAfee anyone?).

      Stay away from the gimmick. Do you need that toolbar? The 3rd or 4th one in your IE, or even FF? If you don't understand what the toolbars are doing you shouldn't be installing them. What are they doing? They want you to log in, just like Google and Yahoo. They want to track you and your web pages for targeted ads. I'm not saying that Google and Yahoo are gimmick software used to bait you to install malware, but I am saying that there are plenty of them that do and they are taking their directions from the likes of Google and Yahoo. The more toolbars you have the more search engine choices you install. Choose one and stick to it. Stay away from anything that's a gimmick because it is bound to get you in trouble. Windows itself never pops up a dialog box saying to buy this or that software product. Those are fake. Downloading codecs from an innocent site can also get you in trouble and you should set your system to ensure that you don't automatically download codecs.

      The bottom line is that commercial software is bloated and creates paranoia, and for good reason--they die as a company if you don't resubscribe. The free products do just as good a job as the commercial. And you can't get away with just one product to defend your system anyway. It takes a complement of them. Stay away from the gimmick. Uninstall your extraneous toolbars (or all of them for that matter). Your web browser is to browse pages not to be served ads or to be tracked by a product that you don't know is tracking you.

  • by internerdj (1319281) on Tuesday March 10, 2009 @09:45AM (#27133723)
    We are here to protect you. You can trust us.
  • by Vandil X (636030) on Tuesday March 10, 2009 @09:46AM (#27133733)
    It's so easy for users to click through the installer or post-install pop-up window asking if you'd like to send anonymous* diagnostic info to the vendor to allow them to improve the quality of the product with future software updates based on the data.

    Many default with the "Do not ask again" option checked, so once you click through...

    (* however anonymous "anonymous" means. Just because they give you a button to look at the contents of the report doesn't mean they showed you the headers or all of the data.)
  • use a better os (Score:3, Insightful)

    by yossarianuk (1402187) on Tuesday March 10, 2009 @09:47AM (#27133745)
    you could always use a system where you don't need norton.
    • Re:use a better os (Score:5, Insightful)

      by SatanicPuppy (611928) * <`moc.liamg' `ta' `yppupcinataS'> on Tuesday March 10, 2009 @10:08AM (#27134039) Journal

      You should run a virus scanner, just to keep from accidentally forwarding viral crap to other people. Infected files and attachments, etc. And assuming you're safe is equally foolish. I run plenty of security software on my linux boxes.

      Norton, however, is a turd. Anyone who runs Norton gets what they deserve. It's like a parasite that eats cycles for no reason, and cannot be removed without killing the host.

      • Re: (Score:3, Funny)

        >>>Norton is a turd....It's like a parasite that eats cycles for no reason

        I have McAfee on my new laptop. Is that any better, or should I remove it immediately? Why or why not?

      • Re: (Score:3, Insightful)

        by jambarama (784670)
        On the other hand, I think Symantec Corporate is pretty decent A/V. When I got it free in grad school I was pretty happy with it anyway - in my experience it doesn't eat many CPU cycles, it has a low false rate, and lots of nice command line executables & options. According to the AV tests I've seen, it has a reasonable detection rate, not Kaspersky good, but a lot better than most alternatives (surprisingly - much better than Norton).
        • Re: (Score:3, Informative)

          by rabbit994 (686936)

          No, Symantec Endpoint Protection is just as crappy. It's not Norton level of shit but it's there. It still likes to eat CPU cycles for no reason and randomly crash. Also, as added feature, it marks many Windows Network tools like Angry IP Scanner, Blues Port Scanner and Ethereal as "Hacking tools" or other such garbage. Makes diagnosing problems with users' PCs quite entertaining as I get to box with Virus Scanner on top of everything else.

  • by Anonymous Coward on Tuesday March 10, 2009 @09:50AM (#27133779)

    Let's begin the conspiracy theories:

    • Unlikely: They accidentally included a virus in an update. Maybe a virus that got out of control in their labs. Maybe a virus that some 1337z h4x0rz snuck into their system. But as I said, unlikely.
    • Unlikelier still: This program is a legitimate part of their product, but by mistake they included its signature in their database, or a signature of something else that has a hash collision with this program's hash.
    • Extremely unlikely: This is a top secret government program used to figure out who is NOT a national security threat, in order to expend trillions in government resources in doing all sorts of clandestine operations to collect terabytes of data on each of those individuals (again, the ones who have been determined as NON-threats). The ones who have been determined as threats will be placed into an "ignore" database, as collecting any information on those individuals might offend them and is therefore undesirable.
  • by CopaceticOpus (965603) on Tuesday March 10, 2009 @09:51AM (#27133789)

    Ping Internet For Time on Slashdot?

  • by Anonymous Coward on Tuesday March 10, 2009 @09:51AM (#27133795)
    Don't worry about it. It's just the Privacy Invader From Team Symantec.
  • lulz (Score:4, Interesting)

    by kunwon1 (795332) * <dave.j.moore@gmail.com> on Tuesday March 10, 2009 @09:54AM (#27133833) Homepage
    I posted a link to this slashdot article in the norton forums and it had close to 500 views in the 4 minutes that it existed. owned.
  • by ukyoCE (106879) on Tuesday March 10, 2009 @09:55AM (#27133861) Journal

    Reading TFA, the author noted a lot of padding in the suspect executable, presumably to have it match the filesize of something it's pretending to be.

    The author then suggests with the rapid proliferation and Norton's screwy coverup in their forums, that the auto-updater may have sent out a virus/rootkit.

    Perhaps Norton thought they could send out a patch to clean it up before anyone found out?

  • by oztiks (921504) on Tuesday March 10, 2009 @09:55AM (#27133863)

    P = Purposely
    I = Introduced
    F = File
    T = Thieving
    S = System

  • They used to get it. (Score:5, Informative)

    by rashanon (910380) on Tuesday March 10, 2009 @10:04AM (#27133979)
    A long time ago I used to recommend Norton products. About 2002 / 03 you needed to use a special tool to remove their products in case they failed to operate. That was the point that hidden files kept screwing you up all the time. And they have looked back from that philosophy. I used to do a local radio show, and the phone calls were always "How do I fix this damn thing?" Years of bad practices tell us one thing most of all. Stop using any norton product. They will never listen until they take a giant hit to their revenue. Maybe if they return to making real software, instead of spending all this time creating just another update cycle for a revenue stream, they will not change. Your time has a lot of value. Stop wasting it. Dump Norton.
  • by AftanGustur (7715) on Tuesday March 10, 2009 @10:05AM (#27133993) Homepage
    Two top Google results are to sites which will try to infect your PC with malware.

    The first one links to a blank page which will redirect in about 20 seconds to a malware site.

    The second one is immediately flagged by Firefox as being a "Reported attack site".

    This slashdot article is possibly an attack on the /. community.

  • Good riddance Norton (Score:5, Interesting)

    by Toreo asesino (951231) on Tuesday March 10, 2009 @10:06AM (#27134013) Journal

    Sorry if this comes across as rather elitist, but the all-encumbering anti-virus packages these days just seem so out of date. Norton has always sold itself on the basis it has every possible corner and hole of Windows plugged, checked, double-checked and clamped shut (that is...until your subscription ran out anyway)

    Up until a few years ago, I would have really wanted that assurance...like there was a big Daddy Norton with a big fuck-off gun vigilantly checking all entrances; verifying all in & out; assuming guilt until proven innocent.

    Thing is, as much as people here may dislike Vista, one thing I think no one will deny is that it's a version of Windows far more capable of taking care of itself; the effect being that AV really doesn't need to be the relentless and fearsome bouncer it was.
    Gone are the days when you could "just write in the system32 dir" etc; nay, even programs not rubber-stamped with a certificate that don't need root access will raise an eyebrow in the shell in Vista/W7.

    My point is, AV now is nothing more than a "These programs are bad" list. The leaky sieve that was Windows past is diminishing every, and heavy security like Norton is becoming less and less relevant (thank god)...and they know it. Good riddance I say.

  • by odeean (1496183) on Tuesday March 10, 2009 @10:09AM (#27134055)
    I posted the following question on symantec's forum and it was deleted within 2 minutes: This afternoon for no apparent reason my computer launched a file under C:\documents and settings\all users\application data\symantec\liveupdate\downloads\Updt56\pifts.exe this exe then tried to connect to do a dns lookup. It seemed suspicious because if it was really part of my symantec product then why was it not recommended to allow this connection. I blocked the request then tried to delete the file but access was denied, I couldn't even open it in notepad to see what's inside. I restarted my computer and checked the location again but the directory was gone. Is this file a part of norton internet security or am I being attacked? Does symantec have any advice on this file as it seems to belong to symantec's product? That was not offensive and I have an official product, not some pirated copy. I deserve an answer because it's my pc their program is running on.
    • by Gazzonyx (982402) on Tuesday March 10, 2009 @11:21AM (#27135099)
      Make a .job (scheduled command) to open your command prompt a minute from the time you create it. After it opens, crash explorer.exe and then restart it from the command prompt; you're now logged in as System. You should have access to that file. You can access everything as System. Does this work for you? Either that or boot a live CD and run 'strings' over the file... anything interesting there?
  • by Anonymous Coward on Tuesday March 10, 2009 @10:10AM (#27134065)

    Tried to register at their forums with login 'pifts' and got this:

    "That login contains invalid content. Please choose a different login that does not contain 'pifts'."

    Way to go Norton! We may have to rename Streisand effect to Norton effect pretty soon...

  • by Ice Tiger (10883) on Tuesday March 10, 2009 @10:11AM (#27134075)

    PIFTS is the sound of their market share with the excellent way they are treating their customers.

    I know I would be removing this from my machines.

  • PIFTS.asm download (Score:4, Informative)

    by MortenMW (968289) on Tuesday March 10, 2009 @10:25AM (#27134303)
    PIFTS.asm can be downloaded here: http://www.mytting-ikt.no/PIFTS.asm [mytting-ikt.no]
  • Strings in PIFTS.exe (Score:5, Interesting)

    by Elphin (7066) on Tuesday March 10, 2009 @10:26AM (#27134315) Homepage

    Here's a dump of strings found in the pifts.exe on pastebin:

    http://pastebin.com/m1e207a78

    Interesting padding buffer right at the end? Spoofed length or just room to grow some internal resource?

    • by vadim_t (324782) on Tuesday March 10, 2009 @10:58AM (#27134763) Homepage

      Some interesting things in there:

      Software\Symantec\InstalledApps
      \PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}
      Norton Internet Security
      SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine
      SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\HbEngine

      This seems to point to that at the very least it's not some random virus that managed to sneak into the installer, it's either an actual Norton program that does something fishy Norton doesn't want to admit, or a Norton program that got infected with something. I wonder what's in those registry keys.

      http://stats.norton.com/n/p?module=2667

      Interesting, it reports stats to Norton somewhere, perhaps?

      &product=%s&version=%s
      &e=%d.%d.%d.%d
      &e=-1
      &f=%d.%d.%d.%d
      &f=-1
      &g=%d
      &g=-1
      &h=%d
      &h=-1
      &i=1
      &i=0
      &j=%s

      This seems to pretty clearly point to that a URL for a GET request is created for some purpose.

      PifEng.dll

      So there's a .DLL too, did anybody post that one?

      %s %d-%d-%d %dh%dm%ds.log

      There may be a .log file somewhere, named with a timestamp

      The ping url is %s

      Something that might appear in the log file, perhaps? What is it pinging, and why?

      d:\perforce\entiredepot\consumer_crt\patchtools\patch021809db\release\PIFTS.pdb

      Looks like a path from the development computer that accidentally got into the binary. Names unfortunately don't seem to explain anything though.

      • by vadim_t (324782) on Tuesday March 10, 2009 @11:20AM (#27135083) Homepage

        Replying to myself,

        On reddit [reddit.com] there's a link to a decompiled version [mediafire.com].

        It seems to do pretty much what I guessed. However, there are various function calls scattered through the code, like "sub_4022C0();", which aren't in the decompiled code, and probably come from a DLL.

        So it looks like the .exe itself is just WinMain that calls the functions that do the real work, reports stats and does some logging. Whatever it actually does seems to be elsewhere.

    • by Excors (807434) on Tuesday March 10, 2009 @11:23AM (#27135135)
      The PADDINGXXPADDING is just a standard artifact of the Visual C++ build process - there's a manifest XML string that's added to the .exe (for 'side-by-side' DLL dependency handling), and padding is added for some internal alignment requirements. (This article [codeproject.com] says the UpdateResource API is what adds that string). So it's nothing unusual or suspicious.
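    An added triage helper (my own code, not anything from the thread, the pastebin dump or Symantec) that sorts a strings dump like the one vadim_t walks through into buckets, pulling out the call-home hosts, registry keys, GUIDs, PDB path and log-name pattern, and flagging the PADDINGXX filler Excors explains as a build artifact so it is not mistaken for a hidden payload. The sample dump below is constructed from the strings quoted in this thread, not the real file.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the strings quoted in the thread (registry
# keys, the stats URL, query fragments, a log-name pattern, the PDB path and
# the linker padding). It is not the real pastebin dump.
SAMPLE_STRINGS = r"""
!This program cannot be run in DOS mode.
Software\Symantec\InstalledApps
SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine
SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\HbEngine
http://stats.norton.com/n/p?module=2667
&product=%s&version=%s
&e=%d.%d.%d.%d
&e=-1
%s %d-%d-%d %dh%dm%ds.log
The ping url is %s
PifEng.dll
d:\perforce\entiredepot\consumer_crt\patchtools\patch021809db\release\PIFTS.pdb
PADDINGXXPADDINGPADDINGXXPADDING
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Ordered rules: the first pattern that matches decides the bucket, so the
# query fragments (which also contain %s/%d) are tested before the generic
# printf-style check.
RULES = [
    ("url", re.compile(r"^https?://", re.I)),
    ("pdb_path", re.compile(r"\.pdb$", re.I)),
    ("registry_key", re.compile(r"^(?:HKEY_[A-Z_]+\\)?SOFTWARE\\", re.I)),
    ("query_fragment", re.compile(r"^&[A-Za-z0-9_]+=")),
    ("format_string", re.compile(r"%[sd]")),
    ("dll_name", re.compile(r"\.dll$", re.I)),
    # "PADDINGXXPADDING" is the Visual C++ manifest-resource alignment filler
    # Excors describes; flag it so it is not mistaken for a hidden payload.
    ("build_padding", re.compile(r"^(?:PADDING(?:XX)?)+$")),
    ("pe_stub", re.compile(r"cannot be run in DOS mode")),
]


def classify(line):
    """Return the bucket name for one printable string."""
    for name, pattern in RULES:
        if pattern.search(line):
            return name
    return "other"


def triage(dump):
    """Group every non-empty line of a strings dump by bucket."""
    buckets = defaultdict(list)
    for line in dump.splitlines():
        line = line.strip()
        if line:
            buckets[classify(line)].append(line)
    return dict(buckets)


def extract_hosts(dump):
    """Hostnames from URL strings: the candidate call-home endpoints."""
    hosts = set()
    for line in dump.splitlines():
        m = re.match(r"https?://([^/\s:]+)", line.strip(), re.I)
        if m:
            hosts.add(m.group(1).lower())
    return sorted(hosts)


def summarize(dump):
    """The handful of facts an analyst wants before deciding what to look at next."""
    buckets = triage(dump)
    return {
        "hosts": extract_hosts(dump),
        "guids": sorted(set(GUID_RE.findall(dump))),
        "registry_keys": buckets.get("registry_key", []),
        "pdb_paths": buckets.get("pdb_path", []),
        "dlls": buckets.get("dll_name", []),
        "log_patterns": [s for s in buckets.get("format_string", []) if s.endswith(".log")],
        "has_build_padding": "build_padding" in buckets,
    }
```

    Run `summarize(SAMPLE_STRINGS)` to get the same indicators the thread reasons over (one stats host, one product GUID, three registry keys, a PDB path naming the patch build) in one dictionary; the only hosts it lists are those in plain URL strings, so a binary that builds its endpoint at runtime would show nothing here.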
  • An effort underway (Score:5, Interesting)

    by Zexarious (691024) <svarog@gmail.com> on Tuesday March 10, 2009 @10:26AM (#27134317)
    There is an effort underway here http://chrysler5thavenue.blogspot.com/ [blogspot.com] to figure out exactly what the purpose of this villainous little program is.. You can download it here http://www.mediafire.com/?mnmh35b9d0k [mediafire.com] (BUT DON'T RUN IT). Right now all the theories are tentative but we are leaning towards this being either symantec's cooperation with government on cyber spying, or a virus which was accidentally released after symantec themselves were infiltrated by middle eastern hackers (it calls home to north africa).
  • PIFTS (Score:5, Funny)

    by meist3r (1061628) on Tuesday March 10, 2009 @10:31AM (#27134383)
    Perfectly Innocent Firewall Testing System
  • ThreatExpert report (Score:4, Informative)

    by FreelanceWizard (889712) on Tuesday March 10, 2009 @11:04AM (#27134865) Homepage

    I've submitted the file to ThreatExpert, and the report is available here: http://www.threatexpert.com/report.aspx?md5=91b564d825a3487ae5b5fafe57260810 [threatexpert.com]

    It appears as if this is a statistical reporting tool, given the URLs to which it calls home. All in all, it seems reasonably innocuous -- even if Symantec's response to it is unnecessarily heavy-handed.

  • by Manip (656104) on Tuesday March 10, 2009 @11:07AM (#27134921)

    I have a copy of PIFTS.exe now and am examining it.

    Notes:
    1) It is small
    2) Internally it is a "patch tool" from patch "021809db"
    3) The Operating System function calls it makes are generally non-threatening
    4) It accesses the registry (Norton products) and does some kind of date based validation

    My guess is... It is an activation checker of some kind. It looks like it is pulling the registration information from the registry and checking it against file dates.

    It also seems to copy itself to the temp folder on execution although I'm not entirely sure as to why.

    • Re: (Score:3, Informative)

      by ukyoCE (106879)

      Mod this up. For all the hysterics, this sounds accurate from reading the Strings dump. The only real news story here may be Norton's inappropriate forum reaction.

      If this is indeed a "legitimate" patch tool, why not post that info on the forum, sticky it at the top, and refer to it when locking (instead of deleting) subsequent re-posts?

  • by s0litaire (1205168) * on Tuesday March 10, 2009 @11:12AM (#27134969)
    Just waiting for Norton to pop up and say.... "Dear Honorable Sir or madam I am writing to you from Norton Nigerias headquarters. Please advise you have been awarded Nortons prize fund of one million thousand dollers please enter your account details below to receive funds in due course."
  • by coldsalmon (946941) on Tuesday March 10, 2009 @11:37AM (#27135375)

    Symantec Caught in Norton Rootkit Flap

    "Symantec Corp. has admitted to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers..."

    http://www.eweek.com/c/a/Security/Symantec-Caught-in-Norton-Rootkit-Flap/ [eweek.com]

  • by vadim_t (324782) on Tuesday March 10, 2009 @12:51PM (#27136671) Homepage

    When you use proprietary software, you don't really know what's happening on your system.

    If somebody happened to notice a suspicious process on a Linux box, it'd have been the question of 15 minutes to figure out what package the file belongs to, get the source, take a look at it, and find out what it does and why it is there.

    Instead what we have here is a mess with some people coming up with conspiracy theories, Norton refusing to acknowledge the issue, and people trying to figure out what this thing does by looking at the output of strings without much success so far.

    Things are much easier when source is available.

  • by Crash Culligan (227354) on Tuesday March 10, 2009 @12:55PM (#27136723) Journal

    When I first saw this here, the first place I looked for additional information was the Internet Storm Center [sans.org], where they eat this kind of stuff up. And sure enough, they even had a call from someone at Symantec saying that yes, this one is theirs.

    Conspiracy theory or no (and it's looking more like no), there are two things that rescue this from dullsville:

    In the comments on that SANS article, it's mentioned that yes, Symantec is deleting comments left and right, and meanwhile the talk is slowly wending its way onto the ZoneAlarm forums, which just goes to show that one man's misstep is another man's opportunity. And...

    While the story behind the PIFTS file itself isn't terribly interesting, some unsavory rapscallion had noticed its popularity as a search term, and planted malware where people looking for information on it could stumble upon it. Fun stuff, eh? Look for malware information, and find it the hard way.

    Google has already removed that link, but it might still be out there, just in case you use a different search engine. And there's no reason he/they won't try again on another site.
