
SANS ISC: InfoSec Handlers Diary Blog - conspiracy fodder: pifts.exe



conspiracy fodder: pifts.exe

Published: 2009-03-10
Last Updated: 2009-03-10 21:42:42 UTC
by Swa Frantzen (Version: 4)
7 comment(s)

Several readers wrote in with samples of a file PIFTS.exe that seems to be related to a Norton update and gets flagged for its behavior.

The file has been confirmed to call home to stats.norton.com.

The truly bizarre part is the reports that Norton's support forums are wiping questions about pifts.exe:

  • See this Google search for "site:community.norton.com pifts.exe":

    (screenshot: Google results)

  • None of them are cached, but they clearly have been indexed and have since been deleted:

    (screenshot: deleted pifts text at the Norton forum)

This is of course exactly what any conspiracy theorist needs to lower trust in the products.

We're trying to reach our contacts at Symantec for an explanation, and will update if and when we get a response.

UPDATE:

I just had a phone call from a Symantec employee confirming the program is theirs, part of the update process and not intended to do harm; more to follow, stay tuned.

WARNING:

We've been sent an example of a web page targeting the term "PIFTS.exe", along with other popular search terms, that leads to obfuscated JavaScript, which in turn leads to actual malware.

Take care if you search for this: you might find the bad guys out there taking advantage of our interest in PIFTS.exe already.

At the time of writing, the page we were notified about was not (or no longer?) indexed in Google, but YMMV.

UPDATE:

From interactions with Symantec staff and the public post, it's safe to conclude the intention of PIFTS.exe was to gauge the impact of upgrading old versions of the software (some dating as far back as 2006 and 2007).

Of course there are lessons to learn from this, even if you were unaffected. But also ask whether you would do better yourself when faced with it. Responding to such incidents isn't easy: in hindsight it's easy, on the spot it is much harder.

I'd like to thank the Symantec contacts who did respond to my inquiries in a time of crisis for them. So thanks!

--
Swa Frantzen -- Section 66
