conspiracy fodder: pifts.exe

Published: 2009-03-10. Last Updated: 2009-03-10 21:42:42 UTC
by Swa Frantzen (Version: 4)
7 comment(s)

Several readers wrote in with samples of a file PIFTS.exe that seems to be related to a Norton update and gets flagged for its behavior.

The file has been confirmed to call home to stats.norton.com .

The truly bizarre are the mentions that the support forums of norton wipe questions about pifts.exe:

  • See this google search for "site:community.norton.com pifts.exe":

    google results

  • none of them are cached, but they clearly have been indexed and they have been deleted:
  • pifts deleted text at the norton forum

This is of course exactly what any conspiracy theorist needs to lower trust in the products.

We're trying to reach our contacts at Symantec for an explanation, and will update if and when we get a response.

UPDATE:

I just had a phone call from a Symantec employee confirming the program is theirs, part of the update process and not intended to do harm, more to follow, stay tuned.

WARNING:

We've been sent an example of a web page targeting the term "PIFTS.exe" along with other popular search terms that lead to obfuscated javascript that leads in turn to actual malware.

Take care if you search for this: you might find the bad guys out there taking advantage of our interest in PIFTS.exe already.

At the time of writing the page we were notified about was not (anymore?) indexed in google, but YMMV.

UPDATE:

From interactions with Symantec staff and the public post, it's safe to conclude the intention of PITFS.exe was to gauge impact on upgrading old versions of the software (even dating as far back as 2006 and 2007).

Of course there are lessons one can learn from it, even if you were unaffected, you can learn form it. But also ask if you'd do better yourself when you are faced with it. Responding to such incidents isn't easy. In hindsight it's easy, on the spot it is much harder.

I'd like to thank the Symatec contacts who did respond to my inquiries in a time of crisis for them. So thanks!

--
Swa Frantzen -- Section 66

7 comment(s)

Comments

There's much more to delete at:
http://community.norton.com/norton/board?board.id=nis_feedback
It's kind of depressing reading some of the forum posts popping up about this. In summary, there is snooping and profiling going on, IP addresses in Africa are being used and posts are being deleted and blah blah blah... Mass hysteria is well under way by the look of it.

That said, and this being the internet, I'm feeling a little left out that I don't really care about this - so can anyone advise on the best way to jump aboard this bandwagon please ? Should I be the first to threaten a class-action lawsuit, or perhaps I should make empty threats about de-installing Norton from every PC in the multi-national corporation I work for ? I'm confused, any advice welcome thanks.
VirusTotal shows no one detecting it and ThreatExpert shows it calling home.
http://www.virustotal.com/analisis/734465e30a6ee6d6c493471d77940f4c
http://www.threatexpert.com/report.aspx?md5=91b564d825a3487ae5b5fafe57260810
Why the secrecy Symantec?
Seems discussion moved over to ZoneAlarm forum.

http://forums.zonealarm.org/zonelabs/board/message?message.uid=443981#U443981
Hello everyone,

I’m one of the administrators for the Norton Community Forums. First off, I would like to apologize for the removal of legitimate posts, and delayed response in acknowledging the PIFTS.exe issue. While the reason for merging like-posts in to a single thread was not intended to silence the voices of the users, we do understand that it ended up causing a lot of suspicions about the topic. We are sorry for the confusion that we have caused, and have developed new strategies to ensure this doesn’t happen again.

We launched the beta of the Norton Community Forums in April 2008. We’ve been very transparent with many issues that have come up on the boards, and utilized this opportunity to have more open discussions with those who use our software. We have also been very lenient with posts. There are threads on the forums that are critical of our products and discuss non-Symantec scanning software recommended by other users, as well as other non-relevant 3rd party software. I'm not saying this to get a pat on the back, but to acknowledge that we encourage open and honest communication on our forums. We strive to be transparent and give our customers the best information as quickly as possible.

We’ve spent the past 2 days compiling all the information regarding PIFTS.exe and detailing what it does. We’ve also included information regarding the timeline of events that happened on the forums. To view this information, please visit this forum thread: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119

We also have a discussion thread for all things PIFTS.exe related at the following thread: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39123

Please read through the above two threads if you have any questions, as many questions have already been addressed (such as rumors that we sent personal information to our servers, rumors regarding sending information to Google, and other rumors that we were involved in a conspiracy or “cover up”).

We welcome you to join in on the discussion if you have any concerns that need to be addressed.

Again, we’re sorry for the mishap and all the confusion that this has caused.

Cheers,
Tim Lopez
Norton Forums Administrator
http://community.norton.com
Sorry for the lack of line breaks.

Diary Archives