Network News

X My Profile
View More Activity

Users Complain of Mysterious 'PIFTS' Warning

Computer support forums are lighting up with queries from users wondering what to do about an alert on whether to trust a file called "PIFTS.exe". Meanwhile, someone at Symantec's support forum seems to be deleting posts from users inquiring about this alert almost as soon as they go up on the forum.

Swa Frantzen, an incident handler with the SANS Internet Storm Center, writes today that PIFTS.exe appears to be related to a Norton update since it has a has a component in it that leverages the user's Internet connection to contact a Web page at norton.com, which is owned and operated by Symantec.

A Security Fix reader sent this e-mail today about his experience with this alert: "Symantec's response has been odd. It has removed all chat threads on the subject, and seems to be deleting questions about PIFTS.exe wherever they may be posted. In short, it is Symantec's response which has caused greater questions than the problem that it seems to be trying to cover up. I am no expert, and I simply went online to get an explanation. However, it now looks as though thousands of queries at the Norton chat forum were posted today and all have been deleted without comment."

Also, it appears that PIFTS.exe is being submitted quite a bit to VirusTotal.com, a free service that people can use to scan suspicious files against more than three dozen different anti-virus products. ThreatExpert also has a writeup that confirms that this file phones home to Symantec.

I've put in queries to Symantec, and will update this post when I hear back. In the meantime, it's probably safest just to deny this program access to the Internet if prompted by Norton or any other firewall product you use.

Update, 12:46 p.m. ET: The bad guys know that people are interested in this search term, and appear to have latched on to it already. I'd advise readers to be extremely careful about randomly clicking on every link returned in a Web search for "pifts.exe": Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them. Both results take you to sites that use Javascript attacks to try and foist rogue antivirus products (ah, the irony).

Update, 2:23 p.m. ET: Dave Cole, senior director of product management at Symantec, said the PIFTS file was part of a "diagnostics patch" shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.

"We have to make sure before we migrate users to a new product that we can see what kind of load we can expect on our servers, and which customers are going to have to be moved up to the latest version of our product," Cole said.

As to why Symantec has been deleting posts about this from their user forum, Cole said the company noticed that minutes after the update went out hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments.

"We want to be out there in the community, but by the same token, if we see abuse we will shut it down pretty quickly," Cole said. "There was no attempt at secrecy here, but people were spamming the forum and making it unusable to everyone."

In Symantec's defense, when I first heard about this earlier this morning, I noted privately to a couple of folks that some of the comments being left on the Symantec forum bore many of the hallmarks of "4Chan," (a.k.a. "anonymous"), a virtual community that thrives on playing practical jokes and causing trouble online. The summary about this incident posted to News-for-nerds site Slashdot this morning links to a key 4Chan forum.

Update, 5:24 p.m. ET: Symantec's official statement on this is here.

By Brian Krebs  |  March 10, 2009; 9:53 AM ET
Categories:  From the Bunker , Latest Warnings , Safety Tips  | Tags: 4chan, PIFTS.exe, conspiracy theory, norton, symantec  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Why Web Site Security Matters to Us All
Next: Adobe, Foxit, Ship PDF Reader Security Updates

Comments

Not to state the obvious, but we need to
TRUST the companies that we rely on to secure ourtechnology. Behavior like this is exactly why I would never use a symantec product. They can tbe trusted.

Posted by: lostinthemiddle | March 10, 2009 10:29 AM | Report abuse

Is the file signed?

Posted by: lseltzer | March 10, 2009 10:38 AM | Report abuse

You cannot trust any program you don't compile by yourself from its source code, and you should also compile the underlying operating system and the BIOS.
And yes, I'm advocating using a full top-bottom open source stack if you care anything about your security and privacy, even though you can't be sure there are no hardware hardware backdoors unless you manufactured all your chips as well.
Some non-US governments are finally realizing this and dropping Windows not just on economic grounds, but for national security's sake.

Posted by: gma1 | March 10, 2009 10:51 AM | Report abuse

Many thanks to Brian for his informative articles.
As a systems administrator for a business with 200 plus computers, this concerns me.
I use Symantec Endpoint as well as Backup Exec, and have always felt comfortable with Symantec Cooperate products.
I posted a question about PIFTS.EXE on the Symantec support site, and within 15 seconds it was deleted, and I was blocked from posting anything else.
This does not leave me very comfortable with Symantec, and I am watching how Symantec handles this issue, as it will affect my decision about renewing my licenses.

Thanks again Brian, keep up the great work.

Posted by: n3ujj | March 10, 2009 11:02 AM | Report abuse

Sounds like a rootkit.

Oh, and gma1. Ever heard of the back door in the C compiler? From the Jargon File article on back doors:


In this scheme, the C compiler contained code that would recognize when the login command was being recompiled and insert some code recognizing a password chosen by Thompson, giving him entry to the system whether or not an account had been created for him.

Normally such a back door could be removed by removing it from the source code for the compiler and recompiling the compiler. But to recompile the compiler, you have to use the compiler — so Thompson also arranged that the compiler would recognize when it was compiling a version of itself, and insert into the recompiled compiler the code to insert into the recompiled login the code to allow Thompson entry — and, of course, the code to recognize itself and do the whole thing again the next time around! And having done this once, he was then able to recompile the compiler from the original sources; the hack perpetuated itself invisibly, leaving the back door in place and active but with no trace in the sources.

Posted by: wiredog | March 10, 2009 11:05 AM | Report abuse

@gma1 The one gauranteed method of network security involves unplugging every device from the network and the electrical outlet and destroying all devices in a fire. Short of that, there will always be some risk.

Posted by: lostinthemiddle | March 10, 2009 11:10 AM | Report abuse

Gee, I'm glad I dumped them years ago! If you want to be trusted, folks, act trustworthy - and that means don't cut people off for asking questions!

Posted by: baddabing1 | March 10, 2009 12:31 PM | Report abuse

checked the Symantec forums (at http://community.norton.com/norton/) a few minutes ago and the banner at the top reads "Forum Private Messages's are offline for maintenance, Please check back after 12:00 PM PDT. We apologize for any inconvenience."

this gets curiouser and curiouser, the longer and deeper the cover-up (and not a very good one at that) goes on

Posted by: SBWP | March 10, 2009 12:49 PM | Report abuse

@lostinthemiddle, @wiredog:
I said "if you care anything about your security and privacy", not "if you want to be 100% safe".

"There will always be some risk" (hardware backdoors, which I hinted at, being more likely than compiler backdoors) is not a valid argument to passively accept the real and *entirely avoidable* danger of blindly trusting closed-source software vendors.

Posted by: gma1 | March 10, 2009 12:52 PM | Report abuse

That's my post at the top of tech-linkblog.

The second thread was created by someone after the first one was deleted.

No message in the first thread violated the Symantec Forum TOS. No one suspected ill will from Norton until they deleted the first topic.

My post was the first one suggesting that there was a cover-up on the entire interwebs. I created a third, fourth, and fifth, after the second got deleted, although the numbering gets muddled because so many people were. Then I was not able to post anymore; Mysterious ban from posting.

Not more than one was showing up at a time because Norton was deleting them so quickly after that. Then others followed suite, along with /b/, posting until Norton banned them as well.

The /b/ were provoked into the raid when Norton was clearly censoring its users. People who weren't there can abandon their beliefs that it was unprovoked. It happened after the initial deletes and bannings.

Posted by: yourtupperware | March 10, 2009 1:37 PM | Report abuse

Brian,
Symantec could clear ALL of this up INSTANTLY by posting official word on their website. They have not done this, as of 2:45 PM EST.

Posted by: baddabing1 | March 10, 2009 2:57 PM | Report abuse

Brian,Brian,

As always… Keep up the great work.

I have a problem with Mr. Coles reply to the deleted posts issue.

In the beginning the posts were standard requests for information, the postings did not get out of hand UNTIL Symantec started deleting VALID posts, and banned further postings from valid accounts. I am a current PAYING customer of Symantec, I posted a VALID, Calm, technical question.

I’m sure that Symantec will just drop this issue, and forget that it happened, but I think they need to hear from the IT industry that how they handled this was UNACCEPTABLE.

Posted by: n3ujj | March 10, 2009 3:14 PM | Report abuse

If the program was for Norton's internal use, why did a Norton support assistant (online around midnight last night) refer to PIFTS.exe as spyware in a support chat?

Posted by: jt515 | March 10, 2009 3:21 PM | Report abuse

Mr. Krebs, thank you very much for your reporting on this issue, but I, for one, do not consider this "case closed."

To put it simply, Symantec's excuse is garbage. Yes, *some* individuals did spam the Norton forums, but that wasn't until well after Symantec had already deleted THOUSANDS of legitimate posts. There is absolutely no reason Symantec couldn't leave one valid discussion thread open. If Dave Cole is seriously asserting that every single inquiry on the matter was abuse from 4Chan, he's a liar. The whole thing also could have been quelled with a simple statement from Symantec, yet there still isn't anything on their site.

What you're essentially reporting is that the "official" word from Symantec is that they'll install whatever data mining applications they deem necessary on their customers' computers in the interest of research and product development, but those customers are not allowed to inquire how those products work, nor are they allowed the option to refuse installation?

Is this in the EULA? Something stinks!

Posted by: rbininger | March 10, 2009 3:45 PM | Report abuse

Cole's assertions are absolute garbage. The earliest, cached postings to Norton's forums are legitimate, proper inquiries for answers that were summarily censored and hidden. It was not until hours later that the abusive posts began and it's nowhere near a logical assumption that abuse of their forums would just begin like that. It was a furious response from an online culture that watched as its concerns were censored and an attempt was made to hide the truth behind what has truly happened.

I for one am now reluctant to believe anything that any representative of Symantec says. How can they be trusted if they cannot even be relied upon to be forthcoming with the people who purchase their product? The simple answer is that they cannot. They lied and now want everyone to simply believe whatever explanation they can dredge up hours after the fact.

Symantec has betrayed the trust of each and every one of its users and I for one will not give a penny more to a company that does business in this manner. I would encourage others to think long and hard before they choose to become involved with the perpetrators of this farce.

Posted by: dshafa | March 10, 2009 4:11 PM | Report abuse

Do I understand correctly: Symantec pushed out an update which, without informing users, reported on components of the users' computers back to Symantec? That sets off my malware (or at least very-bad-practice) sensors. A company like Symantec, which lives in the computer security industry, ought to know better.

Posted by: fredtheflyingfrogofdoom | March 10, 2009 4:15 PM | Report abuse

Symantec is off base with this one. We started searching their forums as soon as the firewall notification hit us -- of course there were a lot of new user accounts being generated, their CLIENTS wanted to know what was going on!

We saw the posts before they were pulled, and we did not see the spam that was referenced in their statement. We saw only legitimate posts by concerned users.

The biggest concern in all of this is that the patch needed to be authorized through the firewall in order for Live Update to complete. If it was denied access, the updates failed. So paying customers were denied their virus definition updates so that Norton could data mine covertly.

Their response, including deleting valid posts off their forums and waiting for media involvement before communicating with their users, is extremely lacking.

We will be disabling Norton this evening and installing AVG. We do not feel that Symantec can be trusted after their handling of this situation.

Posted by: tmiller2009 | March 10, 2009 5:33 PM | Report abuse

thanks again brian.

when internet users encounter a website with a pop window that offers Yes/No/Close, DO NOT click anywhere on the popup window. in this case, No means Yes and Close means Yes. clicking anywhere on the window executes. DO NOT click anywhere on the window. instead, shut your browser down using the Task Manager.

i personally viewed three posts concerning this executable on the norton website that were later deleted. the three posts were not abusive in any manner and merely inquired about this executable (didn't see any of the posts from 4chan).

Posted by: egalitaire | March 10, 2009 8:53 PM | Report abuse

Egalitaire wrote:

when internet users encounter a website with a pop window that offers Yes/No/Close, DO NOT click anywhere on the popup window. in this case, No means Yes and Close means Yes. clicking anywhere on the window executes. DO NOT click anywhere on the window. instead, shut your browser down using the Task Manager.
--------------------------------------------
Any well known recent examples, since this is not the first time this suggestion has appeared in Comments in this column. Maybe it was you who previously noted this.

Posted by: brucerealtor@gmail.com | March 11, 2009 4:30 AM | Report abuse

"We will be disabling Norton this evening and installing AVG. We do not feel that Symantec can be trusted after their handling of this situation."

AVG's blatantly deceptive approach to toolbar bundling their freeloaders AND paying customers does a poor job of conveying trust.

Posted by: BurntPickle | March 11, 2009 7:27 AM | Report abuse

I find it very interesting that Symantec installed this file, on machines that had EXPIRED subscriptions, some that have been expired for 2 years.

They won't give expired customers updates, but they will load tracking software.

Brian, what are your feelings on this?

Posted by: n3ujj | March 11, 2009 10:44 AM | Report abuse

bruce,

i visited the website brian referenced. this website asked me if i wanted to scan my computer for viruses. i don't remember which site it was and unable to provide other recent examples. malicious websites are identified quickly and taken down.

in order to fool an internet user, a programmer would use the text "CLOSE" or "NO" to execute malicious code in a pop up user box. therefore, legitimate websites do not offer users pop up user boxes.

i consider all pop up User Boxes suspicious and not not pop up browser Windows, at least not yet. sorry if i confused anyone by using "Window" instead of "User Box".


Posted by: egalitaire | March 11, 2009 12:05 PM | Report abuse

Posted by: craigm27 | March 11, 2009 6:58 PM | Report abuse

Good article.

Posted by: seen_you | March 11, 2009 10:46 PM | Report abuse

I was one of those who signed up to find out why PIFTS.exe was trying to access the I-net. Two of my posts were deleted within minutes.

"As to why Symantec has been deleting posts about this from their user forum, Cole said the company noticed that minutes after the update went out hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments."

Didn't Norton even consider, just maybe, the hundreds of people signing up and posting messages just might be people like me? I was (note past tense) a paying customer, had a legitimate concern, posted a question seeking help, had my post deleted and now I'm called a "spammer"?

Which business school issued David Cole's degree?

The thing that burns me more than anything is that Norton STILL is not taking full responsibility. They are claiming that "spammers" are to blame for the deleted messages.

The leadership at at Norton has no integrity. Man-up and quit blaming others for your mistakes.

Posted by: JerryYelserp | March 11, 2009 11:20 PM | Report abuse

anonymous is in Symantec's forums, killing thier integrity.

Posted by: cleansetehinternets | March 12, 2009 9:14 PM | Report abuse

this IS about trust.

symantec is already out of the game.

if you DONT already know about "magic lantern" I IMPLORE YOU TO READ ABOUT IT!! IT WILL SHAKE YOUR TRUST IN NOT ONLY SYMANTEC BUT OUR OWN GOVERNMENT!!

http://en.wikipedia.org/wiki/Magic_Lantern_(software)

please read it.

NOW: here is the current situation

1) symantec designs a piece of software that will gather data from customer's computers

according to official information this software "anonymously" gathers computer and version info.

according to ALL sources who have dissected the program, it gathers COOKIE AND BROWSING HISTORY information

and sends it to Swapdrive (owned by symantec)

2) the software is distributed with ABSOLUTELY NO CONSENT OR KNOWLEDGE in a symantec update.

if they had NOT messed up, and had DIGITALLY SIGNED the sofware, no one would even know it had been sent out.

3) the software was NOT digitally signed and so everyone with windows noted it trying to access the internet

4) EVERY SINGLE QUESTION posted on the forums was deleted.

way way way way way before spam was posted, normal posts were being deleted and people were being banned.

YES THEY COVERED IT UP. THEY DELETED NORMAL, NON-SPAM POSTS HOURS BEFORE THE FIRST BIT OF SPAM APPEARED

it is called a "a diagnostic patch" by norton.

I DARE YOU to find an official explanation of WHAT IT ACTUALLY DOES!!!!

you will not find it.

do you still trust symantec, lol?

Posted by: coolnigga420 | March 13, 2009 4:56 AM | Report abuse

coolnigga420,

Put a debugger and a packet sniffer on it yourself and stop with the magical thinking... That's the amazing thing about personal computers, since it's yours, you can use the many thousands of tools out there to go look at what the machine is doing for yourself.

Code talks, BS walks.

Posted by: timscanlon | March 13, 2009 7:48 AM | Report abuse

Wow, Symantec really stepped in it this time. I wonder if the company will come clean about what they were up to, or if they'll continue to obfuscate and hope people will let it go.

Posted by: Heron | March 13, 2009 12:11 PM | Report abuse

Hello everyone,

I’m one of the administrators for the Norton Community Forums. First off, I would like to apologize for the removal of legitimate posts, and delayed response in acknowledging the PIFTS.exe issue. While the reason for merging like-posts in to a single thread was not intended to silence the voices of the users, we do understand that it ended up causing a lot of suspicions about the topic. We are sorry for the confusion that we have caused, and have developed new strategies to ensure this doesn’t happen again.

We launched the beta of the Norton Community Forums in April 2008. We’ve been very transparent with many issues that have come up on the boards, and utilized this opportunity to have more open discussions with those who use our software. We have also been very lenient with posts. There are threads on the forums that are critical of our products and discuss non-Symantec scanning software recommended by other users, as well as other non-relevant 3rd party software. I'm not saying this to get a pat on the back, but to acknowledge that we encourage open and honest communication on our forums. We strive to be transparent and give our customers the best information as quickly as possible.

We’ve spent the past 2 days compiling all the information regarding PIFTS.exe and detailing what it does. We’ve also included information regarding the timeline of events that happened on the forums. To view this information, please visit this forum thread: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119

We also have a discussion thread for all things PIFTS.exe related at the following thread: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39123

Please read through the above two threads if you have any questions, as many questions have already been addressed (such as rumors that we sent personal information to our servers, rumors regarding sending information to Google, and other rumors that we were involved in a conspiracy or “cover up”).

We welcome you to join in on the discussion if you have any concerns that need to be addressed.

Again, we’re sorry for the mishap and all the confusion that this has caused.

Cheers,
Tim Lopez
Norton Forums Administrator
http://community.norton.com

Posted by: tim_lopez | March 13, 2009 12:58 PM | Report abuse

Two years ago, when a Symantec/Norton update product corrupted my Windows XP Pro system files rendering my hard drive unbootable, I gave up on the company and moved to AVG. I read various blogs and forums at the time and found I was not the only one who had a hard drive crash directly linked to this product. I spent a good 18 hours reinstalling the operating system and updating it, reinstalling my applications, and transferring the data from my old hard drive to the new one. Because the product had been bundled on/with my operating system installation disks, I had to remove it - anyone who's tried that knows how insidious these products are - could a certain government agency charged with spying be more conniving? I think not. I, therefore, think Brian is being way way too nice to the company. I look over on the sidebar and see ads for the company's products are here frequently...should objective reporters give sponsors the benefit of the doubt? Maybe. But where there's smoke and flaming posts, there's fire. My advice - remove any and all Symantec products while you still can and go with AVG or one of the other superb freebies out there!

Posted by: chlpatent | March 17, 2009 8:54 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company