Conspiracy theories fly around Norton forum 'Pifts' purge
Conspiracy theories are running rampant in the absence of a clear explanation of why Symantec deleted threads expressing concern about a file called pifts.exe from its Norton support forums.
Many users running Norton Internet Protection began seeing a popup warning on Monday that a file called PIFTS.exe on their systems was trying to access the internet. The location of the file was given as a non-existent folder buried inside the Symantec LiveUpdate folder.
<a href="https://ad.uk.doubleclick.net/jump/reg.security.4159/front;tile=2;pos=top;dcove=d;sz=336x280;ord=-@uyqtRk6j0AACu-W0oAAAEQ?" target="_blank"><img src="https://ad.uk.doubleclick.net/ad/reg.security.4159/front;tile=2;pos=top;dcove=d;sz=336x280;ord=-@uyqtRk6j0AACu-W0oAAAEQ?" alt=""></a>
The appearance of a file in a non-existent folder suggests rootkit-like behaviour. PIFTS.exe attempts to contact a server in Africa, which has been traced to Symantec.
Concerned punters started posting on Norton's support forums, asking what was going on. That's all normal enough, but then discussions on the subject were deleted without explanation from Norton's community pages. Follow-up threads mentioning the issue were deleted even more quickly.
Symantec creates havoc with unsigned Norton patch
Symantec released a diagnostic patch for some of its older Norton products on Monday night that did not identify its origin and thus triggered alerts on user firewalls, the company said Tuesday.
The patch for 2006 and 2007 versions of Norton Internet Security and Norton Antivirus, a program dubbed "PFST.exe," (Product Information Framework Trouble Shooter) was distributed to collect anonymous statistics on matters such as how many computers are using the products and what operating system they are running, Jeff Kyle, group product manager for Symantec consumer products, said Tuesday.
Because it was unsigned--a result of human error--firewalls started prompting users with messages asking them if they trust the patch, Kyle said. Of course, because the patch had no signature indicating it was from Symantec, users didn't know whether to trust it and many of them went to the Norton user forum for answers.
The company pulled the patch after three hours and then unwittingly laid the groundwork for conspiracy theorists after it started deleting forum posts related to the matter. The company was not censoring the posts, but fighting off a spam attack, according to Kyle.
"At the same time we were pulling down the patch a spammer created a new account on our forum and minutes after that there were 200 new users all targeting the same thread," he said. "Within the first hour there were like 600 posts to that thread. Obviously it was a bot creating this."
The posts were written with poor grammar and broken English and some were vulgar and nonsensical. It is possible, though, that Symantec could have inadvertently deleted some legitimate posts while it was purging the spam, Kyle said.
"There is no conspiracy theory. There's nothing we are hiding at all," Kyle added.
Meanwhile, Kyle said he isn't sure whether or when Symantec will redistribute the patch, but if they do, he said, it will be signed.
Symantec has more information on its message board site. The Washington Post reported that hackers were exploiting the situation and had managed to get malicious Web sites into top Google search results for "pifts.exe."
Digg in:
https://chrysler5thavenue.blogspot.com/2009/03/piftsexe.html
https://www.abovetopsecret.com/forum/thread444230/pg1
https://blogs.howstuffworks.com/2009/03/10/what-is-piftsexe/
https://www.theregister.co.uk/2009/03/10/norton_pifts_mystery/
https://news.cnet.com/8301-1009_3-10192899-83.html?part=rss&subj=news&tag=2547-1_3-0-20
https://isc.sans.org/diary.html?storyid=5992
https://it.slashdot.org/article.pl?sid=09/03/10/139229
https://www.tech-linkblog.com/2009/03/conspiracy-theories-run-rampant-due-to-piftsexe.html/
https://voices.washingtonpost.com/securityfix/2009/03/symantec_users_complain_of_mys.html
https://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119
https://www.virustotal.com/analisis/734465e30a6ee6d6c493471d77940f4c
https://www.threatexpert.com/report.aspx?md5=91b564d825a3487ae5b5fafe57260810
https://www.mediafire.com/download.php?iotyqjbrmry - pifts.exe asm code from IDA and C-like decompiled pseudocode from HexRays Decompiler
The disassembly of the binary doesn't look out of the ordinary and after a quick look at the PIFTS.c decompiled code in the above archive it seems that symantec is telling nothing but the truth.
Snips:
$cat PIFTS.c | grep -i RegOpenKey // LSTATUS __stdcall RegOpenKeyExW(HKEY hKey, LPCWSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult); idb v1 = RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey); if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey) if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey) if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey) if ( (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey) && (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey) if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey)
$cat PIFTS.c | grep -i http extern wchar_t aHttpStats_nort[40]; // weak sub_402210((int)L"https://stats.norton.com/n/p?module=2667", (int)&lpszUrl);
$cat PIFTS.c | grep -i symantec v1 = RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey); if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey) if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey) if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey) if ( (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey) && (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey) if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"Software\\Symantec\\InstalledApps", 0, 1u, &hKey) L"SOFTWARE\\Symantec\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PifEngine", L"SOFTWARE\\Symantec\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\HbEngine", L"SOFTWARE\\Symantec\\PIF\\{96E26A03-A25A-400b-B9B4-564C9BD00F46}",
For me it doesn't sound like much of a conspiracy or an uber slick big brother spyware because Symantec's explanation of pifts.exe is somewhat reasonable although the method they used to get the stats is questionable and unprofessional(don't they have test systems, labs or networks? why push stuff that should be tested in the "development labs" to clients? clients are not a testing platform) and Symantec removing forum posts when they look like this doesn't bother me either. People who started this fire are ones who don't have the skills to reverse engineer an executable because if they did they would know that there isn't really nothing interesting in pifts code. Another reason for this might be this one too:
Finally, it has also been reported by the Washington Post that hackers are taking advantage of this situation. "Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them." When searching for information on "pifts.exe," Symantec strongly advises all users to be wary of following links to unknown sites as malicious users are attempting to use this hot topic to distribute malware.
Although it is hard to believe that this was a planned scam because you really have to be a con mastermind in order to think(of it previously and wait for the right moment), spot the apropriate moment(symantec's pifts.exe unsigned and questionable push update), prepare(create bogus trap websites/page related to the subject and embedd exploit+malware code) and fire the scam(make people believe your conspiracy theory-the symantec forums, the stories, blog posts) then watch your botnet(s) grow. As it is written above it is more probably that bad guys saw the opportunity after the hype has been created and started to take advantage of it.