Symantec creates havoc with unsigned Norton patch – PIFTS.EXE

On March 11, 2009, In Hacking and Pentesting, By Shinnok

Conspiracy theories fly around Norton forum ‘Pifts’ purge

Conspiracy theories are running rampant in the absence of a clear explanation of why Symantec deleted threads expressing concern about a file called pifts.exe from its Norton support forums.

Many users running Norton Internet Protection began seeing a popup warning on Monday that a file called PIFTS.exe on their systems was trying to access the internet. The location of the file was given as a non-existent folder buried inside the Symantec LiveUpdate folder.

The appearance of a file in a non-existent folder suggests rootkit-like behaviour. PIFTS.exe attempts to contact a server in Africa, which has been traced to Symantec.

Concerned punters started posting on Norton’s support forums, asking what was going on. That’s all normal enough, but then discussions on the subject were deleted without explanation from Norton’s community pages. Follow-up threads mentioning the issue were deleted even more quickly.

source

Symantec creates havoc with unsigned Norton patch

Symantec released a diagnostic patch for some of its older Norton products on Monday night that did not identify its origin and thus triggered alerts on user firewalls, the company said Tuesday.

The patch for 2006 and 2007 versions of Norton Internet Security and Norton Antivirus, a program dubbed “PFST.exe,” (Product Information Framework Trouble Shooter) was distributed to collect anonymous statistics on matters such as how many computers are using the products and what operating system they are running, Jeff Kyle, group product manager for Symantec consumer products, said Tuesday.

Because it was unsigned–a result of human error–firewalls started prompting users with messages asking them if they trust the patch, Kyle said. Of course, because the patch had no signature indicating it was from Symantec, users didn’t know whether to trust it and many of them went to the Norton user forum for answers.

The company pulled the patch after three hours and then unwittingly laid the groundwork for conspiracy theorists after it started deleting forum posts related to the matter. The company was not censoring the posts, but fighting off a spam attack, according to Kyle.

“At the same time we were pulling down the patch a spammer created a new account on our forum and minutes after that there were 200 new users all targeting the same thread,” he said. “Within the first hour there were like 600 posts to that thread. Obviously it was a bot creating this.”

The posts were written with poor grammar and broken English and some were vulgar and nonsensical. It is possible, though, that Symantec could have inadvertently deleted some legitimate posts while it was purging the spam, Kyle said.

“There is no conspiracy theory. There’s nothing we are hiding at all,” Kyle added.

Meanwhile, Kyle said he isn’t sure whether or when Symantec will redistribute the patch, but if they do, he said, it will be signed.

Symantec has more information on its message board site. The Washington Post reported that hackers were exploiting the situation and had managed to get malicious Web sites into top Google search results for “pifts.exe.”

source

Digg in:

https://chrysler5thavenue.blogspot.com/2009/03/piftsexe.html

https://www.abovetopsecret.com/forum/thread444230/pg1

https://blogs.howstuffworks.com/2009/03/10/what-is-piftsexe/

https://www.theregister.co.uk/2009/03/10/norton_pifts_mystery/

https://news.cnet.com/8301-1009_3-10192899-83.html?part=rss&subj=news&tag=2547-1_3-0-20

https://isc.sans.org/diary.html?storyid=5992

https://it.slashdot.org/article.pl?sid=09/03/10/139229

https://www.tech-linkblog.com/2009/03/conspiracy-theories-run-rampant-due-to-piftsexe.html/

https://voices.washingtonpost.com/securityfix/2009/03/symantec_users_complain_of_mys.html

https://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119

https://www.virustotal.com/analisis/734465e30a6ee6d6c493471d77940f4c

https://www.threatexpert.com/report.aspx?md5=91b564d825a3487ae5b5fafe57260810

https://www.mediafire.com/download.php?iotyqjbrmry – pifts.exe asm code from IDA and C-like decompiled pseudocode from HexRays Decompiler

The disassembly of the binary doesn’t look out of the ordinary and after a quick look at the PIFTS.c decompiled code in the above archive it seems that symantec is telling nothing but the truth.

Snips:

$cat PIFTS.c | grep -i RegOpenKey
// LSTATUS __stdcall RegOpenKeyExW(HKEY hKey, LPCWSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult); idb
v1 = RegOpenKeyExW(HKEY_LOCAL_MACHINE, L”Software\\Symantec\\InstalledApps”, 0, 1u, &hKey);
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L”Software\\Symantec\\InstalledApps”, 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L”Software\\Symantec\\InstalledApps”, 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L”Software\\Symantec\\InstalledApps”, 0, 1u, &hKey)
if ( (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L”Software\\Symantec\\InstalledApps”, 0, 1u, &hKey)
&& (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L”Software\\Symantec\\InstalledApps”, 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L”Software\\Symantec\\InstalledApps”, 0, 1u, &hKey)

$cat PIFTS.c | grep -i http
extern wchar_t aHttpStats_nort[40]; // weak
sub_402210((int)L”https://stats.norton.com/n/p?module=2667″, (int)&lpszUrl);

$cat PIFTS.c | grep -i symantec
v1 = RegOpenKeyExW(HKEY_LOCAL_MACHINE, L”Software\\Symantec\\InstalledApps”, 0, 1u, &hKey);
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L”Software\\Symantec\\InstalledApps”, 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L”Software\\Symantec\\InstalledApps”, 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L”Software\\Symantec\\InstalledApps”, 0, 1u, &hKey)
if ( (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L”Software\\Symantec\\InstalledApps”, 0, 1u, &hKey)
&& (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L”Software\\Symantec\\InstalledApps”, 0, 1u, &hKey)
if ( RegOpenKeyExW(HKEY_LOCAL_MACHINE, L”Software\\Symantec\\InstalledApps”, 0, 1u, &hKey)
L”SOFTWARE\\Symantec\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PifEngine”,
L”SOFTWARE\\Symantec\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\HbEngine”,
L”SOFTWARE\\Symantec\\PIF\\{96E26A03-A25A-400b-B9B4-564C9BD00F46}”,

For me it doesn’t sound like much of a conspiracy or an uber slick big brother spyware because Symantec’s explanation of pifts.exe is somewhat reasonable although the method they used to get the stats is questionable and unprofessional(don’t they have test systems, labs or networks? why push stuff that should be tested in the “development labs” to clients? clients are not a testing platform) and Symantec removing forum posts when they look like this doesn’t bother me either. People who started this fire are ones who don’t have the skills to reverse engineer an executable because if they did they would know that there isn’t really nothing interesting in pifts code. Another reason for this might be this one too:

Finally, it has also been reported by the Washington Post that hackers are taking advantage of this situation. “Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them.” When searching for information on “pifts.exe,” Symantec strongly advises all users to be wary of following links to unknown sites as malicious users are attempting to use this hot topic to distribute malware.

Although it is hard to believe that this was a planned scam because you really have to be a con mastermind in order to think(of it previously and wait for the right moment), spot the apropriate moment(symantec’s pifts.exe unsigned and questionable push update), prepare(create bogus trap websites/page related to the subject and embedd exploit+malware code) and fire the scam(make people believe your conspiracy theory-the symantec forums, the stories, blog posts) then watch your botnet(s) grow. As it is written above it is more probably that bad guys saw the opportunity after the hype has been created and started to take advantage of it.

Tagged with:
 
0 Comments
Leave A Response

BackTrack 4 beta released

On February 11, 2009, In Hacking and Pentesting, By Shinnok

bt4_logo

https://remote-exploit.org/backtrack_download.html ^^

You can read more about the release here.

( have mercy on the webserver 😆 )

Tagged with:
 
0 Comments
Leave A Response

In response to “Use Linux and you’re malware free”

On February 2, 2009, In Hacking and Pentesting, Linux, By Shinnok

I’ve received the following comments on two of my posts and they look like this:

Charles Norrie said…
7:25 pm – February 1st, 2009

But it exploits vulnerabilities in Windows systems, so if you install a Linux system like Ubuntu Intrepid Ibex you won’t suffer malware problems again!

On Downadup/Conficker botnet estimated at 8.9 million according to f-secure

Charles Norrie said…
2:19 pm – February 1st, 2009Ubuntu is quite wonderful. Please reply to all news articles mentioning the Conficker virus saying that if users installed Ubuntu, they’d never have to patch their computers again.

Get the message out. We all benefit by persuading people to move to Linux!

On Backtrack 4 will be a full blown distribution

Now i originally wanted to reply with another comment but since the comment ended up a little bigger than i intended and because it expresses a lot of my views on this issue  i made a post out of it, so here it goes:

I have to disagree with you, because persuading people into using Linux just because it is a less prone to malware platform then Windows, is not the solution for the current security issues that exist nowadays. Malware does exist for Linux but it is not that abundant as for security bugs if we take only Windows in discussion and no other third party application then i really can’t say which one is more buggy, a Linux distro or Windows?Because i’ve seen all sorts of bugs in all kinds of places in both operating systems. And i say a Linux distro because it’s not fair to compare Windows with just the Linux kernel, because Linux is only the kernel after all, a Linux distro is what you can call an OS. Plus that the Linux kernel had and it currently has lots of bugs all over the places and new ones are discovered all the time.  Moreover if we make a comparison of security bugs that were discovered both in only the Linux kernel and the Windows kernel i can assure you that the Linux kernel had way more flaws then the Windows kernel afaik. To sum it up let’s say that a vast amount of the masses start shifting over night to Linux, just as you want, and then Linux becomes the leader in the OS market share, what happens then?All of the guys writing malware will shift their attention to Linux and then you will see the same flow and abundance of malware for Linux. Because it’s the same security unaware target audience, the same buggy code, the same people writing new code with the same security flaws, the same security mistakes made in software logic and design, etc…

Linux for the moment, in my opinion, has these advantages when it comes to being a primary target for malware:

  1. low desktop market share
  2. vast amount of distributions
  3. a big percentage of Linux users are tech savvy

Now let’s dissect those 3 advantages:

1.The market share that Windows currently has means only one thing: Way more people are working, banking, e-mailing, chatting and doing stuff on Windows thus a bigger profit is to be gained from targeting Windows users…it’s all business. And if it’s not business than it’s fun and let me tell you that it’s not fun to spend one week writing a piece of malware for Linux that works on at least 5 most used distros. What is fun, in the script kiddie mentality that flourished out there, is to use a lame .vbs *All in one – Virus Maker* and then share it on file sharing networks and watch people getting pwned. What about binding something like Turkojan on a stupid “Undress me” poker game and sharing it too?!? That is fun nowadays. Oh and if it’s not about fun than it is about 5th grade pride and proving that you are the best l33t haxxor out there. Which only lead to this defacement explosion in the past few years. If you can deface a website than you are a haxor. If you can deface a bunch of websites that your are a leet haxxor. But if you can deface Microsoft’s website while defacing 50 others in the other 50 browser tabs you have opened then you really are the most l333tzoor h@xx out there. Well let me tell you one thing, people who deface in those reasons are just plain stupid. They don’t realise or know how many things can be done with a boxen after pwning it(especially a high profile target :roll:) with a lame public for months exploit ,so they just resume at replacing index.html/.php/.asp with their own “I am teh skillzor and admin sucks! L33t Haxor skeelz pwned your boxen. Secure you website. Gritz to acid_piss, no_life and toilet_face!!!” .html defacement page.

2.The vast amount of Linux distributions out there make it hard to write a portable piece of malware that *works on linux* and that’s about it. Different kernel versions and modules, different library and program versions and choices, design and architectural differences all contribute with a certain level of skill required to write a good portable malware piece.

3.You probably guessed yourself, a big % of Linux users being tech savvy makes it not so easy to target them.

In conclusion “Use Linux and you’re malware and pwn free” is not the solution nor entirely true. I hate it when people push this kind of things to the public and it’s the same with the recently flowing bullshit that “Linux just works now!” or “Ubunt jost works!”. Bullshit. It doesn’t, unless you are a hacker(in the good sense) and like to get down with stuff. For the average human beeing that doesn’t know or want to know about computers or how they work  and they just want things like chatting and browsing and file sharing then Linux might actually stay in their way and make them unhappy and uncomfortable and thinking they’re stupid. If we take Ubuntu’s case then “Ubuntu is just working” is only bandwagon fantasia bullshit and not even Mark Shuttleworth has the courage to say that relating to the desktop market. So just leave it at that…Linux is Linux and Windows is Windows each one with it’s ups and downs. 🙂

Tagged with:
 
3 Comments
Leave A Response

Backtrack 4 will be a full blown distribution

On January 31, 2009, In Hacking and Pentesting, Linux, By Shinnok

bt4_logo

Yes that’s right, a full blown Linux distribution. It will be based on debian base packages with ubuntu repositories integration. I am pretty glad about this because it will make Backtrack much more comfortable to use as an installed Linux distribution on hdd. What exactly do i mean by comfortable:

  • up-to-date kernel
  • package updates
  • security updates
  • easy installation of new packages/applications

All of this summarizes in just two words package-management which is very important for a day to day usage of an installed on disk Linux distribution and keeps you mentally and physically in great form. 😈

You can read more about this transition to a full blown distribution here and here and yes it’s “official” because it comes from muts.

Finally for your enjoyment a collection of Backtrack4 wallpapers from the remote-exploit forum:

Tagged with:
 
3 Comments
Leave A Response

Kevin Mitnick’s hacking telnet session transcripts

On January 27, 2009, In Hacking and Pentesting, Pwnage, By Shinnok
lamo-mitnick-poulsen

Adrian Lamo, Kevin Mitnick, Kevin Poulsen

In case you have been living on the moon:

Kevin David Mitnick (born August 6, 1963) is a computer security consultant and author, who was incarcerated for more than four years without trial or a bail hearing.

He was a world-famous controversial computer hacker in the late 20th century, who was at the time of his arrest, the most wanted computer criminal in United States history. more…

Ever wanted to see Kevin in action?

See him as he types?

See him as he hacks/cracks?

Then you have clicked to the right place.

Some of the network data gathered(sniffed or logged) for prosecution before Kevin’s apprehension by telco’s and other parties involved in the investigation with the help of Tsutomu Shimomura, has been released to the public a long time ago. Shimomura used a custom version of tcpdump in his sniffing sessions on Mitnick and eventually he made a program to convert the gathered data into an interactive application that matches exactly what Mitnick was seeing and doing during his telnet sessions(it sounds more complicated than it is, a little understanding of the telnet protocol, which dominated the internet back then, and the fact that a tcpdump session on a host between mitnick and he’s other peers contains all the needed information to recreate with precise accuracy exactly what happened,when and how it looked).

They have been hosted at the evidence section on a site called Takedown(like the book by Shimomura&John Markoff and the movie) along with the prank calls made to Shimomura’s voicemail and other related stuff.

If you’re not familiar with Kevin’s story and a little bit of unix/linux i don’t think you will be making much sense out of the transcripts,except for the chatting sessions. Although this looks like a great motivation to start learning/using linux/unix just because you wanted to understand what is the stuff Kevin types while he hacks. 😈

If you want to know more about Kevin’s story just press the magic button or roll your eyes over news/articles on takedown.

For the Mitnick familiar and hackers out there i present Tsutomu’s January 25 Post to Usenet which explains with some level of detail the IP source address spoofing and TCP sequence number prediction attacks that were used by Kevin to pwn Shimomura’s diskless X terminal and from there using a loadable kernel STREAMS module an existent connection to Shimomura’s real box was hijacked thus leading to the pwnage of Tsutomu’s goodies treasurechest.It was interesting the way Tsutomu wanted to make sure the world understands how his box got owned. 😳

You will be needing telnet to view the sessions. For each session you will have to telnet on a different port on the same machine as each transcript is served through a different port.

➡  The site
➡  Telnet transcripts
➡  Voicemail pranks to Shimomura

kevin_mitnick

They always use the ugliest picture possible,so that he looks like a pedofile and everyone is happy.

I am eager to see Kevin haaack, i want to see some stuff right now! Gimme teh box and it’s hole!

Well select one from bellow based on the summary of the transcript, then open a shell and type/paste the corresponding telnet command:

This is the chat session in which Kevin asks his friend jsz at Ben-Gurion University in Israel for tools. He asks over and over again until he gets satisfaction. Since we are seeing what Kevin saw, in the talk session the top half of the window (above the dashed line) is what he was saying; the bottom is what jsz was saying.  —>

telnet kevin-on-demand.takedown.com 4009

Nobody speaks better for Kevin Mitnick than Kevin himself. Here we learn that we are indeed dealing with Mitnick, as well as good many other   things.   Do these sound like nice people to you?Discussion of Tsutomu, Markoff, Dan Farmer, a “picture on the front page of the New York Times.” —>

telnet kevin-on-demand.takedown.com 4010

Kevin breaks into Dan Farmer’s machine(creator of SATAN security scanner), fish.com, and peruses his files and mail looking for information about himself, Tsutomu, security holes, and the FBI. Breaks into Sun, confirming that the “access1” in the talk session that afternoon really did refer to access1.sun.com. Kevin also has a fascination with looking through the command histories of system administrators, presumbaly to see if they are on to him. —>

telnet kevin-on-demand.takedown.com 4013

This is the first session where a possible reference to “Mitnick” was seen. —>

telnet kevin-on-demand.takedown.com 4008

Many more here.

Dude??!? What’s a shell?!?! 🙄

This will do just fine for you:

Tagged with:
 
2 Comments
Leave A Response

Megaupload auto-fill captcha for Greasemonkey

On January 24, 2009, In Hacking and Pentesting, By Shinnok

Hmm neural networks in  JS…nice!

You can find it here: https://userscripts.org/scripts/show/38736

Tip: You must have Greasemonkey Firefox Addon in order to install the script.After that just visit a megaupload.com download page and the captcha will be filled in automatically and the Download button “pressed”(explanation for noobs).

Get it while it still works 😳

LE: How it works – https://ejohn.org/blog/ocr-and-neural-nets-in-javascript/

Tagged with:
 
0 Comments
Leave A Response
Go To Top »