Symantec Clarifies PIFTS.EXE Fiasco

Symantec has released its interpretation of what the PIFTS.exe file is and of who may have suffered some unwanted activity while using Norton Internet Security and Norton Anti-Virus. First of all, this only affects users of Norton Internet Security and Norton Anti-Virus 2006 and 2007. Symantec also states that the patch error lasted only for a period of about 3 hours. The company also defends itself against allegations that inquiries about the error had been removed from its forums. But most important, a patch is available to fix the problem.

On their site Symantec states the following information:

There has been activity in the Norton User Forum related to PIFTS.exe which has generated additional concern and media speculation.  At approximately 10:30pmET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals. One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec. Below are some examples of the forum spam we received from these new user accounts. These forum posts contained no text in the body of the message, simply a subject:

  • O LAWD IM CHOKIN ON PIFTS PLZ HALP
  • OH GOD YOU GOT CHOCOLATE IN MY PIFTS
  • If you wanna be my NORTON/ you gotta deal with my P ! F T S . E X E
  • IF PIFTS.EXE WAS HERE, THEN WHO WAS PHONE?
  • PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE
  • I LOVE MY PIFTS.EXE

But this entry is most important:

Finally, it has also been reported by the Washington Post that hackers are taking advantage of this situation. “Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them.” When searching for information on “pifts.exe,” Symantec strongly advises all users to be wary of following links to unknown sites as malicious users are attempting to use this hot topic to distribute malware.

So if you are a user of the Norton products listed, be aware that some sites may take advantage of this error and try to corrupt your system.

Comments welcome.

Source.

11 Comments

More a social hack than anything else. How did those accounts get past the captcha codes?

Yeah, it’s pretty sickening how the malware authors jump on the bandwagon of breaking stories like this and turn it into something much more serious.

People *do* need to be extremely careful when searching the internet for information about PIFTS because there are malicious websites out there, designed to infect you with rogue anti-virus software (also known as scareware or Fake AV) that will try and fool you into thinking you are infected.

Their plan? To get you to pay up hard cash for a “cure”.

You can learn more about this in a posting I made on my blog (including some screenshots of some of the dangerous links we have found):
http://www.sophos.com/blogs/gc/g/2009/03/10/malware-authors-jump-piftsexe-bandwagon/

Cheers
Graham Cluley, senior technology consultant, Sophos

I witnessed the snowballing communication about pifts.exe via a number of forums, and the main thrust was the initial removal of genuine enquiries about the pifts.exe application. This was suspicious, and unusual. However because Symantec deleted them, it encouraged others to sign up and test whether they did get deleted, and they did. So Symantec actually started deleting the posts way before there was “the spamming”. It was a result of the deletion of genuine posts that led to the inundation of messages.

At the same time http://www.digg.com went down - with users suspecting this was in an effort to stem communication about the pifts.exe phenomenon. It was shortly (10-15 mins possibly) restored.

As well as this, Google.com trends unusually showed very little impact of the literally thousands of searches for pifts.exe…

All in all a PR disaster by Symantec, and a very dubious response from them. I still think there is more to this than meets the eye.

TheMagicLantern

March 11th, 2009
at 5:37am

Just check out the discussion thread for the lowdown:

http://community.norton.com/norton/board/message?b

Symantec is outright lying about the series of events. The deletions came first which provoked the spam. The spam was backlash from deleting any and all discussion pertaining to PIFTS. They would not allow the term to be used on the board at all, so it brought forth a spam attack to get the word out about the censorship campaign since they couldn’t delete the threads fast enough and keep people quiet.

What’s really important is why PIFTS is mining search/temp file/IE data and sending it back home, which they have yet to acknowledge and is a hell of a sight more than they claim it does.

Thanks for the comments everyone and for sharing the links.

Norton is lying. People have asked about PIFTS for months and they’ve always banned everyone who asked. Only after 4chan got involved did this get attention.

PIFTS is a rootkit they use to spy on your computer and give to google, the US government, and some server in Africa.

Yep.

I was in the raid.

PROTIP: It wasn’t just 1 person you Symantec idiots.

Hello everyone,

I’m one of the administrators for the Norton Community Forums. First off, I would like to apologize for the removal of legitimate posts, and delayed response in acknowledging the PIFTS.exe issue. While the reason for merging like-posts in to a single thread was not intended to silence the voices of the users, we do understand that it ended up causing a lot of suspicions about the topic. We are sorry for the confusion that we have caused, and have developed new strategies to ensure this doesn’t happen again.

We launched the beta of the Norton Community Forums in April 2008. We’ve been very transparent with many issues that have come up on the boards, and utilized this opportunity to have more open discussions with those who use our software. We have also been very lenient with posts. There are threads on the forums that are critical of our products and discuss non-Symantec scanning software recommended by other users, as well as other non-relevant 3rd party software. I’m not saying this to get a pat on the back, but to acknowledge that we encourage open and honest communication on our forums. We strive to be transparent and give our customers the best information as quickly as possible.

We’ve spent the past 2 days compiling all the information regarding PIFTS.exe and detailing what it does. We’ve also included information regarding the timeline of events that happened on the forums. To view this information, please visit this forum thread: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119

We also have a discussion thread for all things PIFTS.exe related at the following thread: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39123

Please read through the above two threads if you have any questions, as many questions have already been addressed (such as rumors that we sent personal information to our servers, rumors regarding sending information to Google, and other rumors that we were involved in a conspiracy or “cover up”).

We welcome you to join in on the discussion if you have any concerns that need to be addressed.

Again, we’re sorry for the mishap and all the confusion that this has caused.

Cheers,
Tim Lopez
Norton Forums Administrator
http://community.norton.com

looks like “Anonymous” did it again ;]

PIFTS.exe? THEN WHO WAS PHONE?

Pifts.exe was an example of how Symantec fails at writing its own updates. There was no real compromise of security, it is just another firewall alert that people question. The truth is, that any software firewall will always prompt a user about any new executable that is not mentioned in its rules. This exe was just another example of how users have no idea about whether they should allow/deny, which resulted in some massive spam. This affected me by putting pifts in my chocolate, and frankly, I only want chocolate coated balls. Symantec, please refrain from putting pifts in my chocolate.
