SCI: Tech Fears Arise Over Norton and Pifts.exe


posted on Mar, 10 2009 @ 11:41 AM
The ATS formatting is screwing up the URL

it.slashdot.org...

works.




posted on Mar, 10 2009 @ 11:43 AM

Originally posted by mrmonsoon
When I clicked on the slashdot link, I get this:


Nothing for you to see here. Please move along


slashdot compromised????????


That link isn't working properly because he failed to do that (As you can see, the date is posted behind the link, but isn't included when you click it)

Click here
Click there to see the actual link.

[edit on 10/3/09 by -0mega-]



posted on Mar, 10 2009 @ 11:45 AM
reply to post by mrmonsoon
 


Sorry Mon was having trouble with that link, someone put the correct link in for me later in thread.

Btw these Qwest people very interesting, transactions with Enron which may have helped Enron conceal losses 1999-2001



posted on Mar, 10 2009 @ 11:46 AM


Online storage is back. Last September, EMC bought online storage startup Mozy for $76 million. Last week, Symantec signed a deal brewing since February to buy SwapDrive. A source close to the company says that Symantec paid $123 million.


www.techcrunch.com...

I wonder why?



posted on Mar, 10 2009 @ 11:48 AM
Just caught onto this thread and did a thorough search of the primary drives of the three machines on my network that are running NIS2008 and found no trace of this pifts.exe file.

I'm not seeing this referenced anywhere else, so does anyone know if this is a version specific thing?



posted on Mar, 10 2009 @ 11:48 AM
I have sent an email directly to this staff member asking for some information.

community.norton.com...

I have Norton included free with my ip provider but I do not use it although they won't know any better as it has been purchased.

I should get a reply hopefully.



[edit on 10-3-2009 by XXXN3O]



posted on Mar, 10 2009 @ 11:48 AM
It's so good that we have places like ATS and wherever the original post came from (\x? \y? something like that) because otherwise companies like Symantec could just whitewash all their scripting problems from the internet, \y is like Deep Throat in Watergate - because it's anon the original poster could well have been a Norton insider or someone in the know. What this code really is we'll probably never know, Norton will cover it up like the last few major security flaws which hit them.

I suspect it's yet another data mining program, Symantec was set up to deal with a virus which they had created and released in a false flag attack (google it) - now they have a very high level, very secretive internet connected power over a huge swathe of computers - whether they're connected to government agencies or corporate enterprise (such as the British building firms who had a database of all union workers so they wouldn't accidentally employ them) - who has 'undesirable' ebooks or youtube history could be entering a large database to ensure the big money doesn't employ anyone they don't like.

You either use their virus software to give them your data OR their viruses will come and take it! The only answer is to use open source software like Linux and make sure you only install trusted programs.



posted on Mar, 10 2009 @ 11:49 AM
The one thing that puzzles me so.

Why would they do this? It will cost them millions of users.
Bad marketing?



posted on Mar, 10 2009 @ 11:52 AM
Looking up !NET-67-134-208-128-1 at whois.arin.net.
CustName: SwapDrive
Address: 1313 F St., NW
City: Washington
StateProv: DC
PostalCode: 20004
Country: US
RegDate: 2008-01-04
Updated: 2008-01-04
NetRange: 67.134.208.128 - 67.134.208.255
CIDR: 67.134.208.128/25
NetName: QWEST-IAD-SWAPDRIVE4
NetHandle: NET-67-134-208-128-1
Parent: NET-67-128-0-0-1
NetType: Reassigned
Comment:
RegDate: 2008-01-04
Updated: 2008-01-04

www.swapdrive.com...
Registrant:SCHUMANN, ROLAND
20330 Stevens Creek Blvd
Cupertino, CA 95014
US
Administrative Contact :
Wallace, Marc
info@WEBDATAGROUP.COM
PO BOX 7241
ARLINGTON, VA 22207-0241
US
Technical Contact :
Schumann, Roland **
roland@swapdrive.com
1313 F Street, NW #400
Washington, DC 20004
US
NS1.SWAPDRIVE.COM 66.77.181.5
NS2.SWAPDRIVE.COM 66.77.178.12
NS3.SWAPDRIVE.COM 85.133.49.69

Current Registrar: NETWORK SOLUTIONS, LLC.
IP Address: 63.146.183.85 (ARIN & RIPE IP search)
IP Location: US(UNITED STATES)-DISTRICT OF COLUMBIA-WASHINGTON
Record Type: Domain Name
Server Type: IIS 6
Lock Status: clientTransferProhibited
Web Site Status: Active
DMOZ 1 listings
Y! Directory: see listings
Web Site Title: SwapDrive Inc. Your Leader in File Sharing and Backup.
Secure: Yes
E-commerce: Yes
Traffic Ranking: 3
Data as of: 22-Apr-2008


Ok so listen.
You have it registered to Network Solutions in Washington DC, that's just their data centre with the technical contact in DC.
You have the registrant at a California address.
And you have the ADMINISTRATIVE CONTACT in Arlington, Virginia.

Who lives in Arlington VA?



posted on Mar, 10 2009 @ 11:53 AM
reply to post by XXXN3O
 


Ok here you have it from the horse's mouth guys.

I got a very swift reply and here is the content.

"********, I don’t have much detail about this issue. I believe that Symantec will be making a public announcement about this file in near future. I do believe that it is a legitimate file delivered by live update. Unfortunately, somebody has chosen to about our Norton Community forums regarding this issue and the remediation for this abuse is having some unintended collateral damage.



I wish I could tell you more, but this is all that I know at this time.



- ******"

Looks like we will know shortly what is going on.

[edit on 10-3-2009 by XXXN3O]



posted on Mar, 10 2009 @ 11:55 AM
Did anyone decompile pifts.exe?
I did and it's live update, now if you were an antivirus company that offered daily updates you sure wouldn't want people having ready access to that IP, that's for sure.
Another ATS false alarm.
upon opening the pifts.exe file in my editor I found this lead "P i f E n g . d l l"
I googled it, of course and I came up with this link
external link

harmless in my eyes but hey what do I know I am only a Microsoft partner since 2002 and had several computers since 1971.
I spent a long time removing Norton for people, anything is better than that crap
IMHO pifts.exe is harmless and actually beneficial to people stupid enough to use garbage like Norton or any Symantec trash in the first place.
I know I know it came with my pc, get rid of it, it's garbage.
Our government in BC uses corporate Norton what a frigging joke, a friend wanted to find out what was wrong with her pc, corporate Norton (yup she stole a copy from work) found no virus at all.
My program found 35 viruses and in some cases several copies of the same virus.
Moral of the story, get rid of any Symantec trash
there are lots of good free programs out there, albeit none are perfect



posted on Mar, 10 2009 @ 11:55 AM

Originally posted by Cyberzone
The one thing that puzzles me so.

Why would they do this? It will cost them millions of users.
Bad marketing?

In the unlikely event it is a government backdoor or something of that ilk they would be told to do it.
It doesn't make sense for them to only do this with Norton though.
Perhaps some internal programmer cut a deal with a government agency/random scammers and snuck it in there without Symantec actually knowing about it.
After looking at the file analysis on /. it seems that the file itself is pretty harmless, but it makes calls to various DLLs and reads/writes to the registry which is probably not so harmless.



posted on Mar, 10 2009 @ 11:55 AM
Um.. there is no need to reformat your PC if you get antivirus 360 (aka Antivirus 2008 or 2009). Do NOT buy it. You just gave your credit card # to known scam artists. If you bought with a credit card, you REALLY should get a new one, and cancel that one.

If you get that malware, the best software to get rid of it is Malwarebytes.org. It's free, and actually works... unlike Norton, McAfee, Defender, Spybot, etc. Our company uses Trend (which is also crap), and since it doesn't work for squat, I install Malwarebytes to remove the nastiest stuff (antivirus 360 and vundo for the most part.. those are the two that other virus programs have the biggest trouble removing).

Just install Malwarebytes.. run it.. it will probably say it has to reboot. Unplug your ethernet cable (or disable your wireless), reboot, and run it one more time. Full scan takes a while, but you should run that. Once done, you are set.

OR.. if you have system restore, run that instead. Just go back a few days or a week, and that will completely remove these viruses / malware. This should be on, on your computer. It makes removing stuff like this a snap.



posted on Mar, 10 2009 @ 11:56 AM
The Arlington VA contact has an email to here : webdatagroup.com...

Which looks like a front company.

"Our competitive intelligence research service is patterned after the proven "intelligence cycle" methodology that is employed by the US intelligence community. The intelligence cycle is described below. It is the process of transforming raw information into finished intelligence for our customers to use in their decision making process. There are five steps which comprise the intelligence cycle. "



posted on Mar, 10 2009 @ 11:58 AM
webdatagroup.com...
Registrant:
WDG

4705 DeRussey Pkwy
Chevy Chase, Maryland 20815
United States

Registered through: GoDaddy.com, Inc. (www.godaddy.com...)
Domain Name: WEBDATAGROUP.COM
Created on: 16-Oct-97
Expires on: 01-Jun-10
Last Updated on: 29-May-08

Administrative Contact:
Schumann, Roland rolandws@gmail.com
WDG
4705 DeRussey Pkwy
Chevy Chase, Maryland 20815
United States
3016566118

Technical Contact:
Schumann, Roland rolandws@gmail.com
WDG
4705 DeRussey Pkwy
Chevy Chase, Maryland 20815
United States
3016566118

The file is for swapdrive, the Norton data collection and backup.
However it also links to administrative contacts in Arlington VA.
So obviously it's a collaborative effort between Symantec and the Pentagon.

www.swapdrive.com...

Roland Schumann is a former military intelligence officer, having served both on active duty and in the reserves. Trained in unconventional warfare and electronic intelligence gathering, he also has practical experience in airborne operations, human intelligence (HUMINT), counter-intelligence, and counter-terrorism. He has performed risk analyses in Latin America for the US government and in the United States for commercial and government interests.

Webdatagroup.
Our competitive intelligence research service is patterned after the proven "intelligence cycle" methodology that is employed by the US intelligence community. The intelligence cycle is described below. It is the process of transforming raw information into finished intelligence for our customers to use in their decision making process. There are five steps which comprise the intelligence cycle.

It looks like webdatagroup is Roland Schumann's little side project.

[edit on 10-3-2009 by CaptainCaveMan]



posted on Mar, 10 2009 @ 11:58 AM

Normally padding like that is not included in a file for any reason, it's sloppy coding. Batten down your hatches folks, this reeks of mass data mining, or something more sinister which I won't mention. (WHERE THE SPYBOT ACTUALLY JUMPS OUT OF THE COMPUTER AT YOU)

But really tho make sure to uninstall Norton products, they suck to begin with, use AVG or something, anything else but Norton products. You will thank me later



For those of us that spend a lot of the day on the computer...but don't have the tech knowledge....what do you mean when you say, 'more sinister' but don't want to mention?

I purchased BIT for my anti-virus...seems to do a good job.



posted on Mar, 10 2009 @ 11:58 AM
reply to post by Salamandrax
 


Still, it is known that there are a lot of people who analyse weird programs and files. So the chance that they get caught is high.



posted on Mar, 10 2009 @ 11:58 AM
Now things get interesting!

Should we tell 4chan? lol



posted on Mar, 10 2009 @ 12:00 PM
reply to post by XXXN3O
 


But didn't the spam start after they'd already removed the legitimate queries they've now labelled as "collateral damage?"



posted on Mar, 10 2009 @ 12:04 PM

Originally posted by Tripnman
Just caught onto this thread and did a thorough search of the primary drives of the three machines on my network that are running NIS2008 and found no trace of this pifts.exe file.

I'm not seeing this referenced anywhere else, so does anyone know if this is a version specific thing?


Did you search compressed files? On my system it was inside a zip file download from Norton in

Documents and Settings/All Users/Application Data/Symantec/LiveUpdate/Downloads
The file name was 1236641345tjun_pifts.zip.full.zip (though I suspect this will be system dependent probably?).

It's either a legitimate update that Symantec didn't want people discussing last night, or possibly (but probably less likely) a compromised file delivered through LiveUpdate.




But didn't the spam start after they'd already removed the legitimate queries they've now labelled as "collateral damage?"


Yes. There was a legitimate thread that was up for a few hours yesterday and had thousands of views and a bunch of replies from other people asking what the file was. The thread was deleted, so another was started and got a number of replies as well. This was deleted as well, at which point the Norton mods started deleting any mention of that file in minutes or less. The 4chan spam didn't start until sometime overnight or this morning, long after the initial legitimate questions.

[edit on 10-3-2009 by daenris]
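
The search described in the post above (a file that only exists inside a downloaded zip) can be done in one pass that also records a SHA-256 for each copy found. This is an added example, not code from the thread or from Symantec; the nested-zip layout of the sample, the inner archive name `pifts.zip` and all function names are assumptions, and the sample file content is constructed.

```python
import hashlib, io, tempfile, zipfile
from pathlib import Path

TARGET = "pifts.exe"           # file name discussed in the thread
MAX_MEMBER = 64 * 1024 * 1024  # skip oversized members (zip-bomb guard)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def scan_zip(data, label, target, hits, depth=0):
    """Search an in-memory archive; recurse into nested .zip members."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            name, where = info.filename, f"{label}!{info.filename}"
            if name.rsplit("/", 1)[-1].lower() == target:
                hits.append((where, sha256(zf.read(info))))
            elif name.lower().endswith(".zip") and depth < 4:
                scan_zip(zf.read(info), where, target, hits, depth + 1)

def find_file(root, target=TARGET):
    """Return (location, sha256) for each copy of target, loose or zipped."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name.lower() == target:
            hits.append((str(path), sha256(path.read_bytes())))
        elif path.is_file() and zipfile.is_zipfile(path):
            scan_zip(path.read_bytes(), str(path), target, hits)
    return hits

def build_sample(root):
    """Constructed sample: dummy pifts.exe inside a zip inside the named zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("pifts.exe", b"constructed sample bytes, not the real file")
    outer = Path(root) / "1236641345tjun_pifts.zip.full.zip"
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("pifts.zip", inner.getvalue())  # inner name is hypothetical
    return outer

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(find_file(d))
```

Pointing `find_file` at the LiveUpdate Downloads folder named in the post gives a hash per copy, which can then be compared across machines.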


