SCI: Tech Fears Arise Over Norton and Pifts.exe

reply to post by Gemwolf


(Edit: that the Symanetc story doesn't add up... A lot of posts.)

That would be hitting the nail on the head Gemwolf.

(Didn't you say something like that hours ago? ).

BTW... Greatest avatar ever!



[edit on 10-3-2009 by golemina]

Originally posted by unknown known
So do you honestly think YOU are being spyed upon?

No, I was having fun with paranoia fever. I'm not being spied on any other way, I'm simply neither that important nor interesting. I could be quickly and easily spied upon however if that status changes.

Originally posted by unknown known
Sorry, were not all Russian KGB...I know everyone wants to live a movie script...

Not all of us...just...some of us... *looks left, looks right, cue upbeat groovy music *

[edit on 10-3-2009 by saint4God]

So it appears as it was a 'legitimate' update that just happened to go 'unsigned' before it was released.

Hrm.

For a company that prides itself on protecting the tech community with their GREAT protection products they don't have a strict procedure in place to ensure that their updates are signed? That's like ... price of admission for entry into amateur school here. Not to mention something that should be in an SOP for a major AV company.

So it's doing data mining for windows 7. I do not run Norton and haven't forever ... is there anything in their T&C that would restrict this kind of behavior? Kinda scary that this all came to light simply because some egg-headed programmer forgot to digitally sign an update file.

That is ... if we are to believe the whole story.

Originally posted by unknown known
PIFTS.exe is a file created by Norton that connects to stats.norton.com and let's their servers know the status of one of their software updates installed on your computer.

Calm the hell down, I said go back inside your homes and dont look at what is going on outside.

It doesn't connect to stats.
It connects to SwapDrive.
We have already investigated this is great detail.
People who do not use swapdrive, should not have a process connecting to it.
Swapdrive is used to store massive amounts of data.
It is an online virtual backup facility.
Why would it automatically connect to a data storage facility, if someone doesn't use it?

Take into consideration before you make your minds up(lol)

They were deleting posts HOURS before fourchan an other people knew about this.

:\ oh well

reply to post by saint4God


Oh sorry your a saint. P.s. dont feed the paranoid trolls

Originally posted by saint4God

Originally posted by Unlimitedpossibilities
well they officially made a discussion about it at community.norton.com...

Maybe they will give some "answers"?

The fun never stops. Rule #1 of a conspiracy, begin your statement with:

"There was no "conspiracy" or "cover-up" " - Tony Weiss, Norton Forums Administrator, Symantec Corporation

I kid, I wish Tony and family all the best and am sorry Norton selected him as the one to be pushed out in front.

Then comes: "Why does Symantec hate freedom and privacy?"

I can assure you Symantec loves freedom and privacy. They love the freedom to see what you're doing and the privacy of not having to answer for it. Oh goodness...now it seems I have the same virus these other posters do...

I am confused. Are you just commenting randomly or are you actually replying to what I said?

anyway.....

Originally posted by unknown known
Oh sorry your a saint. P.s. dont feed the paranoid trolls

You're right, it was an irresponsible thing for me to do. I'm still curious though to see what this exe does and why it's doing it. I'm grateful there are people here on ATS who know a lot more about it than I do. The most I know is that Norton behaved 'virus like' on my computers after trying different versions, installs, etc.

For me, "if it looks like a virus and acts like a virus, it's a _______" no matter what it was 'meant' to do.

Sorry for the confusion Unlimitedpossibilities, I wasn't replying to your post, but rather the link and the things that were said there.

[edit on 10-3-2009 by saint4God]

reply to post by CaptainCaveMan


But you can use the storage facility...

Helping our Symantec customers secure and manage their information is fundamental to our business. The Norton brand is focused on offering products that help consumers secure and manage their information, which has led to our development of world class products such as Norton AntiVirus, Norton Internet Security and Norton 360. With the completion of the SwapDrive acquisition, we are building a solid foundation upon which to offer our Norton customers a comprehensive solution to help secure and manage all of their digital information, across all of their devices.

www.symantec.com...

reply to post by unknown known


Everyone thinks that someone wants their lucky charms.

The government doesn't need Symantecs help if they want to spy on anybody with a net connection. AT&T is their go-to guy.
www.eff.org...

So Symantec said this whole thing was because they need to know how many people have their software on what platform so they can supposedly guage how many people will be migrating to a new version and what traffic will be like on their servers???


Don't they already this kind of data from the servers logs used to update daily

[edit on 10-3-2009 by warpboost]

www.worldnetdaily.com...

Here is an article about Magic Lantern, from 2001.

After eight years of being headed by Louis Freeh – a man who saw fit to revise Benjamin Franklin's famous statement, "Those who would give up essential freedoms for security, deserve neither freedom nor security" and replace it with his own "The American people must be willing to give up a degree of personal privacy in exchange for safety and security" – the FBI has chosen to use Sept. 11 as an excuse to remove yet another "degree of personal privacy."

Under a new initiative called Cyber Knights, the FBI has launched into the business of creating "Trojans" – a particular type of computer virus – to infect computers. Yes, that's correct, the FBI, wants to infect your computer with a virus. Launch a program from an infected e-mail, and the FBI will have a record of every keystroke you make on your machine. They call it their "Magic Lantern." Possibly learning from their public relations debacle "Carnivore," now renamed the "DCS-1000," and the lesser known "Omnivore," the FBI has chosen names wisely this time. Names carefully designed to evoke warm fuzzy feelings of being protected by the proverbial "White Knight" – a Cyber Knight, if you will.

Modern cryptography has reached the point where it is not breakable by the FBI. Nor will it be in the foreseeable future, barring some stunning breakthrough in computer science or mathematics. The basic problem in breaking strong crypto is that you start with two prime numbers, and then you combine them mathematically. To break the code, and recover the message, you have to get back to those original prime numbers. Which has been compared to mixing a pound of sugar with a pound of salt, and then trying to separate them back out at a later date.

Every public case where the FBI has overcome cryptography has involved getting the "pass-phrase," or "key" surreptitiously. One notable case had them installing a "key-logger" on a suspect's computer, which allowed them to capture his pass-phrase, and open his encrypted files.

But you must pity the poor FBI. In order to accomplish this task, they have to get a warrant, physically enter the premises and install their hardware – all without being detected. Then someone had a bright idea: If hackers could plant viruses on people's computers undetected, why couldn't they do it too? Once remote control key-loggers are installed as "Trojans" on your machine, you'll never even know you're infected.

"But wait a darn minute! I use anti-virus software! I'm protected," you might say. Guess again. Like other quislings and collaborators of the past, McAfee, largest anti-virus software producer in the world, sniveled up to the federal police and simpered that they would take steps to ensure their software didn't alert you that you had been infected by the FBI. This infuriates me. I use McAfee's product – which I paid for in good faith. Their software's job is to alert me when a virus has infected my computer. It is not their place to decide what is a "good" virus and what is a "bad" virus.

edit: community.norton.com...

Symantec has said before that it will not, under any circumstances, seek to obstruct the intelligence agencies of any country. Symantec will fully cooperate with forensic software, such as the so-called "Magic Lantern".

[edit on 10-3-2009 by djzombie]

reply to post by Fiverz

For a company that prides itself on protecting the tech community with their GREAT protection products they don't have a strict procedure in place to ensure that their updates are signed?

That is the least of their problems as far as I'm concerned. I used to get all sorts of calls when I was doing tech support about slow computers, or direct norton issues.

It would typically go something like this, Hello blah blah, how can I help you? My computer is running really slow. My next question would be, are you running Norton? If they said yes, uninstall it and then call me back if you're still slow. Typically, getting rid of Norton sped things up quite a bit. Usually though, that response would end up opening a whole other kettle of worms, as there were all sorts of issues with simply uninstalling their pgoram.

I have been telling people this for years, you should NEVER have to edit the registry to uninstall a program, that's just bad programming. That used to be pretty normal for Norton. I'm not sure if that is still the case, but I have had to go edit I don't even know how many registries just to get this piece of crap software uninstalled.

Fun stuff.

Hi everyone,



Symantec released a diagnostic patch "PIFTS.exe" targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 - 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec "unsigned", which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.



There has been activity in the Norton User Forum related to PIFTS.exe which has generated additional concern and media speculation. At approximately 10:30pmET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals. One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec. Below are some examples of the forum spam we received from these new user accounts. These forum posts contained no text in the body of the message, simply a subject:



* O LAWD IM CHOKIN ON PIFTS PLZ HALP
* OH GOD YOU GOT CHOCOLATE IN MY PIFTS
* If you wanna be my NORTON/ you gotta deal with my P ! F T S . E X E
* IF PIFTS.EXE WAS HERE, THEN WHO WAS PHONE?
* PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE
* I LOVE MY PIFTS.EXE


Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts.



Finally, it has also been reported by the Washington Post that hackers are taking advantage of this situation. "Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them." When searching for information on "pifts.exe," Symantec strongly advises all users to be wary of following links to unknown sites as malicious users are attempting to use this hot topic to distribute malware.
Message Edited by davecole on 03-10-200

"Official Statement" by Symantec

Source

P.S. Sorry if its a repost

[edit on 10-3-2009 by Sliick]

reply to post by djzombie


Spokesmen for the FBI soon confirmed the existence of a program called Magic Lantern. They denied that it had been deployed, and they declined to comment further.[5]

^ Article in the Village Voice, 24 May 2002

Symantec and Norton AntiVirus products have also received criticism from within the anti-virus industry as well. Marc Maiffret, chief technology officer and cofounder of eEye Digital Security- producer of Blink Personal, has stated: "Our customers are paying us for a service, to protect them from all forms of malicious code. It is not up to us to do law enforcement's job for them so we do not, and will not, make any exceptions for law enforcement malware or other tools."

[edit on 10-3-2009 by unknown known]

Yes, the fact that you need a tool written by a 3rd party to remove the software should tell you something about the company.

Originally posted by Armour For Victor

Originally posted by tommyboy1981
reply to post by FreezeM

 

I have tested Pifts.exe with Anubis which shows it accesses these folders containing private information! This and the fact Norton are actively trying to cover up PIFTS raises enough suspicions to warrant further investigations and im 90% sure a traffic dump would show this to be true!

Anubis Report on PIFTS.EXE

Norton does not need to use these folders to see how many installations there have been at all!!



[edit on 10-3-2009 by tommyboy1981]

You should send that to Norton or someone of interest.

YES PLEASE SEND THIS IN TO SOMEONE!

Originally posted by unknown known
reply to post by CaptainCaveMan

 

But you can use the storage facility...

Helping our Symantec customers secure and manage their information is fundamental to our business. The Norton brand is focused on offering products that help consumers secure and manage their information, which has led to our development of world class products such as Norton AntiVirus, Norton Internet Security and Norton 360. With the completion of the SwapDrive acquisition, we are building a solid foundation upon which to offer our Norton customers a comprehensive solution to help secure and manage all of their digital information, across all of their devices.

www.symantec.com...

You are right.
In all the new Norton packages, there is the online backup and restore facility.
You get 25gb free, and have to buy more space.
But this does not turn on automatically.You have to choose it.
And people who have older versions of the Anti Virus only, would not use this.
So why is it automatically connecting to it?
This of course also does not explain, Webdatagroup LLC in Arlington VA.
Or the private address, in Chevy Chase, Maryland, that are registering to the address it connects to.

shop.symantecstore.com...

Look here, only Norton 360, has backup and restore.

[edit on 10-3-2009 by CaptainCaveMan]

reply to post by Sliick


It took them almost 24 hours to give that statement??

Not good enough given all the information floating around and the fact that questions on the forum were removed way earlier than the spamming that happened as a result.

Pift!

[edit on 10-3-2009 by XXXN3O]

I wonder how long until they shut that forum down again.

community.norton.com...

Man; am I ever glad I hopped off of the Norton bandwagon AGES ago.

I want to first send a (I won't lie) half-hearted apology to the admins on these forums for my contribution to the spam. However, you guys brought it on yourself. A simple "Here's what's going on, stop spamming thanks" post would have stopped all of this QUICKLY.

Now, on another note, your extremely haphazard way of handling this has prompted many to disassemble your .exe file and we have noticed a few key problems with it:

1) The file itself is designed specifically to send usage history (In the form of Internet Explorer history files, Temporary Internet Files, and Google Desktop information) to 2 private servers: One owned by Microsoft and the other owned by a Washington-based corporation known as "SwapDrive". This in and of itself is a breach of our privacy and should be explained immediately.

2) An inconsistency I noticed with the .exe in question was the fact that it has a very curious amount of padding. Padding is often used in cracking and hacking to force an .exe file to match the expected size of the program. However, why would you need any kind of padding in an official .exe from Symantec? Also, there's a lot of nonsense strings in the file; anything from the days of the week to the alphabet. Which tells me you're using even MORE padding.

What's really going on, guys?

EDIT: Oh, and I almost forgot about the most important thing. Not all of those posts last night were spam; the majority of us just wanted to know what was going on. I know the morons who were responsible for the famous threads such as the I HAVE THE ITCH thread, and they're just that: Morons.

So why did you REALLY delete every post made about it BEFORE the spam started?

Is this someone from this thread posting? It all sounds way familiar.

[edit on 10-3-2009 by djzombie]