I am extremely angry and horribly disappointed with you. I expected better from a company whose nexus of purpose is defending the people who use your products. This betrayal runs deeply, and will march through all the aware users of Symantec products soon enough. What started as a scratch is becoming a fissure.

We hold you, Symantec, for turning your back on us who have been loyal to you for years. To the people who accepted your protection from the ill affections of the world who deigns to undermine innocent people. We knew, believed, and truly accepted the idea that your defense would offer no exceptions and would forgive no trespasser.

We feel betrayed! We feel wronged by your collusion with American intelligence agencies! We feel absolutely disgusted that you would have us accept this government trojan called PIFTS.EXE and then suppress us unrighteously when we POLITELY ASK what you have intruded our space with! PIFTS - Public Internet and File Tracking System? How will we ever know. The damage has been done. Such a violation of our contracts with you is not redeemable. You have gone from hero to worm.

I am IMMEDIATELY cancelling my subscription to Norton products and uninstalling them. I encourage everyone who values their privacy and their freedom to do the same.

Norton Products Removal Tool for Vista/XP/2000: ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

Norton Products Removal Tool for Me/98: ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool_9x.exe

Those removal tools will uninstall Norton products...hopefully.

Thanks for nothing but bitter feelings.

Signed, A Former Customer
Originally posted by tommyboy1981
I bet the owner of Symantec does not use Norton!!!
Here's a post on DSLReports regarding this issue. Not sure how much of this is true, so take this with a grain of salt.
Fascinating, they call it a simple update? It is not.
The program analyzed:
It clearly goes through and scrapes your history, temp files, cookies, etc, and it tries to contact a shady online storage place they recently acquired. Let's do a lookup on swapdrive! 22.214.171.124:80 is where PIFTS.exe asks to connect to.
Domain Name: SWAPDRIVE.COM
Web Data Group, LC
PO BOX 7241
ARLINGTON, VA 22207-0241
Click on "Competitive intelligence." Interesting! They talk about military intelligence gathering right on the page. So this "update" is scraping internet history and temp data and trying to contact a company who does online storage with shady ties to intelligence gathering. If it is datamining, Americans need not be surprised, we had AT&T do it on our phones and some act as if our computers are immune. Hey, let's look more into one of the owners of Swapdrive in the Web Data Group! There are more interesting people than Marc Wallace.
"Roland Schumann is a former military intelligence officer, having served both on active duty and in the reserves. Trained in unconventional warfare and electronic intelligence gathering, he also has practical experience in airborne operations, human intelligence (HUMINT), counter-intelligence, and counter-terrorism. He has performed risk analyses in Latin America for the US government and in the United States for commercial and government interests."
It is helped to be run by a former military intelligence officer. So there you have it, you have very shady actions by Symantec regarding the whole thing making people suspicious by deleting any mention of it, they claim it is a simple update, and when we dive into it, we find out it scrapes your internet history and temp files, interfaces with Google Desktop (G O E C 6 2 ~ 1 . D L L ), and then where does it try to go? It tries to jump straight to Swapdrive (we know this because it asked permission to go to 126.96.36.199:80, which is Swapdrive). Who owns swapdrive? The Web Data Group based out of Arlington (wow, the same place the Pentagon is located, what a coincidence) who has a statement about using military intelligence information gathering right on their website and who has owners with shady backgrounds as army intelligence officers, and when Symantec is asked about PIFTS.exe, it immediately tries to cover it up and deletes everything related to it in a very suspicious fashion. Follow the trail, do some research, dig around.
Oh no folks, move along, certainly nothing interesting to see here!
If you're saying the only thing left to do here is discuss what's being said on another forum, I think I'll be asking a mod to close this thread.
I see one call into wininet (InternetOpenUrlW) that, as far as I can tell, has pretty innocuous data in it and one call to CreateFile for logging. So where are you seeing the application (not wininet) pulling in those things? An offset, ASM fragment, or API should be sufficient.
But as I said, when dissected, the code shows commands requesting your temp internet files and browser history, and much more info.
File name: PIFTS.EXE
File size: 102400 bytes
MD5 hash: 91b564d825a3487ae5b5fafe57260810
The PIFTS.EXE binary was released through LiveUpdate targeting 2006 and 2007 products. After downloading the LU package, LU executes PIFTS.EXE, and PIFTS.EXE collects product state information, and reports this information to Symantec.
PIFTS.EXE does the following:
- Determines what product is installed, NIS, NAV, N360, NCO, or NSW, by looking under the HKLM\Software\Symantec\InstalledApps registry key.
- Determines the version of the installed product by looking at the file version information of a key product file.
- Determines if PIF is installed by looking under the HKLM\Software\Symantec\InstalledApps registry key.
- Determines the version of PIF by looking at the file version information of two key PIF files.
- Determines if PIF is enabled, and what the PIF state is, by looking at the PIF registry under HKLM\Software\Symantec.
- Determines the version of PIF that LiveUpdate believes is installed, by reading the LU catalog.
- The collected information, as described above, is reported to a Symantec server, called stats.norton.com, using an HTTP GET request. This server is located at a Symantec datacenter located on the East Coast of the United States.
No additional information is collected, no personal information is collected, and no system modifications are made.
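Added example, not part of the thread or any poster's code: a static triage script that first checks whether a file is the binary the thread identifies (size and MD5 as posted), then lists which of the strings named in the thread appear in it as ASCII or UTF-16LE. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import re

# Identity values quoted in the thread for PIFTS.EXE (MD5 is used only
# because it is the one hash the thread gives).
EXPECTED_SIZE = 102400
EXPECTED_MD5 = "91b564d825a3487ae5b5fafe57260810"

# Lower-cased substrings taken from the thread, keyed by where they appear.
CLAIMS = {
    "statement: stats.norton.com": "stats.norton.com",
    "statement: InstalledApps key": r"software\symantec\installedapps",
    "forum post: swapdrive": "swapdrive",
}

def matches_thread_sample(data: bytes) -> bool:
    """True only if size and MD5 both match the values posted in the thread."""
    return (len(data) == EXPECTED_SIZE
            and hashlib.md5(data).hexdigest() == EXPECTED_MD5)

def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs plus UTF-16LE runs. Wide-char APIs such as
    InternetOpenUrlW take UTF-16 arguments, so ASCII-only tools miss them."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([s.decode("ascii") for s in ascii_runs]
            + [s.decode("utf-16-le") for s in wide_runs])

def check_claims(data: bytes) -> dict[str, list[str]]:
    """Map each claim label to the extracted strings that contain it."""
    strings = extract_strings(data)
    return {label: [s for s in strings if needle in s.lower()]
            for label, needle in CLAIMS.items()}

def constructed_sample() -> bytes:
    # Constructed bytes for demonstration only; NOT the real binary.
    return (b"MZ\x90\x00" + b"\x00" * 16
            + b"Software\\Symantec\\InstalledApps" + b"\x00\x00"
            + "stats.norton.com".encode("utf-16-le") + b"\x00\x00\x01")

if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else constructed_sample())
    print("matches thread's size and MD5:", matches_thread_sample(data))
    for label, hits in check_claims(data).items():
        print(f"{label}: {hits or 'not present as a plain string'}")
```

A string that is absent here may still be built at run time or stored packed, so a miss narrows the question rather than settling it; a hit gives an offset to start disassembly from.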
Originally posted by golemina
Has anyone posted a binary image of the EXE in question?
Originally posted by golemina
They have posted a 'technical' description of the activity of the so-called EXE.
It is in STARK disagreement with assessments we have had posted in this forum.