PIFTS (Product Information Framework Troubleshooter) is a diagnostic program that Symantec periodically sends out to users to anonymously collect information such as the operating system and version number of the product being used in order to get a snapshot of its user base. The troublesome, unsigned PIFTS.exe file is no longer being distributed, but it never represented any kind of security threat, Kyle said. "If a user would have accepted it they should have been fine, and if they declined it they should have been fine."
"21:42:39,1065547","PIFTS.exe","3220","CloseFile","C:\Dokumente und Einstellungen\[Benutzer]\Cookies\index.dat","SUCCESS",""
"21:42:39,1065894","PIFTS.exe","3220","CloseFile","C:\Dokumente und Einstellungen\[Benutzer]\Lokale Einstellungen\Verlauf\History.IE5\index.dat","SUCCESS",""
"21:42:39,1066223","PIFTS.exe","3220","CloseFile","C:\Dokumente und Einstellungen\[Benutzer]\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat","SUCCESS",""
Originally posted by golemina
For those of you who might be a little slow on the draw those last three lines represent the closing of the COOKIES, HISTORY, and CONTENT index files of their respective INTERNET EXPLORER directories...
That login contains invalid content. Please choose a different login that does not contain 'Pift'.
Read this. Seems to confirm what I was saying. Not sure how accurate any of it is, but I can't imagine someone making up such elaborate backgrounds about former military intelligence officers and whatnot.
Fascinating, they call it a simple update? It is not.
The program analyzed:
It clearly goes through and scrapes your history, temp files, cookies, etc, and it tries to contact a shady online storage place they recently acquired. Let's do a lookup on swapdrive! 188.8.131.52:80 is where PIFTS.exe asks to connect to.
Domain Name: SWAPDRIVE.COM
Web Data Group, LC
PO BOX 7241
ARLINGTON, VA 22207-0241
Click on "Competitive intelligence." Interesting! They talk about military intelligence gathering right on the page. So this "update" is scraping internet history and temp data and trying to contact a company who does online storage with shady ties to intelligence gathering. If it is datamining, Americans need not be surprised, we had AT&T do it on our phones and some act as if our computers are immune. Hey, let's look more into one of the owners of Swapdrive in the Web Data Group! There are more interesting people than Marc Wallace.
"Roland Schumann is a former military intelligence officer, having served both on active duty and in the reserves. Trained in unconventional warfare and electronic intelligence gathering, he also has practical experience in airborne operations, human intelligence (HUMINT), counter-intelligence, and counter-terrorism. He has performed risk analyses in Latin America for the US government and in the United States for commercial and government interests."
It is helped to be run by a former military intelligence officer. So there you have it, you have very shady actions by Symantec regarding the whole thing making people suspicious by deleting any mention of it, they claim it is a simple update, and when we dive into it, we find out it scrapes your internet history and temp files, interfaces with Google Desktop (GOEC62~1.DLL), and then where does it try to go? It tries to jump straight to Swapdrive (we know this because it asked permission to go to 184.108.40.206:80, which is Swapdrive). Who owns swapdrive? The Web Data Group based out of Arlington (wow, the same place the Pentagon is located, what a coincidence) who has a statement about using military intelligence information gathering right on their website and who has owners with shady backgrounds as army intelligence officers, and when Symantec is asked about PIFTS.exe, it immediately tries to cover it up and deletes everything related to it in a very suspicious fashion. Follow the trail, do some research, dig around.
Originally posted by SeanU
Pift = Probabilistic Information Filtering Tool
Maybe there are people interested in flagging people searching for certain phrases on google?
Google Books Link to research paper
[edit on 10-3-2009 by SeanU]
Originally posted by CeltAngel
Given Symantec's backpedaling today and the facts we know about the app, I have to wonder the same thing. Been there, done that with AOL (sic).
I've also seen spy software that will embed itself so deeply as to mimic normal Windows registry entries hiding itself. This stuff was in the computer so tight I actually ended up having to wipe the drive, I could never find all of it to get it out.
Originally posted by CeltAngel
Scary stuff out there - seriously makes one wonder if it all could have been a distraction Symantec allowed to bloom out of control to distract from what pifts was really doing/interacting with.