
SCI: Tech Fears Arise Over Norton and Pifts.exe


posted on Mar, 11 2009 @ 01:12 PM

Originally posted by themaster1
German products, guys, how many times do I need to write it -> Avira free or premium
No made-in-USA crap, please


*powers up Windows with 'Intel Inside' to play World of Warcraft* Hm? Sorry, I didn't hear what you said, too busy enjoying my American products. *chomps down on a Philly Cheesesteak*

[edit on 11-3-2009 by saint4God]




posted on Mar, 11 2009 @ 01:27 PM
reply to post by golemina
 


The interesting part is that this file was not needed.
There would be no way to update the AV without knowing what OS, AV Version, Virus Signature file version, etc was on the system.

To claim this was to see who was still using older products is not being honest.

As far as the Domain that is going to I will point to the simple fact that you can create an A record and call to point to any IP you want as long as you have permission to use the IP.

well scratch that you do not even need permission

I can go to a Dynamic DNS service and point a domain at an IP I do not own.

so anyone going to domain.com could go to someone's home IP if I wanted to do that.

True, most people do not know this, and since the majority are very computer illiterate they will drink the Symantec KoolAid and be happy. This does represent a serious breach on the part of Symantec.

I am not saying this is going to Africa or to some sunglasses-wearing bunker with lots of sunglasses-wearing people in black suits. But at the very least it would seem to not be what Symantec are claiming, as they gather this information at install and every time you update.

read the EULA on these products


@saint4God, Intel Core 2 Duo (conroe) was designed by Intel Israel ...


[edit on 11-3-2009 by Achorwrath for grammar]

[edit on 11-3-2009 by Achorwrath for grammar again]

[edit on 11-3-2009 by Achorwrath]



posted on Mar, 11 2009 @ 01:33 PM
community.norton.com...

This is another interesting thread on norton forums.



posted on Mar, 11 2009 @ 01:38 PM

Originally posted by Achorwrath
@saint4God, Intel Core 2 Duo (conroe) was designed by Intel Israel ...


I was kidding, I have AMD,
but my computer here at work is Intel, so it's good to know. As I understand it, Israel ripped out the avionics of our F-15's when we delivered them and replaced it with 'real radar' with much longer range. Looks like we purchased that tech from them shortly thereafter. I also don't have a cheesesteak in front of me, but had one a few days ago. If I were home, I'd likely be on World of Warcraft instead of ATS.

[edit on 11-3-2009 by saint4God]



posted on Mar, 11 2009 @ 01:56 PM
reply to post by golemina
 


A small exe!? .... AND?

I have written a 7.5KB keylogger which uploads the log file to an ftp of my choice!

I have written a trojan horse... 42KB with over 28 features including a keylogger, remote screen capture, remote webcam capture, system information viewer, firefox/ie password grabber, AND THE REST!

And i think that i could make a program which grabs users temp files and uploads them to an ftp easily under 2kb my friend!

If this program just looks up a few things then why is it so BIG more like!?

The facts remain! Pifts connects to swapdrive and uses temp files, probably uploading them!






[edit on 11-3-2009 by tommyboy1981]



posted on Mar, 11 2009 @ 02:06 PM

Originally posted by tommyboy1981
reply to post by golemina
 


A small exe!? .... AND?

I have written a 7.5KB keylogger which uploads the log file to an ftp of my choice!

I have written a trojan horse... 42KB with over 28 features including a keylogger, remote screen capture, remote webcam capture, system information viewer, firefox/ie password grabber, AND THE REST!

And i think that i could make a program which grabs users temp files and uploads them to an ftp easily under 2kb my friend!

If this program just looks up a few things then why is it so BIG more like!?

The facts remain! Pifts connects to swapdrive and uses temp files, probably uploading them!






[edit on 11-3-2009 by tommyboy1981]


Agreed, also why the calls to Google desktop's DLLs? (those are in the exe)
If this is just verifying version information there is no need to hit that.



posted on Mar, 11 2009 @ 02:24 PM
Here is why I think Symantec is trying to sweep this under the rug:

Their software was treating the PIFTS.exe executable as the genuine article even though it was unsigned and could be replaced by a hacked exe. This is a huge security problem and probably one that isn't easily fixable. Simply signing and reissuing the file doesn't fix it, because the DLLs it's loading and the Norton app that is creating the process are apparently not checking that it's signed code.

The release of an unsigned debug build exe speaks very poorly of their release management procedures. This is obviously not fixed by signing and rereleasing, though the results of that release will probably force them to reassess.

The application appears to include a call to a stock DefeatHackers function, before assuming the coast is clear and getting on with its work. Having this sort of trivial executable (especially in a modifiable form) provides a blueprint on how to defeat this functionality in ALL Symantec products. Releasing it, signed or not, was dumb and the focus on this app will likely force them to reengineer this functionality.


Finally, I did register here specifically to comment on this thread and to share the results of looking at the executable. Though I am good at this kind of thing, there is nothing stopping anyone here from reverse engineering the executable and posting the results, and if someone posts an offset or asm fragment that is suspicious I will take another look. An ethereal trace showing exactly what is being sent to their server would be a good step in proving or debunking that it is doing something nefarious.

I don't work for Symantec (though if the Symantec people I know are reading this want to hire me to improve the anti-hack code I am open to that) and don't have any interest or motivation to protect them beyond not getting more spam from botnets. You can believe me or not, I don't really care; sharing results, not convincing you that those results are valid, is why I registered/posted here in the first place, and I've done that.
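The signing point in the post above can be checked mechanically before anyone reverse engineers anything. The following Python is an added example, not code from this thread or from Symantec: it parses a PE header and reports whether the Authenticode certificate table (data directory entry 4, which holds a file offset rather than an RVA) is populated. The two sample images it builds are constructed for the demo, and the certificate body is a placeholder, not real PKCS#7 data. A present blob only means something was attached; whether the chain is valid still has to be checked with the platform verifier (WinVerifyTrust or Get-AuthenticodeSignature on Windows), and, as the post says, a signed file only helps if the code that loads it actually checks.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200


def security_directory(pe: bytes):
    """Return (file_offset, size) of the Authenticode certificate table, or
    None when the entry is empty. Raises ValueError if the input is not a
    well-formed PE header."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20
    if size_opt < 2 or opt + size_opt > len(pe):
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:        # PE32
        count_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        count_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if count_off + 4 > opt + size_opt:
        raise ValueError("optional header too short for data directories")
    n_dirs = struct.unpack_from("<I", pe, count_off)[0]
    entry = dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_opt:
        return None
    off, size = struct.unpack_from("<II", pe, entry)
    return (off, size) if off and size else None


def authenticode_status(pe: bytes) -> str:
    """Triage verdict: is a signature blob attached at all? A present blob
    still has to be verified by the platform; this never answers 'valid'."""
    loc = security_directory(pe)
    if loc is None:
        return "unsigned"
    off, size = loc
    if size < 8 or off + size > len(pe):
        return "malformed certificate table"
    length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > size:
        return "unrecognised certificate entry"
    return "signature blob present (not yet verified)"


def build_sample_pe(signed: bool) -> bytes:
    """Construct a header-only PE32 image for the demo (not a real binary).
    With signed=True a WIN_CERTIFICATE record with placeholder contents is
    appended and referenced from the security directory."""
    n_dirs = 16
    opt_size = 96 + 8 * n_dirs
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", n_dirs)
    header_len = len(dos) + 4 + len(coff) + opt_size
    dirs = [(0, 0)] * n_dirs
    cert = b""
    if signed:
        body = b"FAKE-PKCS7-FOR-DEMO"      # placeholder, not real SignedData
        cert = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (header_len, len(cert))
    dir_bytes = b"".join(struct.pack("<II", a, s) for a, s in dirs)
    return dos + b"PE\0\0" + coff + opt + dir_bytes + cert


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                  # inspect a real file from the command line
        with open(sys.argv[1], "rb") as f:
            print(authenticode_status(f.read()))
    else:
        for flag in (False, True):
            print(f"signed={flag}: {authenticode_status(build_sample_pe(flag))}")
```

Run it with a path argument to triage a real file, or with no arguments to see the constructed unsigned and signed samples. The bounds checks matter: a crafted header with a certificate table pointing past the end of the file is reported as malformed rather than trusted.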



posted on Mar, 11 2009 @ 02:38 PM
Does this only affect new installs or isn't something Norton automatically searches for (during updates) and downloads to your PC? Do all norton users have this file or just certain people?



posted on Mar, 11 2009 @ 02:42 PM

Originally posted by themaster1
No made in usa crap please


Better uninstall Windows then! and while you're at it don't use the internet or even run any code on an Intel or AMD processor

[edit on 11-3-2009 by warpboost]



posted on Mar, 11 2009 @ 02:45 PM
reply to post by LooseLipsSinkShips
 


That is not completely known although the people that were seeing it were Norton 360 users and users of older versions of Norton Anti-Virus (2006 and 2007) in combination with ZoneAlarm (Zone Alarm was catching the file too).

Corporate versions like Symantec's Endpoint Protection did not appear to be affected (at least there were no reported cases of this file showing up).

It was part of an Update sent out on 3/9/2009 through Live Update.



posted on Mar, 11 2009 @ 02:48 PM

Originally posted by Achorwrath
reply to post by LooseLipsSinkShips
 


That is not completely known although the people that were seeing it were Norton 360 users and users of older versions of Norton Anti-Virus (2006 and 2007) in combination with ZoneAlarm (Zone Alarm was catching the file too).



Originally posted by gazzy_gui
How come you have it and i don't i use norton 360? odd huh


Seems like not all Norton 360 users are bothered by it.



posted on Mar, 11 2009 @ 02:55 PM
I'm at work now, but when I get home, is there a way to search Norton's files for this exact file? When found, is it easily deleted?



posted on Mar, 11 2009 @ 02:56 PM
I only commented that the majority of people that reported it were ones using Norton 360 and older Norton Products in combination with Firewall programs like Zone Alarm (it was even on Zone Alarms forum for a while).

Considering that Symantec pulled the file from the update servers quickly, it is possible that not everyone received this file.

From what I have read it seems that the PIFTS.exe file was a final file installed during the live update run.

As I do not have Norton (of any kind) installed, I am only going on the data that is out, including the 29 pages of this thread. It is entirely possible that PIFTS.exe was sent out to all retail versions but that a limited number of systems caught it.



posted on Mar, 11 2009 @ 03:48 PM

Originally posted by Terric
You know what?

Even though this will be swept under the carpet at some point and forgotten about as people get bored of banging their heads against the wall and more and more "credulous" lies come out about what this file does this whole thread is a testament to the lack of trust people put in large corporations - and for damn good reason.

It's likely the truth won't out about this file but just the sheer number of posts in this thread says "hey massive corp inc. we don't trust you, we don't like you and we're watching you like hawks!". It's good to see people on their guard - and intelligent people at that. It's this sort of thinking that is preventing these large companies silently monopolising everything. As always, we have the power not them simply because there are and always will be more of us than them.

Good work everyone!

T


I don't think people will get bored, especially since Norton used Anonymous and the /b/ army as a scapegoat. Norton is failware. Period.

Expect to hear more about the war between Anon and Norton in the future. They might even get put on Attack of the Show on G4!


For everyone else, it'll probably die without "big support". I know I've already said this, but, why not give Alex Jones a call? He'll make some noise and possibly get even more people interested... Just make sure he gets the official story.



posted on Mar, 11 2009 @ 04:11 PM
Been watching this develop since page 3.

Hope some people have taken up my suggestion (and many other suggestions) to abandon big business antivirus and change to one of the free ones.

Vista is enough of a system hog without bolting a bloated Symantec product onto it.

Aaaanyway.

Some people suggested contacting someone who could get this to the MSM and make them listen.

Alex Jones was mentioned. It is possible he would take an interest, but I don't think he'd be the greatest spokesperson. If he just exposes their lies to the masses without starting to rant about NWO controlled business and 'OMG there's an Illuminati in my exe' it would probably be ok.

I know the editor of Australia's biggest gaming magazine, PC Powerplay, and am going to forward the most informative posts on to them and see if they run with it. They love trashing the big companies.

But who can we bug in America?

If we get some suggestions together we could:

1) Start an online petition for Symantec to reveal the truth about the debacle
2) Contact the high profile person in question and forward them the most informative, well written and damning posts about the issue.
3) Make sure they are shown and understand the great work members have done on the .exe, such as the Anubis report and the analysis.

[edit on 11-3-2009 by fooffstarr]

[edit on 11-3-2009 by fooffstarr]



posted on Mar, 11 2009 @ 04:23 PM
Make sure ATS/ 4chan's /g/ / 4chan's /x/ / and other innocents are separated from 4chan's /b/ army /i/nvasion.

I like /b/, and they are funny, but sometimes they can devalue a cause.



posted on Mar, 11 2009 @ 04:52 PM
reply to post by tommyboy1981
 


Dude DON'T shoot the messenger!

I only call them like I see them.

I only have one interest at this point and that is the TRUTH.



A small exe!? .... AND?

I have written a 7.5KB keylogger which uploads the log file to an ftp of my choice!

I have written a trojan horse... 42KB with over 28 features including a keylogger, remote screen capture, remote webcam capture, system information viewer, firefox/ie password grabber, AND THE REST!

And i think that i could make a program which grabs users temp files and uploads them to an ftp easily under 2kb my friend!


I presume using your favorite assembler...

Not using the layered libraries bloatware language/environment this was written in.



If this program just looks up a few things then why is it so BIG more like!?

The facts remain! Pifts connects to swapdrive and uses temp files, probably uploading them!


Don't misunderstand my next statement...

I've followed some of your efforts and I'm with you.

The problem is these are (in my opinion) serious allegations...

'Probably' just doesn't get it done.

This is the point where SOME PROOF needs to be served up.

Show me the body.

For my part, I'm putting my keyboard where my mouth is... Digging out some... Something like 3 machines ago... You dig?





[edit on 11-3-2009 by golemina]



posted on Mar, 11 2009 @ 05:19 PM
29 pages and no one bothers to disassemble pifts.exe..


I was sent a rar file with the original patch files, started looking and found the thread on ATS imagine that... Comes around...


Full disassembly uploaded here

www.megaupload.com...

In human terms

I am PIFTS.exe
Start
what type of version of Symantec products are you running?
are you running any Product Information Framework (P.I.F.) software?
really? Then please tell me what version..
O, it is version as described by 60333AE5-B66E-4994-B15C-CA2D665CDC89.
Well in that case I have to inform you that I have some new code for you, here you go.
And in all cases, I am making sure that I write my stats back to the norton server, may I please do that?
Y/N
Sorry, I have to ask, but someone who wrote me forgot to sign me, so I am visibly annoying you with a question, causing 38.000 posts on the Norton Community forum, and giving a bad rep to anti-virus engineers everywhere.



SWC00413C48_Software_Symantec_InstalledApps:
unicode 'Software\Symantec\InstalledApps',0000h
SWC00413C88__PIF__B8E1DD85_8582_4c61_B58F_2F:
unicode '\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}',0000h
SWC00413CE0_Norton_Internet_Security:
unicode 'Norton Internet Security',0000h
Align 4
SWC00413D14__s_NisProd_dll:
unicode '%s\NisProd.dll',0000h
Align 4
SWC00413D34__d__d__d__d:
unicode '%d.%d.%d.%d',0000h
L00413D4C:
db 4Eh; 'N'
db 00h;
db 41h; 'A'
db 00h;
db 56h; 'V'
db 00h;
db 00h;
db 00h;
SWC00413D54__s_NavUI_dll:
unicode '%s\NavUI.dll',0000h
Align 4
SWC00413D70__s_NavProd_dll:
unicode '%s\NavProd.dll',0000h
Align 4
SWC00413D90_Norton_SystemWorks:
unicode 'Norton SystemWorks',0000h
Align 4
SWC00413DB8__s_NSWAlert_dll:
unicode '%s\NSWAlert.dll',0000h
SWC00413DD8__s_NSWCfg_dll:
unicode '%s\NSWCfg.dll',0000h
SWC00413DF4_Norton_360:
unicode 'Norton 360',0000h
Align 4
SWC00413E0C_N360:
unicode 'N360',0000h
Align 4
SWC00413E18__s_NTPAlert_dll:
unicode '%s\NTPAlert.dll',0000h
L00413E38:
db 4Eh; 'N'
db 00h;
db 50h; 'P'
db 00h;
db 50h; 'P'
db 00h;
db 00h;
db 00h;
SWC00413E40__s_NCOAlert_dll:
unicode '%s\NCOAlert.dll',0000h
L00413E60:
db 2Dh; '-'
db 00h;
db 31h; '1'
db 00h;
db 00h;
db 00h;
db 00h;
db 00h;
SWC00413E68_Version:
unicode 'Version',0000h
SWC00413E78__60333AE5_B66E_4994_B15C_CA2D665:
unicode '{60333AE5-B66E-4994-B15C-CA2D665CDC89}',0000h
Align 4
SWC00413EC8_systemState:
unicode 'systemState',0000h
SWC00413EE0_SOFTWARE_Symantec_PIF__B8E1DD85_:
unicode 'SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine',0000h
Align 4



Symantec is telling the truth, period.

MoonMine out

EDIT: Terminology

[edit on 11-3-2009 by MoonMine]
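The string table in the post above is the kind of output a wide-string pass gives before any real disassembly, and it is what lets MoonMine write the "in human terms" version. The following Python is an added example, not the thread's or anyone's original tool: it pulls UTF-16LE strings out of an arbitrary binary blob and tags the ones that look like registry paths, DLL names, format strings or GUIDs. The input blob is constructed inline from a few of the strings quoted in the listing plus some filler bytes; it is not the real PIFTS.exe.

```python
import re


def wide_strings(data: bytes, min_len: int = 4):
    """Yield (offset, text) for each run of at least min_len printable ASCII
    characters stored as UTF-16LE, i.e. each character followed by a 0x00
    byte. This is what a 'strings -e l' style pass finds in a Windows binary."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


GUID_RE = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")


def classify(text: str) -> str:
    """Rough triage tag for an extracted string. Order matters: a DLL path that
    also carries a %s format specifier is reported as a DLL name."""
    t = text.lower()
    if "software\\" in t or t.startswith("\\"):
        return "registry-path"
    if t.endswith(".dll"):
        return "dll-name"
    if "%s" in text or "%d" in text:
        return "format-string"
    if GUID_RE.fullmatch(t):
        return "guid"
    return "other"


def triage(data: bytes, min_len: int = 4):
    """Return [(offset, category, text), ...] for every wide string in data."""
    return [(off, classify(s), s) for off, s in wide_strings(data, min_len)]


# Constructed sample blob: a few code-like filler bytes and four of the
# strings quoted in the listing, each UTF-16LE encoded and NUL terminated.
# It is NOT the real executable.
SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x10"
    + "Software\\Symantec\\InstalledApps".encode("utf-16-le") + b"\x00\x00"
    + b"\x90\x90"
    + "%s\\NisProd.dll".encode("utf-16-le") + b"\x00\x00"
    + "%d.%d.%d.%d".encode("utf-16-le") + b"\x00\x00"
    + "NAV".encode("utf-16-le") + b"\x00\x00"     # 3 chars: below the default min_len
    + "{60333AE5-B66E-4994-B15C-CA2D665CDC89}".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x00\x01"
)

if __name__ == "__main__":
    for off, cat, s in triage(SAMPLE):
        print(f"0x{off:06x}  {cat:14}  {s}")
```

Short strings such as 'NAV' only show up when min_len is lowered, which is the usual trade-off with string extraction: a low threshold finds the product tags but also drowns the output in two- and three-character noise from code bytes.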



posted on Mar, 11 2009 @ 05:20 PM
I don't know if this is possible, but could there have been the chance of an employee of Symantec or Norton who felt this was very, very wrong, and coded this in a way to be slipped to the public like it has been?

With so many sharp people out there it would not take much for it to be caught like it has been.

With Norton being so quiet all day of the leak, looks like they need to hire some good spin doctors to clean this little mess up.



posted on Mar, 11 2009 @ 05:30 PM
Adding to my post:

Another source confirms my findings:

Function calls are basically



[It] determines what product is installed [...] by looking under the HKLM\Software\Symantec\InstalledApps registry key.
[It] determines the version of the installed product by looking at the file version information of a key product file.
[It] determines if PIF1 is installed [...]
[It] determines the version of PIF [...]
[It] determines if PIF is enabled [...]
[It] determines the version of PIF that LiveUpdate believes is installed [...]
The collected information, as described above, is reported to a Symantec server, called stats.norton.com[...].


From: www.javamex.com...

The statistics collection action triggers the window on the unsigned executable.

The executable is harmless.

Symantec is stupid for having allowed this to escalate all over the place.


A simple statement by a software engineer would have taken care of it...

There you go.

MoonMine




