SCI: Tech Fears Arise Over Norton and Pifts.exe

reply to post by MoonMine


Why the calls to winint?
Those have been verified by proccess explorer and anubis.

If that is all that has been called why do the others show up in the many posts of PIFTS to Anubis?

Just curious, also considering this is done every single time Live Update runs why would they need a seperate exe to perform this?



[edit on 11-3-2009 by Achorwrath]

I dont use norton and never have - why when theres perfectly good free software like AVG?

Talk about software conspiracy - IE is the most hacked browser going and tends to crash my PC and let in all sorts of viruses and stuff.

So why doesnt ATS let you log in using Chrome?

Originally posted by LooseLipsSinkShips
Does this only affect new installs or isn't something Norton automatically searches for (during updates) and downloads to your PC? Do all norton users have this file or just certain people?

I am running Norton Internet Security 2008 on three boxes and PIFTS.exe is not on any of them. As pointed out by other posters it looks like the nefarious file was only pushed to the users of the '06 and '07 product lines, along with the current users of 360. Of course I can't confirm any of that, but can say with certainty that my 2008 installs were not affected.

I have Norton 2009 on my Windows Vista machine and it doesn't have this file on it. Also searched roommates computers for it and they don't have it either.

Originally posted by MoonMine
29 pages and noone bothers to disassemble pifts.exe..

I was sent a rar file with the original patch files, started looking and found the thread on ATS imagine that... Comes around...

Full disassembly uploaded here

www.megaupload.com...

In human terms

I am PIFTS.exe
Start
what type of version of Symantec products are you running?
are you running any Product Information Framework (P.I.F.) software?
really? Then please tell me what version..
O, it is version as described by 60333AE5-B66E-4994-B15C-CA2D665CDC89.
Well in that case I have to inform you that a have some new code for you, here you go.
And in all cases, I am making sure that I write my stats back to the norton server, may I please do that?
Y/N
Sorry, I have to ask, but someone who wrote me forgot to sign me, so I am visibly annoying you with a question, causing 38.000 posts on the Norton Community forum, and giving a bad rep to anti virus engineers everywhere.

SWC00413C48_Software_Symantec_InstalledApps:
unicode 'Software\Symantec\InstalledApps',0000h
SWC00413C88__PIF__B8E1DD85_8582_4c61_B58F_2F:
unicode '\PIF\[B8E1DD85-8582-4c61-B58F-2F227FCA9A08]',0000h
SWC00413CE0_Norton_Internet_Security:
unicode 'Norton Internet Security',0000h
Align 4
SWC00413D14__s_NisProd_dll:
unicode '%s\NisProd.dll',0000h
Align 4
SWC00413D34__d__d__d__d:
unicode '%d.%d.%d.%d',0000h
L00413D4C:
db 4Eh; 'N'
db 00h;
db 41h; 'A'
db 00h;
db 56h; 'V'
db 00h;
db 00h;
db 00h;
SWC00413D54__s_NavUI_dll:
unicode '%s\NavUI.dll',0000h
Align 4
SWC00413D70__s_NavProd_dll:
unicode '%s\NavProd.dll',0000h
Align 4
SWC00413D90_Norton_SystemWorks:
unicode 'Norton SystemWorks',0000h
Align 4
SWC00413DB8__s_NSWAlert_dll:
unicode '%s\NSWAlert.dll',0000h
SWC00413DD8__s_NSWCfg_dll:
unicode '%s\NSWCfg.dll',0000h
SWC00413DF4_Norton_360:
unicode 'Norton 360',0000h
Align 4
SWC00413E0C_N360:
unicode 'N360',0000h
Align 4
SWC00413E18__s_NTPAlert_dll:
unicode '%s\NTPAlert.dll',0000h
L00413E38:
db 4Eh; 'N'
db 00h;
db 50h; 'P'
db 00h;
db 50h; 'P'
db 00h;
db 00h;
db 00h;
SWC00413E40__s_NCOAlert_dll:
unicode '%s\NCOAlert.dll',0000h
L00413E60:
db 2Dh; '-'
db 00h;
db 31h; '1'
db 00h;
db 00h;
db 00h;
db 00h;
db 00h;
SWC00413E68_Version:
unicode 'Version',0000h
SWC00413E78__60333AE5_B66E_4994_B15C_CA2D665:
unicode '[60333AE5-B66E-4994-B15C-CA2D665CDC89]',0000h
Align 4
SWC00413EC8_systemState:
unicode 'systemState',0000h
SWC00413EE0_SOFTWARE_Symantec_PIF__B8E1DD85_:
unicode 'SOFTWARE\Symantec\PIF\[B8E1DD85-8582-4c61-B58F-2F227FCA9A08]\PifEngine',0000h
Align 4

Symantec is telling the truth, period.

MoonMine out

Oohh ReeeheheeeALLLLLLY!?

Which truth is that?

The truth they told about when and why they started deleting threads/questions/posts and usernames? Wait for it, OOOHHH... that statement wasn't true... Then which truth are you referring too?

The truth they told when they first issued their statement about what that pifts.exe file does, ie, it just searches for program update info? Oh I get it that must be the truth you're referring too...HMM!

Well then what about their second statement? Oh, that statement is to good to post to your response, at least for now... seeing how you just posted all that stuff. I know, why don't you go read their second statement about pifts.exe and what it does, and then come back and tell everyone what truth Symantec is telling as you see it.

(here’s a hint, go back to 20 thru 28 and start there and then work your way forward...) I would give other sites but that wouldn't be fair to your Symantec is telling the truth period statement...)

--Charles Marcello

I only read 2 or 3 pages, so IDK if this info is relevant anymore or not. I am one of the anons over from 4chan. I usually roam around in the /b/ forums. Anyways, have you guys heard of the whole Battle Toads ordeal? 4chan users enjoy calling Gamestops all around the world and asking for the game Battle Toads just to piss the workers off.

Maybe that is all that is happening here. 4chan may have posted over 100 threads on this file in the forums, and originally Norton WOULD have answered any questions. But now that they obviously know they are just being messed around with, they just ignore it and call it spam.

Catch my drift?

PIFTS.EXE and User Information Disclosure and System Changes There are numerous reports claiming that PIFTS.EXE collects and submits user data, specifically reading of IE browser cookies, and claims that PIFTS.EXE makes system modifications, specifically changes IE settings, and further reports that these claims are substantiated by automated analysis systems. PIFTS.EXE uses the Microsoft Windows InternetOpenURL() API to submit the collected PIF state to Symantec. The InternetOpenURL() API internally reads various system configuration settings, including Microsoft Internet Explorer settings and files, and can also result in changes to the IE cache and temporary files folders. PIFTS.EXE does not directly read any user data, PIFTS.EXE does not directly make any system changes, and PIFTS.EXE does not transmit any user data to Symantec. To demonstrate the InternetOpenURL() API behavior, I created a small application called TestPIFTS.EXE. This is a Windows application, written in C++, and compiled using Visual C++ 9.0 SP1. The application does nothing more than open a URL on the Symantec web server. The full source code and binary is available for download, here is a summary: szAgent = _T("TestPIFTS"); szURL = _T("http://www.symantec.com/index.jsp"); InternetOpen(szAgent, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); InternetOpenUrl(hInternet, szURL, NULL, 0, 0, 0); InternetCloseHandle(hURL); InternetCloseHandle(hInternet); To analyze the TestPIFTS.EXE behavior you may use a variety of forensic and troubleshooting tools, including the Microsoft Process Monitor utility used to observe system modifications, and the Microsoft Network Monitor utility used to observe network communications. Using Process Monitor you will notice that TestPIFTS.EXE reads lots of registry keys, reads lots of files, and makes some changes to the IE cache and temporary files folder. Using Network Monitor you will notice that TestPIFS.EXE generates a HTTP GET request to the www.symantec.com server. All the system and network activity is a result of using the InternetOpenURL() Windows API. Some of the reports substantiate their claims based on the automated analysis of PIFTS.EXE by the Anubis server. For comparison, I submitted the harmless TestPIFTS.EXE binary to the Anubis server for comparative analysis. The Anubis analysis of PIFTS.EXE and TestPIFTS.EXE (the application that does nothing more than open a URL on the Symantec web server) produces the same results, including the modification to the system. Yet, the TestPIFTS.EXE source code clearly shows no system modification or data collection is taking place. I could also not reproduce the Anubis system registry modification results using Process Monitor. PIFTS.EXE does not directly read any user data, PIFTS.EXE does not directly make any system changes, and PIFTS.EXE does not transmit any user data to Symantec. Here are the reports for PIFTS.EXE and TestPIFTS.EXE: anubis.iseclab.org... anubis.iseclab.org...

I think the following reply from PeterV (symentec employee) on the Norton forum is very telling.

(see here: community.norton.com... )

Quote:

"There are numerous reports claiming that PIFTS.EXE collects and submits user data, specifically reading of IE browser cookies, and claims that PIFTS.EXE makes system modifications, specifically changes IE settings, and further reports that these claims are substantiated by automated analysis systems.

PIFTS.EXE uses the Microsoft Windows InternetOpenURL() API to submit the collected PIF state to Symantec. The InternetOpenURL() API internally reads various system configuration settings, including Microsoft Internet Explorer settings and files, and can also result in changes to the IE cache and temporary files folders.

PIFTS.EXE does not directly read any user data, PIFTS.EXE does not directly make any system changes, and PIFTS.EXE does not transmit any user data to Symantec."

End quote.

Note the use of the word "directly"


It's like when TV companies say they don't turn up the volume when adverts come on - It's true they don't - they turn the volume of the program your watching down !!

It implies that Pifts.exe is using other already installed programs to the dirty work.

Plausible deniability ?

reply to post by xBRINGxONx2012x



Go back to failchan

Norton was deleting legitimate PIFTS threads way before the first 4chan spam thread appeared. Like the bunch of fail trolls you are, you then proceeded to give Symantec a reason for deleting any PIFTS threads by your fail attempt at raiding. "hurr hurr hurr we are l33t spammers hurr hurr" In true btard fashion you also decide to make a meaningless post about something you know nothing about. ATS mods should ban anyone who even mentions affiliating with 4chan or being Anon lulz.

Originally posted by wiredamerican
I think I have got a hint by somebody doing some digging. Here is a statement about what he is speculating. It is Spying on its users! I have a feeling they are deleting the posts in the norton message board because their terms of service problably forgot to include about the spying part.

Man I will tell you. I became certain that some of these services were actually letting certain things into my PC or at least were not serving the customer lets just say that. After getting rid of the program my PC worked a lot better.

Also, I had a tech look at my PC. He found an unidentifiable program running in the start up. Didn't even have a name. Said it shouldn't be there and removing it my be harmful.

As well have you seen these Trojans that actually fight with virus scan programs. I mean ones that are already in the system and so you run a free deal like housecall. I had one that totally ate housecall and spit it out!

Originally posted by Did you see them
Note the use of the word "directly"

here is the (decompiled) code that they are using to connect to the internet. As is often helpful I have changed function and variables names from automatically generated names to rational usage based names... also I've removed some unused/redundant local variables that don't effect the way the code operates.

int __cdecl fetch_url(LPCWSTR lpszUrl)[

HINTERNET hInet; // eax@1

int err; // esi@1

DWORD err2; // esi@4



err = 0;

hInet = InternetOpenW(&szAgent, 0, 0, 0, 0);

if ( !hInet || !InternetOpenUrlW(hInet, lpszUrl, 0, 0xFFFFFFFFu, 0, 0) )[

if ( (signed int)GetLastError()

4chan's /g/eeks may be on something...



Al CIAda led Anons attacked Norton forums which has somewhat ruined our credibility?

What do you guys think?

I get it now: PIFTS.exe

people informed but fooled through subterfuge dot executable

[edit on 11-3-2009 by themaster1]

Originally posted by RFBurns
...Obviously you need some networking classes.

Had them, thank you very much. I am a MCSE, CNE, CCA, and CCNA. But nice try in trying to disparage me. Shoot, I bet you don't even know the difference between a routed protocol and a routing protocol.

The hardware I sit behind is quite effective, customizable and has worked for my purposes for over 10 years. Now I have never had ANY virus attacks, or attempts to get into my networks since installing this system, and it seems to work extremely well.

If you were as good at networking as you seem to think you are, you would know that a firewall has ABSOLUTELY NOTHING TO DO WITH WHETHER YOU CATCH A VIRUS OR NOT. You could be behind 50 billion firewalls, and still catch a virus.

The two routers, the industrial ones, are not your typical off the shelf wal mart made in china POS's. These are Cisco routers

I am very familiar with Cisco routers, having installed and configured many hundreds of them, including one for an ISP backbone that probably cost more than your house. Here's another clue for you... turn over that Cisco router, and see where it was made. Why do you think the Pentagon is talking about replacing their Cisco products? (It's not just the "fake" Ciscos they are talking about replacing) BTW, Ciscos are just RISC chips. The power and flexibility comes from the IOS.

(Cisco does one thing better than all the other companies out there: If you have their maintenance agreement, they will talk you through a configuration issue, or send you out a new router/switch without question.)

and I control those in real time on seperate pc's running nothing but their control software.

No, you may MONITOR them in real time, but you don't "control" them in real time. Although you could telnet (via IP or Console) into them, or use another program to do so, all that does is change the running config, or the startup config, it is not "controlling them" as you have put it. (Besides, REAL network engineers use the CLI! ) A closer metaphore would be that it would be like adjusting the autopilot of a plane 2 degrees to starboard. The "control software" for Cisco routers run from the integrated or plugged-in flash-rom, and are stored as configuration files, and executable binaries. The most you could do is tell it to obtain it's IOS and startup config file from a TFTP server.

The other 3 are typical off the shelf routers to which each are in fact both firewalls and router combinations.

There are very, very few firewall/router combination devices, and I doubt whether you have them. A firewall with a DMZ is not a "router". Does your "firewall/router" understand RIP/OSPF/BGP, etc? Can it translate between those? Can you assign costs with routes? No? Then it's not a "router", it's as simple as that. It behaves more like a layer 3 switch, with Stateful Packet Inspection (or, in other words, A FIREWALL)

Then there is of course the OS firewalls...useless IMO.

You DO realize that the CISCO IOS is SOFTWARE, right? Believe me, I know it's software, because I've updated enough IOSs in my time.

Anyway what works for me is working just fine. And has been for 10 years. Obviously I am doing something right..and everyone else is not with all this cry wolf over some file getting into their systems.

This isn't about some file that "got into their systems". It's about a file PUT THERE by Symantec, and does weird things that it should not be doing. Guess what buddy? If you ran the affected software, you would have it too. Know why? BECAUSE YOU WOULD HAVE HAD TO OPEN THE OUTBOUND PORTS TO ALLOW SYMANTEC AV TO COMMUNICATE TO IT'S HOME SERVERS. If you were really cognizant of networks, as you claim to be, you would already know that.

One other thing to toot my own horn. I once (by mistake) did something with a 2600 that Cisco will tell you is impossible. Due to an IP subnet miscalculation, I had that 2600 ROUTING (not bridging) when both sides of the router contained the same subnet. The only thing it would not do was to allow incoming RDP traffic to a server, everything else worked fine, including internet browsing. (Had to break out an IP subnet calculator on that one, because I miscalculated it by hand.)

[edit on 12-3-2009 by sir_chancealot]

Originally posted by baahl
...An ethereal trace showing exactly what it is being sent to their server would be a good step in proving or debunking that it is doing something nefarious.
...

I must be getting slow in my old age. I never thought about running a packet sniffer and checking that out.

29 pages and noone bothers to disassemble pifts.exe..

Recoded Symantec crap already ; sick of it. Who cares. Delete it.

Flaming bag off sht is better than any security solution Symantec has to offer.

The most important question to be answered is this. If Symantec was so innocent as they and some on this thread claim, then please answer this question. What is so important about Symantec’s innocence that they had to lie???

Whether you believe their story about that executable file or not, which I’ll get into in a second, everyone who has followed this story from the beginning must admit Symantec flatass lied about when and why they started deleting and banning anyone who mentioned the word or subject PIFTS.EXE. What is so important about Symantec’s innocence that they had to lie?

Did they post other lies? Before I begin I want you to remember two things. One is the question above, and two, in government and in business… a lie can always be found in the truth and the truth can always be found in a lie.

Let’s Begin!

When this thread/subject/issue first began I was completely skeptical… That is why I stayed silent for so long. I was actually on the side of Symantec until they opened their mouths. From their very first official statement on this subject my BS o’meter started to beep. By the time I read their second statement to the media, on top of what they had posted on their website, my BS o’meter was going crazy… After spending twenty-four hours, looking at several links, and reading everything Symantec had to say about this issue, I can honesty say, in my opinion, they are lying… Which forced me to ask this simple question… What is so important about Symantec’s innocence that they have to lie? That simple question is hard for me to comprehend, so how deep does this little rabbit hole go? As far as I can tell there are only two possibilities that would allow for this kind of blatant lies/massive cover-up. If either of these possibilities are even remotely true, then this will be the biggest story to hit computers since the Internet… Maybe even bigger then that!

1 - As someone within this thread mentioned… What if this pifts.exe file is such a huge security breach that Symantec is completely afraid, because if word leaks out every single AV program they have is wide open. If that is true, that would surely explain the first lie… Even Symantec admits this pifts.exe attaches itself to some of the most important .DLL files in IE and Windows. Does that fact prove NAV06 - 07 and 360 (lie number two) can be compromised by non-certificate executable files. Not only that… this exe could point the way into every single program and database Symantec has. From the highest dollar/secure Government to Fortune 500 Company AV’s to the ones sold in Wal-Mart, Best Buy etc…

Now that would be important enough to start deleting any and all mention of this exe file, and then lie about when you started doing it, praying the story would die. Let alone the fact on their website they don’t even mention NAV 360 receiving that file, but they did in their second news release, and even explained how NAV 360 offers data backup to their recently purchased storage site. Now that is a heck of a qawinkadink! If you read the first ten pages of this thread you will see that is a fact. If you follow the news article links you will see they admit NAV 360 received this file as well. IF, that pifts.exe file was for how many NAV ‘06 and ‘07 people will clog up their servers, as they claim on their official website, then why was that exe file sent to NAV 360 because it still uses NAV ‘07 as its AV? If so, then for those who have NAV 360 I would think it would be important to let them know as well… Why did Symantec omit that information from their official website, an accident? Really… another one? Hmm!

(continue below)



[edit on 12-3-2009 by littlebunny]

reply to post by littlebunny


If this is a security issue that would explain the blackout that happened on more then one website.
“Hey Frank, dude we got a serious situation here. I need your help buddy… Please delete every post and every link or search result for pifts.exe . IF word gets about this file and the people learn about our weakness, the whole damn world could be infected or shut down.”

Now I don’t care who you are, if you heard something like that, you would help as quickly as possible. Just because these people are competitors doesn’t mean they aren’t friends. Now, for those of you who are still following this thread, and you posted a question on Symantec’s website before the spammers showed up and your post was still deleted. Go into your Internet Temp files and save all the index’s links for 3/9/09 until 3/10/09. You can easily find Symantec’s website within those indexes and post the time stamp along with your message here on ATS. This will prove the first lie!

IF the reason for the cover-up is that exe file is a massive bug, then this entire world could be in for a massive computer armageddon. All it will take is one 13 year old with to much time on his hands, or some other geek who does this simply because he can, Or North Korea, Iran, Russia, China, terrorists… You add the enemy or people with the skills and the money… And Symantec keeps this breach to themselves with this massive cover-up/lie… Holy mother of pearl… If you’re a government agency and your reading this, if you don’t put a bright white light to these people's faces and the SHTF, we are all in deep trouble. I mean for those of us who frequent this website, and all the stuff that is mentioned here… Could this simple little ol’ EXE cause the downfall of our world as we know it? REALLY?
Not to mention, if you’re a company that uses NAV software or just some person sitting at home and Symantec continues to lie and you keep this software on your computer(s)… Well then, good luck with that… I‘m just sayin!

Now obviously I could spend a lot more time on the above issue, however I believe my point on part 1 is made.

Number 2 - What if what has been posted all over the Internet is true. This pifts.exe file is a backdoor for data mining? Now this would be a monster story because its never been officially known about. However, how many of you really think there has not been secret addendums to the Patriot Act. I mean that act openly FORCES ISP’s to save every single customer’s emails for up to seven years. Now how many of you believe the government wouldn’t want to have a secret data mining program that grabbed information from all computers who have NAV software, whether they use that program or not?
Think about this… They can only have a few thousand people looking at people’s surfing habits at any given moment. However, if you could data mine and then put in hot words, like: anti-government, bomb making, anarchy, rebellion, etc… etc… What if ten thousand people matched all four of those simple data mining queries? Or your computer matched one or two.
If the government is just watching blindly, statistically, them ever finding a bad person is close to zero. However, if this secret program exists… now they have a serious way to find all who threaten them, perceived or real! And if Symantec called up Google and said, “holy crap Frank one of my employees accidentally leaked that secret pifts.exe file… If people find out every single one of us will cease to exist over night. delete everything about pifts.exe and all info showing any searches.” IF there is a forced secret government data mining program, now that could force action by every citizen the world over Not to mention that would force every other AV Company to keep their mouths shut instead of jumping all over this Symantec embarrassment.

(continue below)

[edit on 12-3-2009 by littlebunny]

reply to post by littlebunny


(final post)

This accidental leak would be huge, there would be a full court press by every government and AV agency, from all over the world, from every country, from every person who can get on the internet and down play this story! Sadly Symantec was not smart enough to tell the truth about a very simple fact. They deleted posts way before spammers got a hold of this story. So I must ask this question again…. What is so important about Symantec’s innocence that they had to lie?

Once again, I could spend a very long time talking about this issue at great length, posting web link after web link talking about how this exe file appears to data mine. If this is a government full court press, regardless, there will be people, or countries who will find out the truth, regardless of how hard the government and Symantec try to cover this up.
You think people are mad about these bailouts giving mulligan’s to extremely rich people, states, and other countries who made bad finical investments, while middle class and poor people are harassed to pay their bills on time or face massive penalties, like I don‘t know… losing their house… But these rich people get all their money back?
IF you think that had almost blown into a full scale rebellion. Let mom and pop, or Dave the truck driver, Sam the shop keeper, Harvey the milkman, Susan the small business owner find out their governments the world over sees and knows all they are doing, searching, and watching on the Internet at any damn time their government chooses, including live. How the heck do you think on top of everything else the governments are doing and have done around the world, how do you think that is gonna play out if that secret was ever leaked? I would say that is one heck of secret that would force all involved to get busy trying to cover it up as quickly as possible. And that would be big enough to lie, both of these issues would… I know I would try and cover this up pretty damn quick… What do you think?

Why did Symantec lie? Why? That bothers me to no end! Why did they omit information from their official website? Why did they give a different account to another online news agency? Read the first ten or fifteen pages to see exactly what I am talking about… Follow the links… If you posted on Symantec before the spammers showed up, post your time link here along with your valid question. I know Symantec thinks this story is starting to die down, however if you’re a journalist and you want to make your mark, I guarantee this could be the biggest story of your entire life. ATS this is what your site is all about… Something is horribly wrong. Follow the leads, follow the facts, follow the truth within the lies, and the lies inside the truth. And as you do, keep asking this one simple question. What is so important about Symantec’s innocence that they had to lie.

--Charles Marcello

UGH there seems to be a key logger in the code..odd
I think it may be stealing personal information and sending it to Africa
also the code was written by Mark Russinovich. If anyone cares enough to reasearch him and see his relation to symantec go right ahead.