SCI: Tech Fears Arise Over Norton and Pifts.exe

just found this on the Symantec site...someone obviously pee'd off with PIFTS.exe

community.norton.com...

I have access to 4 computers with Norton. None of the machines contain PIFTS.EXE.

Still, even if this is probably a joke by 4chan, I wouldn't recommend Norton. Not for any conspiracy theory, it's just very expensive, bloated and uses far too much system resources.

Glad I personally moved to linux.

There's really no proof of Norton AV (or any other AV company) trying to cover "pifts.exe" up. Granted, the anti-virus industry isn't fool proof by any means. Hundreds of new virii are released on a daily basis. The high end AV companies do the best they possibly can to eradicate malicious functions as fast as possible. Some even pay people to write malicious functions that beat their software, in order to improve their ability to prevent/remove this type of problem. Is it dirty? Yes. Are they intending to harm the masses with it? No. Basically what I'm saying is, I'd give this file a week or two to become discovered before I jumped to any conclusions.

By no means do I disagree that threads regarding this file are being removed from Nortons' and several other AV forums. That's definately a bit suspicious all by itself. Before coming to any conclusions, though, I would wait and see what the 'independant' (trustworthy?) AV companies have to say about this file. Obviously, executing it without knowing what it is would be a huge mistake. Don't do that. I highly suggest waiting it out.

Star for warning us about this file, though. Much appreciated.




P.S. Found this:

According to my ZoneAlarm logs, the "PIFTS.EXE" program attempted to access the Internet twice. The first instance was automatically blocked. The second attempt, about 5 hours later, is the one that manually prompted me for a response.

The first attempt that was automatically blocked was attempting to access a destination DNS of " stats.norton.com ". So, my professional guess is that this supposed Norton "Update" was actually being used by Norton for analytical/statistical/demographic information. In other words, Norton was snooping on its users. Or worse yet, profiling its users.

The "PIFTS.EXE" file is located within the "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\Updt61" folder on my hard drive. The "UpdtXXX" folder (where "XXX" may be any 2 or 3 digit number) will most likely be different in your computer. By default, the "Application Data" folder is hidden. And if searching for the "PIFTS.EXE" file, you will need to alter the "More Advanced Options" to include "Search Hidden Files and Folders". By default, the Windows Search utility does NOT search hidden files/folders.

In my case, the "Updt61" folder was created on 3/9/2009 at 7:29 p.m. But, the "PIFTS.EXE" file was created on 3/4/2009 at 6:05 p.m. Clearly indicating that Norton planned this "update" (a.k.a sniffer) and programmed it to kick off on 3/9/2009.

Source



- Strype

it is somehow real, go to norton community board and check a Pifts.exe thread wait 4 min and press F5 for refresh u will see it is gone!

"The message you are trying to access has been deleted. Please update your bookmarks."

community.norton.com...

Why they are not simply come up with a statement?
They are deletingposts and even ban customers!

answers.yahoo.com...


seems that symantec is doing the same sort of thing.

And norton....
www.tech-linkblog.com... es-run-rampant-due-to-piftsexe.html/

[edit on 10-3-2009 by DaRAGE]

someone just posted this on the Symantec forum:-

community.norton.com...

Copied and pasted before deletion....

sɹǝʍsuɐ ʇɔǝdxǝ ǝʍ puɐ snoıɹǝs sı sıɥʇ
pǝzɹ0zuɐq ɥǝʇ sɐʍ ı

˙sʇunoɔɔɐ ʞuɐq sɹǝsn pıɐs ɯoɹɟ spunɟ uıɐƃ oʇ uoʇɹou ɯoɹɟ uǝloʇs uoıʇɐɯɹoɟuı ǝɥʇ ƃuısn ʇold ɹoɹɹǝʇ ɹǝqʎɔ ɹǝdǝǝp ɐ ɟo ʇɹɐd sı sıɥʇ uoısnlɔuoɔ ǝɥʇ oʇ sn pɐǝl uoıʇɐƃıʇsǝʌuı ɹǝɥʇɹnɟ ˙oʇ ʇuǝs ƃuıǝq sɐʍ uoıʇɐɯɹoɟuı ǝɥʇ dı ǝɥʇ ʇɐ ƃuıʞool ʎq sıɥʇ puıɟ oʇ ǝlqɐ ǝɹǝʍ ǝʍ ˙ɐɔıɹɟɐ uı uoıƃǝɹ uɹǝɥʇou ɐ ɟo ʇno pǝsɐq llǝɔ ɐpınb lɐ uɐ oʇ sǝıʇ ǝʌɐɥ oʇ pǝʌǝılǝq sı lɐnpıʌıpuı sıɥʇ



˙s,ɔd sɹǝɯoʇsnɔ uoʇɹou uo pǝɹoʇs uoıʇɐɯɹoɟuı lɐuosɹǝd uıɐʇʇɐ oʇ ʍɐlɟ sıɥʇ ʇıoldxǝ oʇ ʎɐʍ ɐ pǝuƃısǝp uǝɥʇ ǝɥ ˙ɯǝʇsʎs uoʇɹou ǝɥʇ uı ʍɐlɟ ɐ puıɟ oʇ ǝlqɐ sɐʍ lɐnpıʌıpuı uɐ pɹǝʌoɔsıp ǝʌɐɥ puɐ ʎlɐɯouɐ ǝxǝ˙sʇɟıd ǝɥʇ ʇɐ ʞool oʇ ǝlqɐ ǝɹǝʍ 'sɹǝʞɔɐɥ snoɯʎuouɐ ɟo ɯnɹoɟ ɐ 'sɯnɐqǝ ʇɐ ǝɹǝɥ ǝʍ

One poster on the Zone Alarm forums wrote the following:

According to my ZoneAlarm logs, the "PIFTS.EXE" program attempted to access the Internet twice. The first instance was automatically blocked. The second attempt, about 5 hours later, is the one that manually prompted me for a response.

The first attempt that was automatically blocked was attempting to access a destination DNS of " stats.norton.com ". So, my professional guess is that this supposed Norton "Update" was actually being used by Norton for analytical/statistical/demographic information. In other words, Norton was snooping on its users. Or worse yet, profiling its users.

The "PIFTS.EXE" file is located within the "C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\Updt61" folder on my hard drive. The "UpdtXXX" folder (where "XXX" may be any 2 or 3 digit number) will most likely be different in your computer. By default, the "Application Data" folder is hidden. So, you may need to unhide the folder first before viewing its contents. And if searching for the "PIFTS.EXE" file, you will need to alter the "More Advanced Options" to include "Search Hidden Files and Folders". By default, the Windows Search utility does NOT search hidden files/folders.

In my case, the "Updt61" folder was created on 3/9/2009 at 7:29 p.m. But, the "PIFTS.EXE" file was created on 3/4/2009 at 6:05 p.m. Clearly indicating that Norton planned this "update" (a.k.a sniffer) and programmed it to kick of on 3/9/2009. At least, that is my humble, professional opinion.

forums.zonealarm.org...

Based on this, my guess is that this is a program that collects information about infections to be sent to norton for analysis. Most mainstream security software offers an OPT IN button for this but, if norton has not given you the option, it's indicating they're not too interested in your privacy.

From what I understand, the information COULD show things like:
spyware you picked up while surfacing the internet.
What site you picked it up
Basic computer configuration
POSSIBLY personally identifiable information depending on the collecting program.
If norton did not give people an option to OPT OUT, that's just crappy.

I've never been a fan of norton as it's always been slow, bloated, and too intrusive into your OS.
I personally prefer Trend Micro Internet Security. It offers Anti-virus, Firewall, anti-spyware, etc... the whole bit and it's competatively priced.
By the way you can download a 30 day trial version of Trend Micro Internet Security 2009 from their website so you can try it out. It will also perform a pre-install scan to make sure you don't have any virus', etc.. to make sure you get a good install. Just an FYI, I don't work for TM, and in the past, I've used McAfee, norton, AVG antivirus (free and not bad when combined with free zone alarm).
I also recommend using a stand alone anti-spyware program
My favorites are:
Stopzilla (paid) my favorite
Adaware (free)
Spyware Doctor (paid)
Spybot search and destroy (free)
webroot spysweeper (paid)
Spyware doctor (paid)
Spyware doctor starter edition (free)
You can download all these at www.download.com which is CNET's download section. Some of these might let tech support help you find out what's going on with the pift.exe file

I've used all of these and they're all good but they won't all work together so before buying any, make sure they're compatible with your other security software.

[edit on 10-3-2009 by jfj123]

We here at Ebaums, a forum of anonymous hackers, were able to look at the PIFTS.exe anomaly and have discoverd an individual was able to find a flaw in the Norton System. He then designed a way to exploit this flaw to attain personal information stored on Norton customers PC's.

link will be gone
That was posted by White_Knight

Originally posted by paddz420

We here at Ebaums, a forum of anonymous hackers, were able to look at the PIFTS.exe anomaly and have discoverd an individual was able to find a flaw in the Norton System. He then designed a way to exploit this flaw to attain personal information stored on Norton customers PC's.

link will be gone
That was posted by White_Knight

I think you can assume this is bulls**t.

The Norton boards are just being spammed now.

I still have no proof this file actually exists and this whole thing is nothing more than a joke by a bunch of people with nothing better to do.

I still have no proof this file actually exists and this whole thing is nothing more than a joke by a bunch of people with nothing better to do.

if it pops up on my end I will take a screen shot and post.

Originally posted by sadisticwoman

hey /g I was running my dad's computer tonight when a popup from norton asked me if I wanted to allow pifts.exe, I tried googling to see what it was and I am not getting any information. Anyone know what the hell this exe is? Also apparently any thread related to pifts.exe is being deleted on the norton forums.

zip.4chan.org...

Yep, that's right. Something that Norton is saying is just a regular update is requesting internet access. I know 4chan isn't everyone's idea of a good news source, but this is being talked about all over the internet, despite Norton's attempts to delete everything concerning the issue.

www.tech-linkblog.com...#

Hey /x/, /g/ needs your help on something. Some seriously shady # is going doing. The makers of Norton are involved in a coverup of some sort. A part of the program tried to access something in Africa. People asked them what it was.

They are deleting every single message about it on their forum and banning users who post them about PIFTS.EXE. We are trying to figure out what the hell it does, and why they are trying to cover it up. If you search Google for it you will find deleted posts in their forums.

What is pifts.exe and why are they trying to cover it up?

zip.4chan.org...

Whether you believe this is something malicious or not, it is worrying the lengths the company will go to stop people from asking questions about pifts.exe
It's also strange that it's trying to access Africa.

If you have Norton on your computer, I currently advise you to not allow pifts.exe through your firewall. Looking through its .dll, it accesses your IE history, and for some reason accesses Google as well.

[edit on 10-3-2009 by sadisticwoman]

[edit on 10-3-2009 by sadisticwoman]

Maybe it's short for Personel Internet Firewall Tracking System

Seriously, you should remove Norton AV from your computer.
Your Computer will thank you by running 2-3 times faster.

___ __ _
FULL HTML REPORT ON PIFTS.EXE HERE

Analysis Report for PIFTS.exe
MD5: 91b564d825a3487ae5b5fafe57260810

Summary:
- Changes security settings of Internet Explorer:
This system alteration could seriously affect safety surfing the World
Wide Web.

- Performs File Modification and Destruction:
The executable modifiesand destructs files which are not temporary.

- Performs Registry Activities:
The executable reads and modifies registry values. It also creates and
monitors registry keys.


Table of Contents


- General information
- sample.exe
a) Registry Activities
b) File Activities
c) Windows Service Activities
d) Process Activities
e) Network Activities
f) Other Activities
- services.exe
a) Registry Activities
b) File Activities



1. General Information

Information about Anubis' invocation

Time needed: 85 s
Report created: 03/10/09, 11:14:21 UTC
Termination reason: All tracked processes have exited
Program version: 1.67.0


Global Network Activities


Unknown UDP Traffic:

From ANUBIS:1025 to 192.168.0.1:53
State: [ Normal establishment and termination ],
Outbound Bytes: [ 34 ], Inbound Bytes: [ 395 ]



2. sample.exe

General information about this executable

Analysis Reason: Primary Analysis Subject
Filename: sample.exe
MD5: 91b564d825a3487ae5b5fafe57260810
SHA-1: 782569ebde2ba72d1a55cfa6e19863c9439199a3
File Size: 102400 Bytes

[edit on 10-3-2009 by tommyboy1981]


Mod edit: Page format and EX tags added.
Mod Edit: New External Source Tags – Please Review This Link.

[edit on 10-3-2009 by sanctum]

[edit on 10-3-2009 by sanctum]

reply to post by tommyboy1981


Where did you get this information from? (Perhaps you can add the proper [ ex ] tags and add a source?)

Edit: Source noted.

[edit on 10-3-2009 by Gemwolf]

Interesting thread.

As a sidenote most of the portuguese technical community dumped Symantec products a couple of years ago, due to performance issues and bloatware.

Big business tends to lead to fascist behaviour, so I am not surprised if this turns out to be some sort of data mining exploit by the part of symantec.

But to be fair minded, and especially considering the source, let's remember this could be a coordinated attack done by the likes of anon, 4chan or even the competition, so, untill more details come out we should give symantec the benefit of doubt...

...although at the moment it looks bad.

There are better antivirus solutions on the market, and also the possibility of changing OS which would address the root cause, ie, the general vulnerability of Windows, which is about as secure as panties in a whorehouse.

CONTACTS

stats.norton.com DNS_TYPE_A 67.134.208.160 1

As usual on here doom and gloom! Its for statistical purposes only! No auto runs created or anything. Waste of my time!

WARNING WARNING

Antivirus360 has gotten into the act and if you try to google Pifts.exe you will walk into one of there traps.
www.ripoffreport.com...

You will first get a pop-up for pifts.exe and then get a warning from AV360 that your computer is infected and them trying to sell you there Antivirus.

I believe pitfs.exe is a piece of malware that was seeded on the internet BY AV360 and the seeded a large number of AV companies sites asking about it so that people would go to google looking for information on Pifts,exe and walk right into AV360s trap.

That is why it looks like the Antivirus companies are pulling it from there forums.
What they are doing is banning the poster (shill for AV360)that posted it on there site.
This deletes the subject from there forum.

I did not find this .exe after running inside VM. I did however affirm to myself why I stopped using microsoft years ago. I updated Nortons and left it running for an hour now while recording everything it did and nothing came up. No such file found in any folders associated with norton's. I can only presume that norton engineers are getting a BOHICA moment, possibly they killed the updates compromised if they were indeed infected.

reply to post by Gemwolf


Here!!! You can analyze it for yourslef! It could be malicious but i think its just for stats! If it was malicious then Norton would have the executable bypass the firewall automatically unless they [snip] up of course!



[edit on 10-3-2009 by tommyboy1981]


Mod Edit: Profanity/Circumvention Of Censors – Please Review This Link.

[edit on 10-3-2009 by 12m8keall2c]

I sent an inquiry to www.sans.org....

Edit: Whoa, this thread is moving quick. Source noted, once again.


Sorry!

[edit on 10-3-2009 by Strype]