Author Topic: Big Stir Among the Internet About Symantec and PIFTS.exe File! Please Read!  (Read 694 times)




Anarchology
Administrator
Weapon of Mass Destruction
*****
Offline Offline

Posts: 6275


Respect: +69

View Profile WWW
« on: March 11, 2009, 05:40:39 PM »

I've noticed a huge uproar on the internet about the software company Symantec, and this illusive file they say is an update known as "PIFT.exe". The major problem is that Symantec is behaving very oddly when it comes to the talks about this certain file. Any mention of this PIFT.exe file on their web forum results in the thread or post being deleted. What is going on?

After reading a couple of articles and discussions regarding this file (obviously not on Symantec's site), I've heard this PIFT.exe file may potentially be a keylogger that sends its information to an IP address in, of all places, somewhere in Africa!


Below is some information I pulled from other sites about it. I'll post up more as more information is found. Feel free to give your two cents.

link
All of a sudden people around the world are seeing PIFTS.EXE popping up. Norton Antivirus is asking users if they want to accept it. Here's what I do know:

Here’s some information I pulled from my Zone Alarm Logs. Does this make sense to anyone?
2009/03/09 18:26:44 — New Program — PIFTS.exe — Destination IP: 67.134.208.160:80 — outgoing — blocked — Destination: ping.lifecycle.norton.com


2009/03/09 18:47:52 — Program Access — PIFTS.exe — Destination IP: — outgoing — blocked — Destination:

2009/03/09 18:48:28 — Changed Program — Windows Explorer — 207.46.248.249.80 — outgoing — blocked — Destination: sa.windows.com
[Via The Symantec Forums]

This indicates that the program tried to change tactics to go out on the net. I took a look for this and it is SwapDrive. So this must be an update to SwapDrive, but I am unsure as to why it pops up that way. The other IP is in Africa, or at least take the .80 out of the equation and it points to an Africa IP. Although just recently Norton decided to delete that thread, and people are really worried about why. Is this a cover-up of some sort because there is an exploit in the wild that we don’t know about? These are good questions that need to be answered. Here is what one posted about this just after they deleted the forum thread:... continued


Update:
link
There is virtually no information on the internet yet regarding a mysterious program called PIFTS.exe, aside from what's posted on this blog. Symantec, makers of the bloated Norton Anti-Virus software, are deleting any mention of PIFTS.exe from their community forums.

The topic is being discussed at forums.zonealarm.org.

UPDATE (02:36 10 March 2009):
A google search for PIFTS.exe turns up a link to www.kanzlei.biz/uploads/tf/index.php?family-guy-season-7-episode-8/, a nefarious looking website that I suggest you not go to unless you know what you are doing. The site contains javascript which may be malicious. Here's a screen capture from one of the pages on that site.

UPDATE (03:56 10 March 2009):
In our comments, thepipermethod says the kanzlei.biz website is just mirroring key words from google trends, which at this time includes the terms "PIFTS" and "EXE" and that the site has no other relation to PIFTS.exe.

At zonealarm.org, one person reports talking with various representatives of Symantec for two hours without receiving any answer as to why inquiries posted on the Symantec forums were being deleted. The caller was told that PIFTS.exe is part of Symantec's update installation process, was denied any further information regarding the purpose of the file and was repeatedly transferred to a new representative when asking why inquiries about PIFTS.exe were being deleted from Symantec's forums.



4chan is now invading their forum
link
(PICTURE IS ATTACHED AT THE BOTTOM)




http://answers.yahoo.com/question/index?qid=20090309204126AAGTEsK

Anubis Report

http://en.wikipedia.org/wiki/Magic_Lantern_(software)

http://www.eweek.com/c/a/Security/Symantec-Caught-in-Norton-Rootkit-Flap/
« Last Edit: March 11, 2009, 06:23:40 PM by Anarchology » Logged

IMPORTANT...
- Please read ALL FORUM RULES before posting!
- If we ever get shut down, we have a BUNKER!
- Follow us on TWITTER!
- Guests can post in The Crack House and only there!
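
The log lines quoted in the post above write the destination port two ways, `67.134.208.160:80` and `207.46.248.249.80`, and the second form is easy to misread as a different address. As an added example (not part of the original post and not ZoneAlarm's own code), this Python parser reads the three lines as quoted and separates address from port; the function names and the assumed seven-field layout come only from those three lines.

```python
import ipaddress
import re

# The three log lines as quoted in the post (the " — " separators are the
# post's formatting, not necessarily the firewall's native log format).
SAMPLE_LOG = """\
2009/03/09 18:26:44 — New Program — PIFTS.exe — Destination IP: 67.134.208.160:80 — outgoing — blocked — Destination: ping.lifecycle.norton.com
2009/03/09 18:47:52 — Program Access — PIFTS.exe — Destination IP: — outgoing — blocked — Destination:
2009/03/09 18:48:28 — Changed Program — Windows Explorer — 207.46.248.249.80 — outgoing — blocked — Destination: sa.windows.com
"""

# IPv4 address followed by an optional port written as ":80" or ".80".
ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?:[:.](\d{1,5}))?$")


def split_endpoint(text):
    """Return (address, port) from 'a.b.c.d:port' or 'a.b.c.d.port'."""
    m = ENDPOINT.search(text.strip())
    if not m:
        return None, None  # field was empty in the log
    addr = str(ipaddress.IPv4Address(m.group(1)))  # raises if an octet > 255
    port = int(m.group(2)) if m.group(2) else None
    return addr, port


def parse_line(line):
    """Split one quoted log line into named fields (assumed 7-field layout)."""
    ts, event, program, endpoint, direction, action, dest = (
        f.strip() for f in line.split("—"))
    addr, port = split_endpoint(endpoint)
    host = dest.split(":", 1)[1].strip() or None
    return {"time": ts, "event": event, "program": program, "address": addr,
            "port": port, "direction": direction, "action": action,
            "host": host}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(r["time"], r["program"], r["address"], r["port"], r["host"])
```

Both populated entries resolve to an IPv4 address on port 80 with the hostname the log itself recorded, so the address to look up is the first four octets only.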

Anarchology
« Reply #1 on: March 11, 2009, 05:49:59 PM »

CLICK FOR THE FULL STORY
Quote
On March 9, 2009, Norton Internet Security users around the world encountered a suspicious message which indicated that an unsigned program, PIFTS.exe, was trying to connect to the Internet. Users quickly turned to Google where they only found other users looking for the same answers. Next they began posting questions on the official Norton Internet Security message board.

Here is where the situation quickly deteriorated. Forum moderators began pulling every single post which mentioned PIFTS or merely alluded to it. Symantec realized that they had a problem on their hands and hoped that they could keep things quiet long enough to prepare a fix. But what they failed to comprehend was that their actions to cover-up their mistake created a fertile breeding ground for misinformation and conspiracy theories. A search for "PIFTS" on their site gave but one response: "Did you mean: gifts?"

As is often the case, Symantec's cover-up was much worse than the actual crime. They could have prevented this disaster by posting an official statement immediately, not an entire day after the fact. To make matters worse, when Symantec employee Dave Cole posted the official response he tried to brush aside the mass deletion of legitimate posts regarding PIFTS with this statement:

     Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts.
    Dave Cole
    Senior Director of Product Management
    Consumer Products and Solutions
    Symantec

I have documented just some of the legitimate posts which were deleted. Symantec committed a huge blunder here. They tried to justify their forum moderation techniques by citing out-of-control spamming. However, the spamming only began after word spread that Symantec had implemented a gag order on all things PIFTS. Had they clarified the problem from the beginning there would have been no stink of conspiracy. Instead they perpetuated the conspiracies and allowed bloggers and other message boards to take control of the conversation.

Unfortunately for Symantec the damage is done. An anti-virus and internet security company is built on trust and trust alone. Once users lose faith in a company it cannot exist (see Arthur Andersen). Only time will tell whether or not Symantec committed corporate suicide today. The lesson that other companies can learn from this is (a) if you make a mistake, admit it immediately and provide current information to your users and (b) allow discussions to exist on your message board or else the negative PR will hurt you more than the comments from unhappy users.

Sure, Symantec will fix the error but it won't matter to me. I've already uninstalled all of their products and will forever preach to others not to purchase Symantec products. Which brings me to my third lesson for other companies to learn from this: bad news travels much faster than good news.

If someone loses their job at Symantec I hope it's not the poor programmer who fried his brain with too much caffeine, but rather the executive who turned this mistake into a corporate disaster by failing to keep users informed and implementing a gag order.

That isn't the whole article above. Please visit the link to read how this poster ended up getting banned from Symantec's discussion forum for pressing the issue.

Anarchology
« Reply #2 on: March 11, 2009, 06:10:43 PM »

BELOW WAS PULLED FROM...
http://www.tech-linkblog.com/2009/03/conspiracy-theories-run-rampant-due-to-piftsexe.html/

This indicates that the program tried to change tactics to go out on the net. I took a look for this and it is SwapDrive. So this must be an update to SwapDrive, but I am unsure as to why it pops up that way. The other IP is in Africa, or at least take the .80 out of the equation and it points to an Africa IP. (It looks to my mistake in that little part, “to err is human”. Check out this post about it.) Although just recently Norton decided to delete that thread, and people are really worried about why. Is this a cover-up of some sort because there is an exploit in the wild that we don’t know about? These are good questions that need to be answered. Here is what one posted about this just after they deleted the forum thread:



As you can see people are taking this deletion on the community forum thread very seriously, they know something is not right in Denmark.  I also want to point out this one:



I don’t know what Norton is up to but this is making me uneasy.  If they are worried about something that they can’t explain or don’t want to explain then they have made a mistake.  Some users are really worried now because Norton isn’t saying anything at all.  I love this post:



As you can see, people see this and are worried. I didn’t want these to be taken offline like the first post, so I made physical copies to put on my blog. I want to prove to people that these actually existed. I would advise people to run HijackThis to see if you can figure out where this is coming from. I don’t know why they would hide the truth; it will bite them in the end. Anyone want to comment on this? I am quite curious!

*UPDATE 12:01 am 03/10/09*

Seems Norton deleted all posts about PIFTS.EXE, so I don’t know what happened, but this will have to come out in the open sooner or later. I just hope it isn’t going to be too late.

*UPDATE 12:15 am 03/10/09*

Seems people have decided to go to the Zonealarm forums to discuss this:



You can visit their forums here. I am getting more curious about this little situation and am now tempted to stay up all night watching this!!

I also found this forum thread from BuckeyePlanet.  I am seeing more and more people blogging about this.  So this must be something REALLY big.  Keep sending me comments if you find anything else.  Don’t forget to add me on Twitter.

This looks interesting:
    Even more interestingly now, after posting a single post asking about PIFTS.exe, which was deleted, and a subsequent post to another forum asking about the deleted posts, which got deleted, I’ve now been blocked from creating new posts or replies on the Norton forums. They really don’t want to talk about whatever this was.

    And doubly interesting — or perhaps not, who knows — not sure if this is standard practice at Symantec or what, but opening the PIFTS.exe in a hex editor shows a large section of the end of the file consists only of “PADDINGXX” repeated over and over. I’ve got some background in programming and can’t think of a good reason why you would need padding like that on a legitimate executable. However, if an executable in an update has been compromised it may require padding such as that to match the original executable’s file size or something. But that’s just pointless conspiracy theorizing that likely has no basis. It would be nice though to hear from Norton about what the **bleep** this thing is.
    [Via Zonealarm Forum]


I don’t know, but I'm suspecting an update went wrong, at least from all the indications I’m seeing.

I will say you have several options available to you:

    * You could get a free anti-virus software
    * You could run without an anti-virus (Not a great option, wouldn’t suggest it)
    * You could do nothing and wait. (My recommendation until I find out the full story!!)

Please let’s not start a pandemic over this. I am however worried because Norton has yet to release any public information about this. I will update as needed, but please, people, let’s not go too OVERBOARD on this!!

Google gets rid of the trend “PIFTS.EXE”, no longer there. It was there last night. Hmm, even more questions and answers? (Click image to view it!!)

« Last Edit: March 11, 2009, 06:12:15 PM by Anarchology » Logged
