The PIFTS.exe Conspiracy

Written by Brett Callow on March 11, 2009

On Monday, users of Norton Internet Security and Norton Antivirus started seeing firewall alerts warning them that an executable named PIFTS.exe was attempting to connect to stats.norton.com. Conspiracy theories immediately started to spread like wildfire. What exactly was PIFTS? Were Symantec surreptitiously monitoring their users? Or was this something much more sinister?

The discussion raged on sites such as Slashdot and on forums across the internet. Symantec fanned the flames when they started deleting questions about PIFTS which had been posted to their web forum without explanation. What did they have to hide? To make matters worse, users searching for information on PIFTS found that they were being directed to malicious websites. Brian Krebs of the Washington Post noted:

          Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them. Both results take you to sites that use Javascript attacks to try and foist rogue antivirus products (ah, the irony).

Symantec finally issued a statement which confirmed what had happened:

          Symantec released a diagnostic patch “PIFTS.exe” targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 – 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec “unsigned”, which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.

What about the deleted posts? Symantec explained that too:

          There has been activity in the Norton User Forum related to PIFTS.exe which has generated additional concern and media speculation.  At approximately 10:30pmET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals. One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec. Below are some examples of the forum spam we received from these new user accounts. These forum posts contained no text in the body of the message, simply a subject:

O LAWD IM CHOKIN ON PIFTS PLZ HALP
OH GOD YOU GOT CHOCOLATE IN MY PIFTS
If you wanna be my NORTON/ you gotta deal with my P ! F T S . E X E
IF PIFTS.EXE WAS HERE, THEN WHO WAS PHONE?
PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE
I LOVE MY PIFTS.EXE

Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts.

So, it seems that it was all due to human error; an innocent mistake. PFTS did not perform any malicious activity and the web forum posts were not deleted as part of a corporate cover-up. But, boy, could Symantec have handled this any more badly? Why didn’t they issue a statement sooner? Had they done so, they could have been spared a considerable amount of bad publicity – and spared their users from being lured to malicious websites in a hunt for information which should have been made available by Symantec. And will users really be comforted to know that PFTS could have phoned-home without their knowledge had the executable been signed? Hmmm …

What’s also noteworthy about this incident is the speed with which the malicious websites appeared. If only Symantec had been as fast to respond as the bad guys!

About Brett Callow

Brett Callow is a technical consultant and writer based in the West Coast of Vancouver Island. Brett has worked with Microsoft Corporation and other leading international technology companies, has authored numerous white papers, articles, training packages and has been extensively involved in creating domains and content for a number of industry-standard certifcation examinations.

Comments

Pingback: Scareware Scammers Monetize Conficker

  • (required)
  • (required)