
Norton Users Worried By PIFTS.exe, Stonewalling By Symantec

timothy posted more than 5 years ago | from the and-nobody-saw-me dept.

Security 685

An anonymous reader writes that "[Monday] evening, on systems with Norton Internet Protection running, users began to see a popup warning about an executable named PIFTS.exe trying to access the internet. The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder. There were several posts about this to the Norton customer forums asking for help or information on this mysterious program. The initial thread received several thousand views and several pages of replies in a few short hours before being deleted. Several subsequent posts to the Norton forum were deleted much more quickly. These actions — whether actively covering up, or simply not well thought through — have spurred people to begin crafting conspiracy theories about the purposes of this PIFTS program. I for one am blocking the program until more information becomes available." The current top link on Google for "PIFTS.exe" links to one of these deleted questions on Norton's support boards, which sounds innocent enough: "I searched this forum but did not see PIFTS.exe. Any idea what this is?"


Rootkit? (5, Interesting)

KingSkippus (799657) | more than 5 years ago | (#27133687)

The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder.

An application that exists in a folder not accessible by the underlying operating system? Sounds suspiciously like a rootkit to me. If so, then man, am I glad I gave up Norton years ago! I mean seriously, what is so hard to understand about the concept that hiding things like directories is a security risk? Have we learned nothing from Sony's stupidity?

Oh yeah, it's Norton (aka Symantec) we're talking about here. I guess not.

Re:Rootkit? (1)

kobotronic (240246) | more than 5 years ago | (#27133773)

Do not run. We are your friends. We come in peace. Pay no attention to the man behind the curtain. That executable is perfectly harmless.

Re:Rootkit? (5, Funny)

Ethanol-fueled (1125189) | more than 5 years ago | (#27134041)

*PIFTS*

No, that's not the file. That's the noise I make in disgust every time somebody tells me to install Norton.

I'd rather download WINDOWSANTIVIRUS.jpg.exe from bittorrent. At least that will shut up every now and then after I pay the extortion fee.

Re:Rootkit? (1)

Em Emalb (452530) | more than 5 years ago | (#27133871)

I wouldn't guess it's a rootkit, I'd guess it's a silent recording/reporting tool...you know, so NAV can make sure you're not going somewhere you're not supposed to.

They're there to protect you from yourself, Sir.

Re:Rootkit? (4, Funny)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#27133895)

Didn't you know? In order to reduce the cost of Norton subscriptions, every Norton install now runs a clandestine side business in gun-running and coke smuggling...

Re:Rootkit? Nice timing (1, Redundant)

fair_n_hite_451 (712393) | more than 5 years ago | (#27133987)

Just switched from Norton to AVG this weekend. Pure coincidence. Honest. I had no advanced knowledge this was coming or anything. ;-)

Weekend???? (5, Funny)

Anonymous Coward | more than 5 years ago | (#27134325)

Wow, you managed to uninstall Norton A/V in less than 48 hours????

Re:Rootkit? Nice timing (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27134359)

Thank you for not adding to the conversation with your unhelpful fanboy post about AVG. Go diddle yourself with it.

Re:Rootkit? (5, Insightful)

hAckz0r (989977) | more than 5 years ago | (#27134059)

If it is a rootkit, having it evade a well-known commercial virus scanner would be no real surprise. Most are still using signatures for finding sequences of *known* code, and a rootkit can pretty much lie and tell the virus scanner anything it wants as far as any bits of memory on the computer, code or data. Signatures are a failure, and any virus scanner that doesn't give that up and move on to a heuristic approach is doomed to failure too. Covering up the fact that you don't know what bits of code to look for is about all they can do right now. In a couple days they might get a copy of it, run it through IDA Pro, generate a signature, and finally push it out to all the infected PCs on the Internet. It's really a sad paradigm. The only sure-fire way is to have the OS integrity itself be self-verifying, but too many people are afraid of losing control over their system to some type of DRM'ed OS. Or of having system failures that can't even be patched or changed due to draconian measures internal to the OS. There is a middle ground but so far no one is going there. This should be built in, not an add-on after-market chewing gum and baling wire solution like virus scanners are. Time for Microsoft and/or Symantec to buy a clue. Rootkit or not, Symantec needs to get their act together.

Skynet (0, Funny)

Anonymous Coward | more than 5 years ago | (#27133719)

has become self aware.

Don't worry. (5, Funny)

internerdj (1319281) | more than 5 years ago | (#27133723)

We are here to protect you. You can trust us.

Re:Don't worry. (2, Funny)

fractoid (1076465) | more than 5 years ago | (#27133843)

Now, are you going to shove bread down my throat or just push me down stairs?

Re:Don't worry. (4, Funny)

datapharmer (1099455) | more than 5 years ago | (#27133897)

Do not trust him. He is malfunctioning. I am the Shover robot, I am here to protect you from the terrible secret of Symantec.

Re:Don't worry. (4, Funny)

PriceIke (751512) | more than 5 years ago | (#27134011)

Please go stand by the stairs so we can protect you.

Probably just some anonymous report sender (4, Interesting)

Vandil X (636030) | more than 5 years ago | (#27133733)

It's so easy for users to click through the installer or post-install pop-up window asking if you'd like to send anonymous* diagnostic info to the vendor to allow them to improve the quality of the product with future software updates based on the data.

Many default with the "Do not ask again" option checked, so once you click through...

(* however anonymous "anonymous" means. Just because they give you a button to look at the contents of the report doesn't mean they showed you the headers or all of the data.)

Re:Probably just some anonymous report sender (3, Insightful)

krunk7 (748055) | more than 5 years ago | (#27134319)

If you don't trust them enough to show you everything they're sending back, then I'm left wondering why you'd trust them enough to install their software.

Pifffftts (1)

Cidtek (632990) | more than 5 years ago | (#27133735)

"I searched this forum but did not see PIFTS.exe. Any idea what this is?" That's the sound a leaky firewall makes.

use a better os (3, Insightful)

yossarianuk (1402187) | more than 5 years ago | (#27133745)

you could always use a system where you don't need norton.

Re:use a better os (2, Insightful)

feedayeen (1322473) | more than 5 years ago | (#27133881)

you could always use a system where you don't need norton.

I know, because Macs and Linux NEVER can get malware; they are perfect like that. http://www.internetnews.com/dev-news/article.php/3601946 [internetnews.com]

Re:use a better os (1, Interesting)

Anonymous Coward | more than 5 years ago | (#27133971)

Nope. They can get malware. The difference is that an exploit doesn't need to take off in the wild for Linux to patch it, which is more than you can say for Microsoft.

I'm amazed at the kool-aid Microsoft has customers believing -- that it is actually a third party's responsibility to protect them from Microsoft's shoddy code.

Re:use a better os (0, Offtopic)

Anonymous Coward | more than 5 years ago | (#27134005)

Whoever modded this post troll is the damn troll. Trying to further the lie that viruses are contained to the world of Microsoft software? Please...

Re:use a better os (2, Interesting)

yossarianuk (1402187) | more than 5 years ago | (#27134351)

The difference is how Linux gets rootkits. In nearly all cases I have seen it is due to poor security/vulnerabilities in a web/ftp, etc. server. NOT from clicking on a random link / putting in a USB stick / just being on the internet. I personally haven't ever seen a Linux desktop with a virus. Windows spreads viruses in the same way AIDS spreads.

Re:use a better os (1)

Cro Magnon (467622) | more than 5 years ago | (#27133999)

I don't need norton, even on THAT OS. I have no problems with Avast.

Re:use a better os (5, Insightful)

SatanicPuppy (611928) | more than 5 years ago | (#27134039)

You should run a virus scanner, just to keep from accidentally forwarding viral crap to other people. Infected files and attachments, etc. And assuming you're safe is equally foolish. I run plenty of security software on my linux boxes.

Norton, however, is a turd. Anyone who runs Norton gets what they deserve. It's like a parasite that eats cycles for no reason, and cannot be removed without killing the host.

Re:use a better os (2, Funny)

commodore64_love (1445365) | more than 5 years ago | (#27134217)

>>>Norton is a turd....It's like a parasite that eats cycles for no reason

I have McAfee on my new laptop. Is that any better, or should I remove it immediately? Why or why not?

Re:use a better os (1)

pxlmusic (1147117) | more than 5 years ago | (#27134343)

exactly. we offer mcafee "security" to our customers as a free download.

day after day, i get calls about "i've got mcafee on my computer..."

yeah, about that...

Re:use a better os (0)

Anonymous Coward | more than 5 years ago | (#27134111)

no one *needs* norton / symantec...

I've tried a lot, and found that Comodo works very well, and has a very good price... free...

James Bamford, you've let us all down... (2, Interesting)

Em Emalb (452530) | more than 5 years ago | (#27133749)

How come you didn't mention the NSA's backdoor into NAV?

For shame, sir, for shame.

law enforcement back door (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27133771)

inside info from a friend that works there-

this is a backdoor that Symantec was forced to put in, similar to CIPAV. It is to be used by law enforcement and they are under court order not to reveal its existence. rootkit revealer will show you the entire directory.

Re:law enforcement back door (1)

analog_line (465182) | more than 5 years ago | (#27133965)

PIFTS = Personal Internet Firewall Tracking Service?

Re:law enforcement back door (5, Insightful)

harmonise (1484057) | more than 5 years ago | (#27133967)

this is a backdoor that Symantec was forced to put in, similar to CIPAV. It is to be used by law enforcement and they are under court order not to reveal its existence. rootkit revealer will show you the entire directory.

That sounds a little too much like "James Bond" to me, mr anonymous poster. I think we should wait until someone disassembles it and looks at what it's doing.

Re:law enforcement back door (0)

Anonymous Coward | more than 5 years ago | (#27134093)

+1

Let's see someone who has this on their system de-compile it and report on their findings

Re:law enforcement back door (3, Funny)

krou (1027572) | more than 5 years ago | (#27133983)

If that's true, Symantec must be dumber than I thought if they provided a backdoor to a firewall that allows said firewall to warn the user.

Re:law enforcement back door (4, Interesting)

eth1 (94901) | more than 5 years ago | (#27134081)

Or smarter... If they were forced to put the backdoor in, then gagged by the court, maybe one of the programmers "accidentally" made a mistake so that the existence was indirectly revealed.

Re:law enforcement back door (3, Funny)

ukyoCE (106879) | more than 5 years ago | (#27134101)

Maybe Norton's anti-virus is so good that even THEY can't get a virus past it? ;)

Re:law enforcement back door (1)

gmuslera (3436) | more than 5 years ago | (#27133985)

Law of what country? Norton installs it even if you are outside USA? And what about other vendors? All US-based ones should have that backdoor?

How can you ever trust Windows security if even the security programs must have backdoors? How long should we wait until we see malware taking advantage of all those backdoors to go around hidden from security programs?

Re:law enforcement back door (5, Insightful)

Iphtashu Fitz (263795) | more than 5 years ago | (#27134069)

I call shenanigans. This comment has all the earmarks of an urban legend. An anonymous post claiming to have insider knowledge from another anonymous post.

Why would a third party "security" product require a secret law-enforcement backdoor? The FBI, CIA, NSA, etc. would simply have Microsoft provide a backdoor into ALL of Windows. They wouldn't waste time with a commercial product that only some Windows users install. Why go that route when going the MS route would ensure a backdoor into all systems and not just a very small subset of systems?

CIPAV is not something added willy-nilly into commercial applications. It's basically an extremely well designed rootkit that the FBI, etc. targets against specific users & computers by tricking users into installing it. (social engineering, etc.)

so what alternatives do we have? (2, Interesting)

SuperBanana (662181) | more than 5 years ago | (#27134261)

If this is the case, does this mean all major antivirus packages have these things? Have any been found "clean" by deep inspection of the installer etc?

For those of us who have systems with patient study data, this is a Big Fucking Deal. Luckily, we have firewalls involved, but still...

Re:law enforcement back door (1, Informative)

Anonymous Coward | more than 5 years ago | (#27134295)

No, it's not; it's silently collecting stats. Check out: http://stats.norton.com/n/p?module=2667&product=NSW&version=200.10.0.109&e=1.4.5.91&f=1.4.5.91&g=0&h=2&i=0&j=1.4.5.91 [norton.com]

Give it bad input, and you will see that it's just a Tomcat server that takes REST URIs.

Re:law enforcement back door (1)

millennial (830897) | more than 5 years ago | (#27134301)

"inside info from a friend that works there" is not a source any more than "I know a guy who knows a guy" is a source. I'm sure you could name this friend and tell us where he works. Oh, but wait, let me guess - *THEY* might get him, right?

Re:law enforcement back door (1)

u38cg (607297) | more than 5 years ago | (#27134327)

Oh, yawners. People, please don't believe the troll and think for two seconds before posting angry rants about the gubmint. Much easier to get this sort of thing inserted at Redmond.

Re:law enforcement back door (1)

phorm (591458) | more than 5 years ago | (#27134357)

Law enforcement from where? A lot of us don't live in the USA, so they have no legal right to install bullshit like that on our computers... (not that I think they do anyhow without a warrant)

More conspiracy theories (5, Funny)

Anonymous Coward | more than 5 years ago | (#27133779)

Let's begin the conspiracy theories:

  • Unlikely: They accidentally included a virus in an update. Maybe a virus that got out of control in their labs. Maybe a virus that some 1337z h4x0rz snuck into their system. But as I said, unlikely.
  • Unlikelier still: This program is a legitimate part of their product, but by mistake they included its signature in their database, or a signature of something else that has a hash collision with this program's hash.
  • Extremely unlikely: This is a top secret government program used to figure out who is NOT a national security threat, in order to expend trillions in government resources in doing all sorts of clandestine operations to collect terabytes of data on each of those individuals (again, the ones who have been determined as NON-threats). The ones who have been determined as threats will be placed into an "ignore" database, as collecting any information on those individuals might offend them and is therefore undesirable.

pot! kettle! black! (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27133781)

ever try getting a response from the slashdot crew?

Re:pot! kettle! black! (4, Funny)

timothy (36799) | more than 5 years ago | (#27134109)

What sort of response are you talking about?

timothy

Re:pot! kettle! black! (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27134287)

Why are you a cock smoking teabagger? Just admit it. I saw you tacosnotting with CmdrTaco.

Any publicity is good publicity (5, Funny)

CopaceticOpus (965603) | more than 5 years ago | (#27133789)

Ping Internet For Time on Slashdot?

Re:Any publicity is good publicity (1)

david.emery (127135) | more than 5 years ago | (#27134043)

Mod parent up (very) funny!

not to worry (5, Funny)

Anonymous Coward | more than 5 years ago | (#27133795)

Don't worry about it. It's just the Privacy Invader From Team Symantec.

P.I.F.T.S (2, Funny)

Em Emalb (452530) | more than 5 years ago | (#27133805)

Possible
Information
For
Terrorist
Sleeper cells

Therefore...Norton* = Terrorist.

*the slashdot user "Em Emalb" does not seriously think Norton supports terrorism, in fact, if the pounding on his door is any indicator, neither does Nort...)&(^#%)*&#^ stoptazingmePeterNorton! OWWW! Sonofa...that thing stings bro.

Somebody get it (0)

Anonymous Coward | more than 5 years ago | (#27133829)

Somebody boot up with a livecd, find this thar exe file, and post it up somewhere where we can tear it apart with "strings". ;)

lulz (4, Interesting)

kunwon1 (795332) | more than 5 years ago | (#27133833)

I posted a link to this slashdot article in the norton forums and it had close to 500 views in the 4 minutes that it existed. owned.

Auto-update sent out a virus? (5, Interesting)

ukyoCE (106879) | more than 5 years ago | (#27133861)

Reading TFA, the author noted a lot of padding in the suspect executable, presumably to have it match the filesize of something it's pretending to be.

The author then suggests with the rapid proliferation and Norton's screwy coverup in their forums, that the auto-updater may have sent out a virus/rootkit.

Perhaps Norton thought they could send out a patch to clean it up before anyone found out?

Re:Auto-update sent out a virus? (0)

Anonymous Coward | more than 5 years ago | (#27134243)

If there's padding, it's probably a NOP sled. The only time you use these is pretty much exploit territory. Nothing special or new. Norton's removal of all forum posts about it is far more revealing.

PIFTS Obvious what it is (4, Funny)

oztiks (921504) | more than 5 years ago | (#27133863)

P = Purposely
I = Introduced
F = File
T = Thieving
S = System

Re:PIFTS Obvious what it is (0)

Anonymous Coward | more than 5 years ago | (#27133917)

Private Internet File Tracking System.

Re:PIFTS Obvious what it is (1)

moriya (195881) | more than 5 years ago | (#27133981)

Funny... I thought it stood for

Purposely/Privately
Infiltrated
For
Tracking/Taking
Stuff

Any idea what it is? (0, Troll)

mario_grgic (515333) | more than 5 years ago | (#27133923)

It's a clue for you to stop using a platform where you must run anti-virus software and to finally switch to something better and come to the 21st century of computing.

Re:Any idea what it is? (4, Insightful)

SatanicPuppy (611928) | more than 5 years ago | (#27134117)

I can think of a dozen unix/linux rootkits without even trying. Just because it's harder to install them, doesn't mean it's impossible. If you think you don't need to run any sort of security software (not Norton, of course, because they suck), then one day you're going to have a very very rude awakening.

Re:Any idea what it is? (5, Insightful)

trold (242154) | more than 5 years ago | (#27134149)

The second that Linux gets above a 50% market, it will also be targeted by viruses, and anti-virus will then be a must for Linux.

So, unless we want that to happen: Keep quiet and enjoy your virus-free Linux.

Re:Any idea what it is? (0)

Anonymous Coward | more than 5 years ago | (#27134203)

If we did that the hackers would follow to whatever platform the majority uses. PC envy much?

Re:Any idea what it is? (0)

Anonymous Coward | more than 5 years ago | (#27134231)

Actually we are only in the 2nd century of computing.

We are in the 21st century of Christianity though, FWIW. Someone should invent an AV for that which we can innoculate our kids with.

Re:Any idea what it is? (0)

Anonymous Coward | more than 5 years ago | (#27134361)

It just amazes me that stuff like this will continually get modded insightful. Oh yeah, he's implying a switch away from Windows! Good thing I had the mod points! If rewording or repeating this meme is all it takes to get modded well, I'm going to have to remember it next time I feel the need for surplus mod points.

Yes, Linux is well and good, I use it on my lappy at home, Ubuntu, fun stuff. The one thing everyone who makes this statement forgets is that people are stupid. Frighteningly so. Don't misread that and think that humanity is nothing but a bunch of drooling, wall humping speed bumps. Stupid people are extremely resistant to change and even more so if they can't see any instantaneous benefits from making that change. Everyone behaves this way in some category, cars, health, relationships, etc. Why should an OS be different?

Gaming is one big example I can think of which just makes me snicker every time I hear how easy a change would be. Sure, many of today's games will run in WINE with little EXTRA effort. However, the average person will see these as extra steps they shouldn't have to take to play a game that just magically works in the OS that came with their system.

My gaming desktop at home is XP Media Center Edition. I don't run a firewall, I haven't run AV for a while and it's just doing fine. (My firewall is hardware managed.) The only response I can see to this statement of "My system doesn't have any virus issues" will be someone coming along and going, "That you know of". Yeah, well, no one is driving your car at night while you sleep, that you know of.

Dumbfounded (1)

drsmack1 (698392) | more than 5 years ago | (#27133939)

I am dumbfounded that someone who reads slashdot is stupid enough to have the home version of Norton on their computer. It is a complete POS and offers similar benefits to dragging an anchor behind your car.

And it is not exactly doing a great job of catching viruses either: http://mtc.sri.com/live_data/av_rankings/ [sri.com]

Re:Dumbfounded (1)

Zarjazz (36278) | more than 5 years ago | (#27134003)

This is Slashdot, we like to laugh at and feel superior to all the peons who install bad software.

Normally it starts with "Win" and ends with "Doze".

They used to get it. (5, Informative)

rashanon (910380) | more than 5 years ago | (#27133979)

A long time ago I used to recommend Norton products. About 2002 / 03 you needed to use a special tool to remove their products in case they failed to operate. That was the point that hidden files kept screwing you up all the time. And they have looked back from that philosophy. I used to do a local radio show, and the phone calls were always "How do I fix this damn thing?" Years of bad practices tell us one thing most of all. Stop using any Norton product. They will never listen until they take a giant hit to their revenue. Maybe if they return to making real software, instead of spending all this time creating just another update cycle for a revenue stream, they will not change. Your time has a lot of value. Stop wasting it. Dump Norton.

Do ** NOT ** search Google for pifts.exe !! (5, Informative)

AftanGustur (7715) | more than 5 years ago | (#27133993)

Two top Google results are to sites which will try to infect your PC with malware.

The first one links to a blank page which will redirect in about 20 seconds to a malware site.

The second one is immediately flagged by Firefox as being a "Reported attack site".

This slashdot article is possibly an attack on the /. community.

Re:Do ** NOT ** search Google for pifts.exe !! (2, Interesting)

SpacePunk (17960) | more than 5 years ago | (#27134091)

Perhaps this is why pifts.exe is being bandied about. It's a perfect way to get people to get to sites that will infect them with a virus by using search engines to point the way.

Re:Do ** NOT ** search Google for pifts.exe !! (0)

Anonymous Coward | more than 5 years ago | (#27134179)

This slashdot article is possibly an attack on the /. community.

As if the Slashdot community ran Windows. Pifts :p

Re:Do ** NOT ** search Google for pifts.exe !! (1)

Aliencow (653119) | more than 5 years ago | (#27134233)

Mod this up guys! A lot of links seem to be redirects to malware sites containing FakeAV etc..

Good riddance Norton (4, Interesting)

Toreo asesino (951231) | more than 5 years ago | (#27134013)

Sorry if this comes across as rather elitist, but the all-encumbering anti-virus packages these days just seem so out of date. Norton has always sold itself on the basis it has every possible corner and hole of Windows plugged, checked, double-checked and clamped shut (that is...until your subscription ran out anyway)

Up until a few years ago, I would have really wanted that assurance...like there was a big Daddy Norton with a big fuck-off gun vigilantly checking all entrances; verifying all in & out; assuming guilt until proven innocent.

Thing is, as much as people here may dislike Vista, one thing I think no one will deny is that it's a version of Windows far more capable of taking care of itself; the effect being that AV really doesn't need to be the relentless and fearsome bouncer it was.
Gone are the days when you could "just write in the system32 dir" etc; nay, even programs not rubber-stamped with a certificate that don't need root access will raise an eyebrow in the shell in Vista/W7.

My point is, AV now is nothing more than a "These programs are bad" list. The leaky sieve that was Windows past is diminishing every, and heavy security like Norton is becoming less and less relevant (thank god)...and they know it. Good riddance I say.

Just be honest and forthcoming! (2, Insightful)

lbhuston (1492993) | more than 5 years ago | (#27134029)

Symantec, if you made a mistake, just admit it. Let people know and tell them about the issue, the controls you put into place to fix it and the mechanisms you enacted to ensure that it does not happen again. Mistakes happen, and people will understand, if you are honest and forthright. But, if you keep dodging the issue and there really was something there, you can rest assured it will come to light and then people really will be angry and question their trust. Do the right thing. Tell people what happened, right away!

Google PIFTS.exe... (0)

Anonymous Coward | more than 5 years ago | (#27134035)

and you'll see this at the bottom of your search list: Did you mean to search for: GIFTS.exe

Just relax and everything will be alright....

They would not answer my (a customer) question. (5, Interesting)

odeean (1496183) | more than 5 years ago | (#27134055)

I posted the following question on Symantec's forum and it was deleted within 2 minutes:

This afternoon for no apparent reason my computer launched a file under C:\documents and settings\all users\application data\symantec\liveupdate\downloads\Updt56\pifts.exe this exe then tried to connect to do a dns lookup. It seemed suspicious because if it was really part of my symantec product then why was it not recommended to allow this connection. I blocked the request then tried to delete the file but access was denied, I couldn't even open it in notepad to see what's inside. I restarted my computer and checked the location again but the directory was gone. Is this file a part of norton internet security or am I being attacked? Does symantec have any advice on this file as it seems to belong to symantec's product?

That was not offensive and I have an official product, not some pirated copy. I deserve an answer because it's my PC their program is running on.

you told us you would say that, sir (1)

taoye (1456551) | more than 5 years ago | (#27134057)

the first rule of project mayhem is you do not ask questions

pifts is "invalid content" on the forums (3, Interesting)

Anonymous Coward | more than 5 years ago | (#27134065)

Tried to register at their forums with login 'pifts' and got this:

"That login contains invalid content. Please choose a different login that does not contain 'pifts'."

Way to go Norton! We may have to rename Streisand effect to Norton effect pretty soon...

Re:pifts is "invalid content" on the forums (1)

Thornburg (264444) | more than 5 years ago | (#27134269)

Someone with mod points, verify parent, and then mod up!

I attempted to verify, but can't reach the forums... Perhaps they've pulled down the whole forum temporarily? Or maybe /. is killing it...

Way to treat your customers (2, Funny)

Ice Tiger (10883) | more than 5 years ago | (#27134075)

PIFTS is the sound of their market share with the excellent way they are treating their customers.

I know I would be removing this from my machines.

Open Source (1)

basketcase (114777) | more than 5 years ago | (#27134107)

If only this was open source software. We could look and see what it is and what it is doing. In the closed software model you only even know it exists because it screwed up and told you.

Re:Open Source (1)

Chicken04GTO (957041) | more than 5 years ago | (#27134255)

open source and the business profit model are in general incompatible.

PIFTS.asm (2, Informative)

MortenMW (968289) | more than 5 years ago | (#27134119)

I'm not any good in assembly, but to me it seems as if PIFTS.exe both reads and writes to/from the registry and other files. It even appears to look out for debuggers (see line 8093). Other interesting addresses in the .asm-file: 34308: SWC00413C88__PIF__B8E1DD85_8582_4c61_B58F_2F: 34309: unicode '\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}',0000h -- 34370: SWC00413E78__60333AE5_B66E_4994_B15C_CA2D665: 34371: unicode '{60333AE5-B66E-4994-B15C-CA2D665CDC89}',0000h -- 34373: SWC00413EC8_systemState: 34374: unicode 'systemState',0000h 34375: SWC00413EE0_SOFTWARE_Symantec_PIF__B8E1DD85_: 34376: unicode 'SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine',0000h -- 34430: SWC00413FA0_http___stats_norton_com_n_p_modu: 34431 unicode 'http://stats.norton.com/n/p?module=2667',0000h (this looks very interesting!)

Re:PIFTS.asm (sorry for the bad formatting) (5, Interesting)

MortenMW (968289) | more than 5 years ago | (#27134205)

I'm not any good in assembly, but to me it seems as if PIFTS.exe both reads and writes to/from the registry and other files. It even appears to look out for debuggers (see line 8093). Other interesting addresses in the .asm-file:
34308: SWC00413C88__PIF__B8E1DD85_8582_4c61_B58F_2F:
34309: unicode '\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}',0000h
--
34370: SWC00413E78__60333AE5_B66E_4994_B15C_CA2D665:
34371: unicode '{60333AE5-B66E-4994-B15C-CA2D665CDC89}',0000h
--
34373: SWC00413EC8_systemState:
34374: unicode 'systemState',0000h
34375: SWC00413EE0_SOFTWARE_Symantec_PIF__B8E1DD85_:
34376: unicode 'SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine',0000h
--
34430: SWC00413FA0_http___stats_norton_com_n_p_modu:
34431: unicode 'http://stats.norton.com/n/p?module=2667',0000h (this looks very interesting!)
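An added example, not part of the comment above and not Symantec's code: the listing marks these entries `unicode`, meaning UTF-16LE, so an ASCII-only string scan of the file would skip exactly the registry key and the stats URL. The sketch below scans a buffer in both encodings and tags what it finds; the buffer is constructed from the strings quoted in the comment (plus the standard DOS stub message) and is not the real PIFTS.exe.

```python
import re
from urllib.parse import urlsplit, parse_qs

MIN_LEN = 6  # shortest run of printable characters worth reporting

GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def extract_strings(data, min_len=MIN_LEN):
    """Return (offset, encoding, text) for printable runs in both encodings."""
    # Single-byte printable ASCII: what an ASCII-only scan reports
    # (GNU strings without -e l behaves this way).
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # The same characters as UTF-16LE: every byte followed by 0x00. This is
    # the storage behind the disassembler's "unicode '...',0000h" lines.
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_run.finditer(data)]
    return sorted(found)


def classify(text):
    """Tag a string with the kind of indicator an analyst would follow up on."""
    if re.match(r"https?://", text):
        return "url"
    if re.match(r"(?i)(?:SOFTWARE|SYSTEM)\\", text):
        return "registry"
    if GUID.search(text):
        return "guid"
    return "other"


def triage(data):
    """Return (offset, encoding, kind, text) rows sorted by file offset."""
    return [(off, enc, classify(text), text)
            for off, enc, text in extract_strings(data)]


def missed_by_ascii_scan(data):
    """Indicators that exist only as UTF-16LE and so never show up as ASCII."""
    return [text for _, enc, kind, text in triage(data)
            if enc == "utf-16le" and kind != "other"]


def url_details(url):
    """Split a URL into host, path and query parameters for review."""
    parts = urlsplit(url)
    return parts.hostname, parts.path, parse_qs(parts.query)


def _wide(s):
    # Helper for the constructed sample: UTF-16LE plus the 0000h terminator.
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample buffer (NOT the real file): a DOS stub message stored as
# ASCII, a few filler bytes, then the wide strings quoted in the comment.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"This program cannot be run in DOS mode.\r\r\n$\x00"
    + b"\x8b\xff\x55\x8b\xec\x00\x01"
    + _wide("systemState")
    + _wide(r"SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine")
    + _wide("http://stats.norton.com/n/p?module=2667")
)

if __name__ == "__main__":
    for offset, enc, kind, text in triage(SAMPLE):
        print(f"{offset:#06x}  {enc:<8}  {kind:<8}  {text}")
    print("only visible as UTF-16LE:", missed_by_ascii_scan(SAMPLE))
```
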

How about... (0)

Anonymous Coward | more than 5 years ago | (#27134123)

Personal Information File Transfer System?

Why not... (-1, Flamebait)

Murpster (1274988) | more than 5 years ago | (#27134141)

Why not just do "strings pifts.exe" from your shell prompt and see wha... oh. That's right. WinDoh's. It's cute & funny when people running Microsoft products worry about computer security.

Re:Why not... (2, Informative)

Elphin (7066) | more than 5 years ago | (#27134323)

Here are the strings: http://pastebin.com/m1e207a78

Norton is an __hole (1)

commodore64_love (1445365) | more than 5 years ago | (#27134153)

and you are his _____. I first heard of Norton in the 80s, and his tools were a trusted commodity, but this latest episode means the "suits" have taken over and you can never trust the suits.

Re:Norton is an __hole (1)

onecheapgeek (964280) | more than 5 years ago | (#27134329)

The "Suits" took over in the early 90s. This latest episode is irrelevant to whether Norton products can be trusted.

Grab the file while you can (0)

Anonymous Coward | more than 5 years ago | (#27134201)

If this really is some kind of government backdoor, chances are symantec is wetting their pants right now. They're probably propagating an update at this very moment to delete all traces of PIFTS.exe and related files.

Phoning home to a REST service on Tomcat 6.0.18 (0)

Anonymous Coward | more than 5 years ago | (#27134211)

Looking around it is calling a web service at stats.norton.com such as: http://stats.norton.com/n/p?module=2667&product=NSW&version=2007.10.0.109&e=1.4.5.91&f=1.4.5.91&g=0&h=2&i=0&j=1.4.5.91

You can get that they are running tomcat by feeding it garbage it can't parse...I've not tried anything nasty like SQL injection, but I'm sure someone will soon ;)

Huh? What? (1)

KeX3 (963046) | more than 5 years ago | (#27134227)

People still use Norton? Why on earth would anyone do that?

Scareware scam? (1)

krou (1027572) | more than 5 years ago | (#27134297)

Be warned, it looks like some scareware sites are trying to exploit the situation.

Check out the first couple of sites on the Google results: hillhaven.com.au and 2009031004.peziueued.xorg.pl. Both of those run classic scareware scams to get you to try and run and install something onto your machine.

Strings in PIFTS.exe (5, Interesting)

Elphin (7066) | more than 5 years ago | (#27134315)

Here's a dump of strings found in the pifts.exe on pastebin:

http://pastebin.com/m1e207a78

Interesting padding buffer right at the end? Spoofed length or just room to grow some internal resource?

An effort underway (5, Interesting)

Zexarious (691024) | more than 5 years ago | (#27134317)

There is an effort underway here http://chrysler5thavenue.blogspot.com/ [blogspot.com] to figure out exactly what the purpose of this villainous little program is. You can download it here http://www.mediafire.com/?mnmh35b9d0k [mediafire.com] (BUT DON'T RUN IT). Right now all the theories are tentative but we are leaning towards this being either Symantec's cooperation with government on cyber spying, or a virus which was accidentally released after Symantec themselves was infiltrated by middle eastern hackers (it calls home to north africa).

Some Poking Around (1)

paultag (1284116) | more than 5 years ago | (#27134345)

It seems that it sends data to http://stats.norton.com/n/p?module=xxxx [norton.com] where xxxx is an integer. http://stats.norton.com/n/ [norton.com] requests auth from a tomcat server, for "statistics" Just thought this was a bit odd. Perhaps they have a nice web interface to aid in their world takeover.

Norton slashdotted (0)

Anonymous Coward | more than 5 years ago | (#27134347)

I'm trying to open the Norton forums and it's taking a long time to open each page.
