Symantec, what’s PIFTS? Please don’t delete this! (Updated)
by Peter Ha on March 10, 2009


Update: PIFTS identified. A comment points us to this page, which explains that the “Product Information Framework Trouble Shooter” is “a diagnostic patch that we put out for the older products” and was put out without being properly signed by Symantec, prompting the firewall response. As for the shady forum deletions? They say a 4chan spammer got into the system around the same time. Ver-r-r-y convenient, but they do say their policy is not to delete. Mystery solved, everybody! Go home!

I have no idea what is going on, but my buddy Mike just sent this to me and I’m hoping to spread the word. Sometime yesterday he received a Norton Program Alert saying, “PIFTS is attempting to access the Internet.” Being the nerd that he is, he did an nslookup on the IP and it came back to SwapDrive, which is a Symantec-owned company. He then posted on the Norton/Symantec forums, but had his threads deleted and account terminated.

I was following a thread here regarding an error message that many people got today and the thread was deleted. So here is a new thread.

I have an expired version of Norton Internet Security. Today I received a program alert which said:
PIFTS is attempting to access the Internet
Program: PIFTS.exe
Path: C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt652\
Date/Time: 3/9/2009 5:58 PM

This appears to be a Norton file of some sort. However, Norton does not offer any information about this file.

Here is what I gathered so far:
-If you block this file’s access to the internet then it might not be able to provide any updates to your Norton.
-It might be related to another company that Symantec recently acquired.

If Norton or Symantec or anyone else can provide any info that would be greatly appreciated!!

I clicked the submit button but immediately I got this error message:

We’re sorry, but you have been banned from using this site.

I suspected that they banned me because my password bashed Norton. So I created a new account called WhatsPIFTS and posted the same message again.

A few minutes later I reloaded my post and got this message:

The message you are trying to access has been deleted. Please update your bookmarks.

Shortly thereafter my new account was banned!

Does anyone have any info on this? According to Google Trends, pifts.exe was the 23rd most commonly searched term yesterday. Conspiracy or coincidence?

You can check out Mike’s ordeal over at Freebase.

Comments

  • Interesting… I suspect that you weren’t banned because of your password. They are most likely (they better be) encrypted so nobody would ever know it except you.

    • it’s called being banned because you broke the TOS and signed up again and your ip probably was the same so they knew it was you doing it again.

      Norton sucks anyways, switch over to Panda or Nod.

  • Delete all your symantec stuff, reformat even.

    You do not want your system to be infected with pifts if you care anything for privacy and freedom.

  • off topic:
    no symantec installed no problem.

    besides anti viruses are useless for personal usage PC.

  • Symantec is moving to Mountain View because their Cupertino office is infected with the PIFTS virus.

    Apparently one of the employees brought it back to Cupertino after staying at a roach motel in NYC.

  • I’ve published some more information about the PIFTS and Symantec mystery on my blog at sophos.com

    http://www.sophos.com/blogs/gc/g/2009/03/10/mystery-symantec-pifts/

    Hope that is useful.

    Regards
    Graham Cluley, senior technology consultant, Sophos

  • Old and busted: Heavy-handed tactics; new hotness: Streisand Effect.

  • I don’t know but this is funny:

    Pifts.exe – Norton Internet Security / Norton AntiVirus – Norton …Mar 10, 2009 … pifts pifts pifts pifts pifts pifts pifts pifts pifts. pifts pifts pifts pifts pifts pifts pifts pifts pifts. pifts pifts pifts pifts pifts …
    community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=38252 – 5 hours ago – Similar pages -

  • why would anybody with a tech background use norton willingly?

  • While it’s probably nothing. Watching the Panic Meme spread is hilarious.

  • As crazy as this sounds this is all a hoax being spread by certain websites that are known for spreading such hoax’s and raiding websites like Haboo Hotel. Everyone is now talking about ONE person having had this firewall notice tell them that a certain file was trying to get online to access some website – classic friend of a friend thing.

    It then spread through various social websites by users of the popular hoaxing, hacking and other online mischief sites (sites like eBaums). From these sites the conspiracy spread from site to site. Most were posted on sites that allows anyone to make posts – Twitter, Facebook, MySpace, Reddit, Fark, Digg and many others.

    • Tom Tom:

      Can I get your router’s ADMIN username/password?

      I mean, there is no reason to fear me. All that talk about hackers trying to get in your PC is just “all a hoax being spread by certain websites that are known for spreading such hoax’s and raiding websites like Haboo Hotel”

      I mean, it is only ONE person reporting that someone tried to hack their network. Nobody else is doing it. So, the rest of the 6 billion people of Earth can feel safe.

      So, give me your access info, so I can go in and defrag your HDD, clean your IE cache and uninstall that software you have with the nude dancer in your desktop. That consumes a LOT of resources, dude!!!

    • It’s far more than a single person, man. Thousands if not more. It came in through Norton, and phones home. They delete any thread posted about it immediately and ban the account of the poster. Now, does that sound like a normal way to handle things to you?

  • Just another reason not to use Norton in my opinion.

  • Symantec is not allowing ANY posting for ANY topic on their corp blog.

    Search PIFTS in their blog and the ONLY one post is:

    Protection update for Mac? / Norton for Mac
    Are you going to port pifts to OSX soon. I really hope so! I hope this protection update is

    They will be selling A LOT of NetBackup and Backup Exec now……..

  • PIFTS –> Personal Information Full Transfer System

  • This is real disturbing as I would expect a company like Norton to have more ethics. Opening the back door of your users to related companies is sinister! I use Trend Micro and have been mostly happy except had troubles with Google Chrome & firewall over AT&T 3G data card.

  • That’s why people seriously need to consider what kind of antivirus they are using. This gives us another very reason not to use Symantec products.
    after going through this blog http://www.sophos.com/blogs/gc/
    regarding PIFTS.EXE I am getting more anxious. For this time I strongly suggest everyone to abandon the use of Symantec products this might be the only working solution to this problem as of now.

  • This is one of the reasons why I use Apple products only. No viruses. No Anti-Virus installs to update the software. No bullshit.

    • oh give it a rest, it has more to do with the measly 6% market share. That or nobody wants access to a bunch of self portrait pictures, no matter how ‘trendy’ they might be.

    • “No viruses. No Anti-Virus installs to update the software. No bullshit.”

      No brains needed as well.

      • umm… unix core? lol. i’m going out on a limb, but you’re windows?

        so was i, hardcore, for over 15 years. macs are superior in almost every way (with exception to business software). and mac techies are almost as geeky as linux techies. windows techies (like i used to be) are problem solvers. likely, because they need to be.

        (ps. and yes, i’m so friggen’ cool i don’t need to use caps… and i’m a mac.)

      • btw, my mac boots windows xp-sp3 within vmware in 14 seconds, and it works flawlessly. (that is, the mac side of the equation, lol.)

    • “Apple encourages the widespread use of multiple anti-virus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.”

      They might not be as malicious as some windows viruses, but maybe if you apple people installed an antivirus you may find some out there. If nobody puts it on nobody knows they exist.

  • PIF == an old name for “Program Information File”

    What it actually does is prepare a GET request to “stats.norton.com/n/p?module=2667” with a bunch of version info attached.

    It’s just a one URL ping to let Norton know what their users are running. Here’s some of what it includes:

    “product=%s” — Product name like “NCO”, “N360”, “NSW”, “NIS”, etc, for your Norton version.

    “&version=%s” — The version of the product.

    Version info for PifEng.dll
    Version info for PollMgr.dll

    Some of the info in SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine and SOFTWARE\Symantec\PIF\{96E26A03-A25A-400b-B9B4-564C9BD00F46} (specifically, ‘systemState’ and ‘version’).

    Also some timestamps and maybe a log (I think depending on which switches are set on execution?).

    It’s harmless and common, and it’s sad that ebaumsworld has to spread rumors like this just for the attention.

    • If it’s harmless and common, why wouldn’t Symantec own up to it instead of deleting threads and banning users with no warning and no communiqué?
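
The version ping described in the comment above that begins “PIF ==” can be checked against outbound proxy logs when triaging the firewall alert. The following is an added example, not part of the original post or comments and not Symantec code; the log format, client addresses, version strings and `.example.test` hosts are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Host, path and module id exactly as quoted in the comment.
PING_HOST = "stats.norton.com"
PING_PATH = "/n/p"
PING_MODULE = "2667"
# Parameter names the comment spells out; it says the request carries more.
NAMED_PARAMS = {"module", "product", "version"}

# Constructed sample log (assumed format: time client method url).
SAMPLE_LOG = """\
2009-03-09T17:58:02 10.0.0.21 GET http://stats.norton.com/n/p?module=2667&product=NIS&version=14.0.0.89&x=1
2009-03-09T17:58:05 10.0.0.21 GET http://liveupdate.example.test/minitri.flg
2009-03-09T18:01:40 10.0.0.34 GET http://stats.norton.com/n/p?module=2667&product=N360&version=2.0.0.242
2009-03-09T18:02:11 10.0.0.34 GET http://stats.norton.com.example.test/n/p?module=2667&product=NIS
2009-03-09T18:03:00 10.0.0.40 GET http://stats.norton.com/n/p?module=1234&product=NIS&version=14.0.0.89
"""


def match_ping(url):
    """Return the ping's fields if url is the described request, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None  # malformed URL in the log
    # Exact host comparison, so a lookalike such as
    # stats.norton.com.example.test does not match.
    if (parts.hostname or "").lower() != PING_HOST:
        return None
    if parts.path != PING_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("module") != [PING_MODULE]:
        return None
    return {
        "product": query.get("product", [None])[0],
        "version": query.get("version", [None])[0],
        # Parameters present but not named in the comment, listed for review.
        "other_params": sorted(set(query) - NAMED_PARAMS),
    }


def find_pings(log_text):
    """Scan log text and return one record per request matching the ping."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(None, 3)
        if len(fields) != 4:
            continue  # not in the assumed four-column format
        when, client, method, url = fields
        if method != "GET":
            continue
        info = match_ping(url)
        if info is not None:
            hits.append({"time": when, "client": client, **info})
    return hits


if __name__ == "__main__":
    for hit in find_pings(SAMPLE_LOG):
        print(hit)
```
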

  • Looking at the binary

    PIFTS.exe

    I see this

    “Pervasive Intrusion For Transmitting Sensitive credentials”

    ;-)

  • I smell something fishy. They should have responded and cleared things up right in the forum; now they have a much larger mess to clean up.

  • They’ve bought Google as well! Trying Google Trends with PIFTS.exe I get this:
    Bad Request
    Your client has issued a malformed or illegal request.

    See it here:
    http://tinypic.com/view.php?pic=2rztcar&s=5

  • trolled trolled trolled, all of you have been epically TROLLED.

  • While we’re on the topic of antivirus, Mcafee routinely pops up banner ads on your computer and solicits you to buy more stuff from them. This is extremely annoying and a time waster, especially since I’ve already paid them. I wish these companies would just do a virus scan and get out of the way. Care more about your customers and stop thinking about the short term bottom line.

  • One of the writers for one of my websites works for them. I wonder if he will spill the beans on what he knows? Personally I have always thought they sucked.

  • Such companies should be sued and taught a lesson…. ????

    Anybody????

    • We don’t even know what PIFTS does. It’s probably nothing. Although Symantec’s behavior on their forums is weird, I don’t think that we should assume that some malicious coverup has been revealed until we have more information.

  • Ugh – I can’t stand Norton products. AVG has been working great for my clients for a long time now. I routinely uninstall Norton, install AVG, and clean up a lot of crap that Norton missed. Ugh…

  • There seems a sad inevitability about this…

    I’m afraid the malware authors are now jumping onboard the PIFTS.EXE bandwagon, and are poisoning search engine results in an attempt to infect innocent computer users.

    See the evidence for yourself at
    http://www.sophos.com/blogs/gc/g/2009/03/10/malware-authors-jump-piftsexe-bandwagon/

  • Well done anon.

  • Network Administrator - March 10th, 2009 at 4:34 pm GMT+5

    Ok I decided to get to the bottom of this as much as I could, I went to the live chat and here is my conversation:

    Live chat with Symantec:

    Mr. Network Admin has entered room.
    Srinivasan has entered room.
    Srinivasan(Tue Mar 10 2009 12:39:23 GMT-0700 (PDT))>
    You are being transferred to Srinivasan.
    Mr. Network Admin(Tue Mar 10 2009 12:39:37 GMT-0700 (PDT))>
    hello
    Srinivasan(Tue Mar 10 2009 12:39:30 GMT-0700 (PDT))>
    Welcome to Norton Support, my name is Srinivasan , Can I please have a minute to go through the information you have provided?
    Srinivasan(Tue Mar 10 2009 12:40:23 GMT-0700 (PDT))>
    Hai Network Admin, how are you doing today ?
    Mr. Network Admin(Tue Mar 10 2009 12:40:42 GMT-0700 (PDT))>
    good, and yourself?
    Srinivasan(Tue Mar 10 2009 12:40:39 GMT-0700 (PDT))>
    Thanks, your case number is 492008875 , please write this down.
    Srinivasan(Tue Mar 10 2009 12:40:53 GMT-0700 (PDT))>
    Please don’t follow this now – but just in case we get disconnected for any reason, you can follow these instructions to reconnect to me. You’ll need to do this within a couple of minutes of being disconnected:
    Can you please make a note of these instructions.
    1) Open up Internet Explorer and then go to http://www.norton.com/connectme
    2) Enter 217438.
    3) Click on [Submit]
    Mr. Network Admin(Tue Mar 10 2009 12:42:31 GMT-0700 (PDT))>
    I am a network Administrator at a small private school and run corporate anti-virus on all our systems. I have been getting a few calls from people over the last couple days calling asking me what pfits.exe was. After doing some research I have been oddly perplexed with the attempt to limit the information on this. So I’m curious what is pifts.exe?
    Srinivasan(Tue Mar 10 2009 12:44:38 GMT-0700 (PDT))>
    Hi Network Admin, I see that you’re having problems with you get low risk pop up PIFTS.EXE from Norton and you want to know about that ?
    Srinivasan(Tue Mar 10 2009 12:45:01 GMT-0700 (PDT))>
    May I know the name of the Norton product ?
    Mr. Network Admin(Tue Mar 10 2009 12:46:24 GMT-0700 (PDT))>
    Norton Internet Security is the product. I personally haven’t experienced, but several of my users have, and any attempt to post on the forums about pifts.exe removes my topic.
    Srinivasan(Tue Mar 10 2009 12:48:46 GMT-0700 (PDT))>
    Can I put you on hold for 2 or 3 minutes while I look into this for you?
    Mr. Network Admin(Tue Mar 10 2009 12:49:12 GMT-0700 (PDT))>
    sure
    Srinivasan(Tue Mar 10 2009 12:51:01 GMT-0700 (PDT))>
    Thanks for holding.
    Mr. Network Admin(Tue Mar 10 2009 12:51:13 GMT-0700 (PDT))>
    np
    Srinivasan(Tue Mar 10 2009 12:52:09 GMT-0700 (PDT))>
    Network Admin, as I have no information regarding this message. I will transfer this chat session to my supervisor so that they can give more information .
    Mr. Network Admin(Tue Mar 10 2009 12:52:38 GMT-0700 (PDT))>
    alright, ty
    Srinivasan(Tue Mar 10 2009 12:52:53 GMT-0700 (PDT))>
    Shall I transfer the chat session to my supervisor now ?
    Mr. Network Admin(Tue Mar 10 2009 12:53:22 GMT-0700 (PDT))>
    please
    Srinivasan(Tue Mar 10 2009 12:54:25 GMT-0700 (PDT))>
    Please wait, while the issue is escalated to another analyst.
    Srinivasan has left room.
    Ajmal has entered room.
    Ajmal(Tue Mar 10 2009 13:07:25 GMT-0700 (PDT))>
    Hi Network Admin, my name is Ajmal, your case has been escalated to me, can I have a minute to go through the details of this case?
    Mr. Network Admin(Tue Mar 10 2009 13:07:55 GMT-0700 (PDT))>
    sure
    Ajmal(Tue Mar 10 2009 13:08:05 GMT-0700 (PDT))>
    Thanks, your case number is 492008875 , please write this down.
    Ajmal(Tue Mar 10 2009 13:08:17 GMT-0700 (PDT))>
    Please don’t follow this now – but just in case we get disconnected for any reason, you can follow these instructions to reconnect to me.. You’ll need to do this within a couple of minutes of being disconnected:
    Can you please make a note of these instructions.
    1) Open up Internet Explorer and then go to http://www.norton.com/connectme
    2) Enter the [Connection Code] 269557
    3) Click on [Submit]
    Ajmal(Tue Mar 10 2009 13:09:45 GMT-0700 (PDT))>
    I see that you’re having problems with PIFTS.exe file?
    Mr. Network Admin(Tue Mar 10 2009 13:10:41 GMT-0700 (PDT))>
    I’ve had a couple users ask me if they should accept this, and after trying to find out what pifts.exe I have been dumbfounded so I’m just trying to figure out what it is
    Mr. Network Admin(Tue Mar 10 2009 13:11:25 GMT-0700 (PDT))>
    What does Pifts.exe do?
    Ajmal(Tue Mar 10 2009 13:11:31 GMT-0700 (PDT))>
    I can connect to your computer and work to resolve the problem from here, while you sit back and watch.
    This is a secure connection, and I won’t access any personal information on your computer. If at any point you are concerned, you can disconnect me by clicking on the [End] button. I’d encourage you to view the troubleshooting from your end.
    If you are okay with this, please proceed with the following steps
    1. Click on the link http://www.norton.com/link
    2. Enter in the 6 digit pin code 303417 and click [Connect to technician].
    3. You will then see a prompt to accept the connection. Click on [Yes]. It may take a few minutes for me to connect.
    Mr. Network Admin(Tue Mar 10 2009 13:11:59 GMT-0700 (PDT))>
    it’s not on my computer, I’m running on a mac. this is a problem my users have.
    Mr. Network Admin(Tue Mar 10 2009 13:12:26 GMT-0700 (PDT))>
    pifts.exe is a file that is part of the norton product, what does it do?
    Ajmal(Tue Mar 10 2009 13:14:32 GMT-0700 (PDT))>
    Network Admin, we are aware of this issue and we will be releasing a patch very soon that will be delivered via LiveUpdate and the issue will be resolved.
    Mr. Network Admin(Tue Mar 10 2009 13:14:54 GMT-0700 (PDT))>
    that’s great but what does the file do?
    Ajmal(Tue Mar 10 2009 13:16:56 GMT-0700 (PDT))>
    I apologize Network Admin, that file is just an update that is corrupt and only the Programming Team knows what the exact function of the file is. We have informed them about this issue and they will be releasing a patch very soon.
    Mr. Network Admin(Tue Mar 10 2009 13:18:41 GMT-0700 (PDT))>
    so it’s a corrupted update file? is it part of the virus definitions or is it an update for the running program?
    Mr. Network Admin(Tue Mar 10 2009 13:19:07 GMT-0700 (PDT))>
    and until the update comes out should we allow pifts.exe to access the internet or not?
    Ajmal(Tue Mar 10 2009 13:19:41 GMT-0700 (PDT))>
    I have no information about that file, Network Admin and I suggest that you block the file from accessing the internet.
    Mr. Network Admin(Tue Mar 10 2009 13:20:33 GMT-0700 (PDT))>
    If I create a topic thread on the forums for this file will it simply be deleted again?
    Ajmal(Tue Mar 10 2009 13:28:34 GMT-0700 (PDT))>
    No Network Admin, that file is just a diagnostic patch and yes, you may post on the forums.
    Ajmal(Tue Mar 10 2009 13:29:09 GMT-0700 (PDT))>
    I just checked out the forum and the explanation has been updated. The link is http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119&jump=true
    Ajmal(Tue Mar 10 2009 13:29:24 GMT-0700 (PDT))>
    I apologize, the correct link is http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119&jump=true
    Mr. Network Admin(Tue Mar 10 2009 13:30:08 GMT-0700 (PDT))>
    Thank you very much!

    • “Ajmal(Tue Mar 10 2009 13:19:41 GMT-0700 (PDT))>
      I have no information about that file, Network Admin and I suggest that you block the file from accessing the internet”

      Is this a Symantec rep admitting they got pwned?

      I mean, they wouldn’t tell you to block the file unless they knew it:

      a) was completely critical to the functioning of Norton, and blocking it would put you at risk, or

      b) was a(n internally) known-hacked Norton component. Most 0-days these days are known to target antivirus apps first to prevent successful updates.

  • I’d like to believe it’s nothing big, but why have Norton/Symantec swept it under the rug? Even Google had it in their top 100 searches on Mar 10, but they have since mysteriously been taken off the list.

    Seriously, http://www.google.com/trends/hottrends
    and go to select date, then select yesterday, when things just started blowing up. And there it is, on http://www.google.com/trends/hottrends?sa=X&date=2009-3-9
    at number 50, before the mayhem began.

    And oh yeah, plenty of spam sites now targeting nervous users.

    A simple explanation from Norton/Symantec would have sorted it. Although there’s a chance it may not be from them.

    I wonder what happened to those that “accepted” the change. Any word from people on that end.

  • Symantec released a diagnostic patch “PIFTS.exe” targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 – 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec “unsigned”, which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.

    There has been activity in the Norton User Forum related to PIFTS.exe which has generated additional concern and media speculation. At approximately 10:30pmET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals. One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communication…

  • [17:14] #pifts 57 [+ntr] Norton accidentally an entire BBS Boards=locked, fags=told. http://tinyurl.com/bl8bvx | #help for help with registering + custom vhosts | http://partyvan.info/wiki/Pifts | CURRENT GOAL: PISS OFF PEOPLE @ SYMANTEC, NEGITIVELY AFFECT IT’S STOCK | This is not a /b/ channel; /b/ shit=b& | some fix the colors

  • Didn’t you know? I’ve known this for years! Norton is the worst computer virus that you can get!

  • OH GOD HOW DID PIFTS GET HERE AM NOT GOOD WITH COMPUTAR.

    But in more serious news, I don’t actually know what I had to say. Hopefully this madness resolves soon. Or hopefully it’s already resolved and I’m late to the party.

    Where’d all the punch go?

  • Symantec won’t have access to your password, they probably only save a hash of it. Symantec has been covering up this whole PIFTS thing for a few days now, and various other websites have been taking down information on it. Smells awfully like a coverup.

    I don’t see why anyone would choose to use Norton in the first place, it is extremely bloated, bogs down the system, and does not pick up viruses that a free antivirus scanner does. Oh, and it’s a real bastard to uninstall.

    Best solution is to never go anywhere near norton.

  • Norton is lying. People have asked about PIFTS for months and they’ve always banned everyone who asked. Only after 4chan got involved did this get attention.

    PIFTS is a rootkit they use to spy on your computer and give to google, the US government, and some server in Africa.

  • The entire situation has to be pretty unnerving for Norton users. The chat session text above demonstrates the utter lack of control that Norton has about the issue. I guess nobody can be totally reliant on a single anti-virus provider for all their needs; that’s why I use This digital security site.
