Tuesday, March 10, 2009

Pifts.exe

On March 9th 2009, Norton Internet Security users who had chosen to run LiveUpdate to update their software were presented with a strange event. Suddenly, firewalls were popping up alerts about a new executable file that wanted access to the internet. This file is called PIFTS.EXE (Public Internet and File Tracking System). Alarmed, customers of Symantec began to pile into the Norton users discussion forum on symantec.com, in search of answers as to what this strange file could be.

A topic where most of the discussion took place was eventually deleted, and as more users came in search of answers, more topics were started, and in turn, deleted. Some users were even banned from posting as a result of inquiries about PIFTS.EXE. As people searched for answers, news of PIFTS.EXE spread across the internet, and certain tech-savvy users began picking the program apart, in an attempt to unlock its true purpose.

Discussions on websites like slashdot.org were breaking out, and eventually it was discovered that PIFTS.EXE actually was a data-mining program, which was recording information from Internet Explorer history files, Temporary Internet Files, and Google Desktop, and then transmitting it back to a few sources. Upon this discovery, numerous conspiracy theories were spawned, since all the while, any topic so much as mentioning PIFTS.EXE was being swept under the table on the Norton forums within minutes.

As Norton continued to delete topics and ban users on their forums, other websites containing information about PIFTS.EXE, such as digg.com, suddenly started pulling their pages, which provided further fuel for the conspiracy theorists. Eventually 4chan.org caught word of PIFTS.EXE, concluded that a massive cover-up was taking place, and decided to raid the Norton forums, spamming endlessly in an attempt to force Norton to cough up the truth. Finally, after roughly a day and a half, Director of Symantec Security Response, Dave Cole, released this statement on their forums:

Hi everyone,

Symantec released a diagnostic patch "PIFTS.exe" targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 - 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec "unsigned", which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.

There has been activity in the Norton User Forum related to PIFTS.exe which has generated additional concern and media speculation. At approximately 10:30pmET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals. One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec. Below are some examples of the forum spam we received from these new user accounts. These forum posts contained no text in the body of the message, simply a subject:

  • O LAWD IM CHOKIN ON PIFTS PLZ HALP
  • OH GOD YOU GOT CHOCOLATE IN MY PIFTS
  • If you wanna be my NORTON/ you gotta deal with my P ! F T S . E X E
  • IF PIFTS.EXE WAS HERE, THEN WHO WAS PHONE?
  • PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE
  • I LOVE MY PIFTS.EXE

Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts.

I'd like to point out a few glaring flaws in this statement, which have aroused further contempt on the Norton forums now that they have opened back up.

First of all, I was informed of the PIFTS.exe incident by a friend virtually as soon as it started to make its first ripples across the web. I decided to do a bit of research myself, and found myself on the Norton forums last night, where I encountered several topics regarding the issue, ALL of which were polite, genuine inquiries, and all of which were being deleted. There were numerous concerned customers there, seeking answers as to what PIFTS.exe could be, and rather than being given ONE legitimate response, users had their topics deleted and members' posting rights were removed. As I witnessed it taking place, the gravity of the situation began to dawn on me. At this point, a VERY minimal amount of spam was taking place on the forums, IF ANY. I for one did not witness anything but genuine questions about what was going on, and why PIFTS.exe was trying to access the user's connection.

In Dave Cole's statement, he said "At approximately 10:30pmET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals." This may be true, but at the origin of the problem, only the first users to be notified of PIFTS.exe were on the forums asking questions. No spam was taking place, and many users have since vouched for it. The matter was simply being swept under the table, and absolutely no reason was being given.

He also went on to say "Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts." Again, this is simply false. From the VERY FIRST TOPIC that was spawned about PIFTS.exe, Symantec began to delete any mention of the problem. Long, long before 4chan.org's infamous /b/ decided to raid their forums, this was taking place. In fact, the spam and abuse of Norton's forums was a DIRECT result of legitimate topics being deleted. If that hadn't taken place to begin with, there would have been no reason for contempt. If a simple response had been given, and the situation handled, none of this would have occurred.

Dave Cole is obviously using the spam that occurred as a scapegoat to cover up what really happened. It was an attempt to minimize damage, for those who weren't around originally when all the legitimate questions were being wiped off the face of the earth (or the internet, at least). This is undeniable, and many people witnessed it as it went down. Take note of how his statement focuses heavily on the spam, barely addresses the issue, and still makes no mention of what PIFTS.exe actually is.

Around the time the statement was released, Norton's forums were also opened back up for discussion, with one new topic called "PIFTS.EXE discussion thread" which users were asked to use for the issue. I used this opportunity to raise a great many legitimate questions that I'm sure many people have been asking, under the username Anshar. After poking around on the internet a bit, I found this statement:

Dave Cole, senior director of product management at Symantec, said the PIFTS file was part of a "diagnostics patch" shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.

"We have to make sure before we migrate users to a new product that we can see what kind of load we can expect on our servers, and which customers are going to have to be moved up to the latest version of our product," Cole said.

As to why Symantec has been deleting posts about this from their user forum, Cole said the company noticed that minutes after the update went out hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments.

"We want to be out there in the community, but by the same token, if we see abuse we will shut it down pretty quickly," Cole said. "There was no attempt at secrecy here, but people were spamming the forum and making it unusable to everyone."

Again, Dave Cole seems to lie through his teeth regarding why posts were deleted. As I mentioned before, every single post regarding PIFTS.exe was deleted, long before the spam started. Either way, despite the claim that "There was no attempt at secrecy here", had PIFTS.exe actually been signed, and had the firewalls not flagged it, every NIS user would right now be having their information logged and stored without warning.
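The signing point is worth taking beyond this one incident: an unsigned binary asking for network access is exactly what a firewall prompt should surface, and the same check can be run by hand before trusting any update that arrives this way. What follows is an added example for readers, not Symantec's tooling and not code from the original post; it uses the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets, and the file path at the bottom is a placeholder (this page does not give the on-disk location of PIFTS.exe).

```powershell
# Added example: report whether an executable carries a valid Authenticode
# signature, who signed it, and its SHA-256, so a defender can record the
# facts before allowing it through a firewall or adding it to an allow-list.
function Get-UpdateSignatureReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # assumption: full path to the binary being vetted
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Status values include Valid, NotSigned, HashMismatch, NotTrusted and
    # UnknownError; only Valid means the file is signed and the chain is trusted.
    [PSCustomObject]@{
        Path    = $Path
        Sha256  = $hash
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer  } else { '<none>' }
        Trusted = ($sig.Status -eq 'Valid')
    }
}

# Usage with a placeholder path; a NotSigned status is the condition that
# produced the firewall prompt described in Symantec's statement.
Get-UpdateSignatureReport -Path 'C:\Path\To\Downloaded\Update.exe' | Format-List
```

The report is deliberately descriptive rather than a yes/no gate: a NotSigned result on a vendor update is a reason to hold the file and ask the vendor, while a HashMismatch or NotTrusted result on a file that claims to be signed is a stronger signal that something other than a packaging slip has happened.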

Dave also mentioned in the first statement that "The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution." So a patch that was so vital in helping Norton gather information about operating systems and program upgrades is suddenly pulled from further distribution? Either that, or it got ironed out and is now able to run in secrecy. I smell something fishy.

So let me get this straight. In order to "determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7", Symantec needs to log cookies, temp files, and Internet Explorer information, and record searches in Google and Google Desktop? I suppose a simple survey just isn't sufficient for such a large undertaking, right? Or even just a simple script to detect which operating system the user is running? NIS 2009 is capable of that on its own.

It has been more than 24 hours since the initial release of PIFTS.exe, and so far, things are still up in the air. I decided to start this blog just as a way to log accurate information as to what took place, as it took place, since it seems that many other sources are vanishing from the Internet. Although things are still unclear, a few things are certain: Symantec have invested lots of time in trying to cover this up, no matter how you want to slice it. They have taken a painfully long time in providing answers to their "valued" customers, and STILL have yet to really clear things up. I was eventually given a response from a forum administrator named Tim Lopez, in which he said "I just wanted to let everyone know that it's not being ignored. In fact, this is a big deal to us and we're doing everything we can to get things squared away." If, days later, this is the result of "everything" they can do to get things squared away, I must say that your trust in Symantec is misplaced. Boycott Symantec products, regardless of what has occurred here. They have proven that they are not trustworthy, and have also proven that they have no qualms about lying through their teeth and abusing their customers.

Expect further updates as the story progresses.


12 comments:

  1. http://www.partyvan.info/wiki/Pifts
    (about the file and all info known about it)

    http://encyclopediadramatica.com/User:Hometownrog/Pifts.exe
    (about /b/'s raid)

  2. I can tell you that this is nothing but the result of an overactive imagination. 'Alex' here is a well known nut job who is determined to create yet another conspiracy where there is none. It was obviously just a group of spammers trying to disrupt the poor people trying to use the Symantec forum.

  3. I'm a well-known nut job? That's interesting considering this is the first blog I've ever made, and I generally don't care about stuff that happens on the internet. If you talk to anyone who was around when pifts.exe first started up on computers, you'd know that all posts regarding pifts.exe were being deleted long before people began spamming. If anyone is nuts here it must be you.

  4. OK 'Alex'. You keep thinking that. Fortunately most people aren't so mistrusting of Symantec and know that this was just a small lack of communication incident.

  5. Haha so you seriously think you know who I am do you? Why 'Alex' in quotations? Don't think it's my real name? Why don't you show me who you think I actually am then, if I'm so infamous. Also, why don't you do a bit of searching around on the net. I'm not the only one whose trust has been battered. In fact, in the official PIFTS.EXE discussion thread on the Norton website, virtually every single user who has posted all day has said that they no longer trust the company, and that they have uninstalled all their Norton products.

  6. >Fortunately most people aren't so mistrusting of Symantec and know that this was just a small lack of communication incident.
    FIXED** Unfortunately most people aren't so mistrusting of Symantec

    >a small lack of communication incident.
    12 hours with moderators deleting threads and banning users without a single mod thread saying stop, stfu, or this file is safe, no worries. That's not a lack of communication imo; someone was told to delete these. The deleting stopped for a while in the early morning Eastern time, but then when sunrise came the mods came back online and deleted everything, all legit posts. /b/ didn't enter the scene until later in the morning. imo Alex has his story as close to the truth as I witnessed. Other blogs and news sites are much more trusting of Symantec and just link the official statement in their articles, saying, 'That's all folks, move along.' It kinda bothers me.

  7. Thanks for the support Finfantasy :). Glad to see someone realizes my efforts. I don't want them to go to waste. I want people to be well informed.

  8. According to this http://www.theregister.co.uk/2009/03/11/symantec_social_engineering_attack/
    they just mimic what Symantec said, except that the note you posted from Symantec said there were no malicious links... interesting.

  9. Haha yeah, it's clever that so many people realized lots of users would be searching for pifts.exe, and decided to start giving people viruses and crap over fake websites. Lucky for us this isn't one of them :P

  10. This is what I wrote on the Norton forum a couple of minutes ago:

    "Well. I'm running my own IT technology & computer business. My company's management and I have made the decision to stop using any Symantec product on any company computer without exception, and this decision has been issued in the form of a decree. So, starting from today, not a single computer in my company will be allowed to use any sort of Symantec or Symantec-related product. What's more, we have decided to recommend to all our customers that rely on us to do the same, and today we have sent them an e-mail in which we have explained the reasons why we have made this decision. I personally formed a team of 5 company experts in that field and they confirmed the claims that pifts.exe accesses files that it shouldn't access under any circumstances.

    The computer business is a risky job, and information stored on some company computers can be and must be considered in many cases highly sensitive. So every out-of-range access to computer files (even a single one) will and has to be treated as a threat (not potential but real) and an attack. Our lawyers are in the process of analyzing whether there are any legal implications of this kind of threat that came from Symantec, and we will make our decision according to their report!!!

    I'm so disappointed with Symantec's decision to do something like this and, what's more, with how Symantec handled the situation after that, so I made the decision to write this post on my own!!!!!
    Message Edited by DontUseNAV-NIS on 03-11-2009 07:13 AM"

    I don't think that I have to comment on this!!!

  11. interesting that the owners of the forum couldn't block IPs - hardly a recommendation for the bloatware is it?
