Thursday, March 12, 2009

My final post in the official PIFTS.EXE topic on Norton forums.

Just figured I'd copy it over here as a final point to think on. :)



Nice post, StupidForumName. This will be my final input in this topic; as others and I have pointed out, I've only had to repeat myself countless times for quite a while.



StupidForumName and ahubble, you were both there when the original incident happened, as was I. We all witnessed the deletion of posts regarding PIFTS.EXE long before any spam started, and we have been told that we are the liars. All the Norton lackeys have banded together near the end of this topic to make an attempt at belittling those who weren't satisfied with the answers, and take control of the thread. At this point, as I have previously noted, we will never get the answer we are searching for. Administrators have stated not only that the deletion was due to spam, but also that the REASON it took so long to provide paying customers with any useful information on PIFTS.EXE was because they had to deal with a "spam bot attack". All of us know that's simply not true, but no other answer will ever be supplied.



All I have to say is this: Norton knows they have made a huge mistake, but admitting it will only cause them further harm, since the situation in their eyes has already been solved, and it will eventually die off. Damage control, damage control, damage control. That is all this has ever been since the start. They won't admit it, but they'll know very well how true it is.



For those still reading, use some common sense. When PIFTS.EXE first surfaced, naturally the only people coming here would be legitimate users seeking information about what PIFTS.EXE was. What Norton is trying to get us to believe is that the "spam bot attack" (it wasn't bots) was purely random, and happened to occur at the perfect time to disrupt their attempt at helping the legitimate customers. This simply is not true; there are multiple people who have confirmed it is not true, and besides that, it makes NO SENSE to anyone who can employ basic logic. It seems obvious that the spam was a result of rising suspicion, since so many real customers were having their topics buried and accounts deleted.



So, rather than listen to me, OR listen to Norton, listen to yourself in all this. What makes sense to you? Did Norton betray your trust in an attempt to protect their image? Or did a super-human spam bot magically appear at just the right time to be made a scapegoat of, right when PIFTS.EXE surfaced on people's computers? I think the answer is clear.



Take care, all ;)

A final note

Well, after scanning through the Norton forums 3 days later, it seems that Norton's lackeys have all banded together to thwart the efforts of those seeking truth. They continuously reference official statements, and try to find ways to belittle those who aren't satisfied with the explanations that have been given. At one point, an administrator even claimed that those who were saying topics got deleted long before the spam started were the ones who were lying, and not them. Although the topic has continued on, I for one am finished with it. The evasiveness of the Norton team will never be solved, it seems, and now I must leave you with one final question:

Do you trust a company who can allow a security breach of such MASSIVE scale to escalate for 3 days without really giving their "valued" customers any sort of concrete response? I just read a recent post claiming that the "spam bot attack" was the reason why they had a hard time pulling information together for the users, but as most of us know, the spam attack stopped, and the official PIFTS.EXE thread continued on for days, still with no real attention being put into it. There is simply no excuse, and they have all been given specific instructions on how to coordinate their lies in a way that seems believable.

I'll leave this blog up for anyone seeking information. Take care, folks.

Wednesday, March 11, 2009

Two days after PIFTS.EXE


I woke up today and decided to check out the Norton forums' official PIFTS.EXE topic, in search of what new developments have taken place. I was treated, for the most part, to the reiteration of points that I and others have made countless times throughout the course of the topic. It is sad to see a few sheep are still able to argue with such blunt evidence regarding the deletion of honest topics, and the obvious cover-up.

There was one very useful post providing some insight into what actions PIFTS.EXE actually takes, and I'd like to post it here:

An admin over at The Bleeping Computer clarifies why the other content is being accessed:


Unfortunately, most people here do not understand programming. The reason why this program opens up so many of these folders is not because they are scraping the contents, but because the libraries and modules they are using to access the Internet automatically access them. I monitored all file access while running the program, and yes they did access the folders, but did not query the contents.

This is just conspiracy theory fodder at its best.

---------------------------------------------------------------------------------------------------------

Slightly reassuring, right? I have only these things to say:

Symantec will most likely not provide us any more information, since they will assume that, for the most part, the damage is done. They've "pulled" the patch, even though it was apparently necessary enough to include in the update at one point. Only a limited number of users will ever hear about it.

They've posted an official statement, and most people will read that, and be satisfied. The information in the official PIFTS.EXE topic will most likely be passed right by.

If the pifts.exe process WAS necessary for them to determine all that information about which clients needed upgrading upon installation of Windows 7 (this, when you think about it, really makes absolutely no sense), then chances are they have remodeled the file so that it now runs in secrecy, and did not actually "pull" the patch.

Beyond that, even if the file is not scraping information from all these "conspicuous" places that it now has access to, who's to say that in the future, new updates might not make use of those new access points that Symantec has on all the users hit by the "blunder"? Consider this, friends :P.

Even if PIFTS.EXE accesses these sensitive areas of your computer as a result of the .NET Framework, or whatever it is it needs to do to "phone home", this at least proves that Norton has no qualms about sending you new executable files that access your computer in unexplained ways, with no "release notes", unsigned, and is not too worried about leaving the issue open for debate for days until really providing any insight whatsoever. They also have no qualms about deleting paying customers' topics and posts whenever a support issue comes up, as well as banning them, merely as the result of trying to cover up their own mistake. Not a reassuring way to treat customers, if you ask me.

Tuesday, March 10, 2009

Streisand Effect

Well, it seems that Symantec are done posting information for today, and there is not much to report aside from the fact that many posters seem to be wary now of how badly Symantec has dropped the ball, and have decided to put their trust into a different Antivirus suite. I'd like to mention, anyway, that I am in no way a conspiracy theorist, and I am not necessarily searching for problems in what Symantec does. I am merely looking for the truth, and the things I find happen to be negative. For those who aren't yet informed, feel free to read from the first post onward. It's titled Pifts.exe :P.

A new statement has been released, this time regarding exactly what PIFTS.EXE does. Here is the direct statement:

"PIFTS.exe or Product Information Framework Troubleshooter


This entry was created to answer the following key questions around PIFTS.exe:


- What is PIFTS.exe?
- What is the function of PIFTS.exe?
- What information does PIFTS.exe collect?


Norton security products contain a component called Product Information Framework (PIF), and a feature called LiveUpdate Notice (LUN).


LUN is an in-product messaging mechanism that is used to notify customers when new product versions are available. The messaging is targeted to particular systems based on product version, operating system version, and product state, and this state is determined by the PIF component.


For instance, LUN was used to notify users when a Vista compatible version of their product became available, and LUN will again be used to notify users when a Windows 7 compatible version of their product becomes available.


LUN is fully integrated into 2008 and later products, but is a standalone component in 2006 and 2007 products. LUN became available after the 2006 and 2007 products shipped, and was added to the 2006 and 2007 products using LiveUpdate (LU).


Symantec is aware of a problem affecting some 2006 and 2007 products where a subsequent PIF update did not successfully apply. The cause of this problem is currently under investigation, but the result is that these users may not receive appropriate LUN messaging.


To assist with identifying the extent, and potential cause, of the problem, Symantec created an investigative executable that analyzes the Norton product state, and reports the details to Symantec. This information will help Symantec to identify and correct the problem with PIF, in time for the Windows 7 release.


Product Information Framework Troubleshooter (PIFTS) executable details:


File name: PIFTS.EXE
File size: 102400 bytes
MD5 hash: 91b564d825a3487ae5b5fafe57260810


The PIFTS.EXE binary was released through LiveUpdate targeting 2006 and 2007 products. After downloading the LU package, LU executes PIFTS.EXE, and PIFTS.EXE collects product state information, and reports this information to Symantec.


PIFTS.EXE does the following:


- Determines what product is installed, NIS, NAV, N360, NCO, or NSW, by looking under the HKLM\Software\Symantec\InstalledApps registry key.
- Determines the version of the installed product by looking at the file version information of a key product file.
- Determines if PIF is installed by looking under the HKLM\Software\Symantec\InstalledApps registry key.
- Determines the version of PIF by looking at the file version information of two key PIF files.
- Determines if PIF is enabled, and what the PIF state is, by looking at the PIF registry under HKLM\Software\Symantec.
- Determines the version of PIF that LiveUpdate believes is installed, by reading the LU catalog.
- The collected information, as described above, is reported to a Symantec server, called stats.norton.com, using an HTTP GET request. This server is located at a Symantec datacenter located on the East Coast of the United States.


No additional information is collected, no personal information is collected, and no system modifications are made."
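A read-only PowerShell audit, added here as an example and not code from Symantec or from this blog, that checks a copy of PIFTS.EXE against the size and MD5 quoted in the statement above, reports its Authenticode signature status (Dave Cole's later statement says the patch shipped unsigned, which is what triggered the firewall prompts), and lists the HKLM\Software\Symantec registry data the statement says the tool reads. The sample path is an assumption, and the guess that InstalledApps values are install directories is labelled in the comments.

```powershell
# Added audit example (not Symantec's or the blog author's code). All checks
# are read-only: nothing is written to the registry or the file system.
param(
    [string]$SamplePath = 'C:\Samples\PIFTS.EXE'   # assumed location of the sample
)

# Values quoted in Symantec's statement.
$ExpectedSize = 102400
$ExpectedMd5  = '91b564d825a3487ae5b5fafe57260810'

function Get-Md5Hex([string]$Path) {
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($stream) }
    finally { $stream.Dispose(); $md5.Dispose() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# 1. Does the file on disk match what Symantec described, and is it signed?
if (-not (Test-Path -LiteralPath $SamplePath)) {
    Write-Warning "No file at $SamplePath; skipping file checks."
} else {
    $item = Get-Item -LiteralPath $SamplePath
    $hash = Get-Md5Hex $item.FullName
    # Status 'NotSigned' is what an unsigned release looks like here;
    # 'Valid' means a trusted Authenticode signature is present.
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
    [pscustomobject]@{
        File            = $item.FullName
        SizeBytes       = $item.Length
        SizeMatches     = ($item.Length -eq $ExpectedSize)
        MD5             = $hash
        MD5Matches      = ($hash -ieq $ExpectedMd5)
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        FileVersion     = $item.VersionInfo.FileVersion
    } | Format-List
}

# 2. Registry locations the statement names as what PIFTS reads.
$SymantecRoot  = 'HKLM:\Software\Symantec'
$InstalledApps = Join-Path $SymantecRoot 'InstalledApps'

if (Test-Path $SymantecRoot) {
    Write-Host "Subkeys under ${SymantecRoot}:"
    Get-ChildItem -Path $SymantecRoot | ForEach-Object { Write-Host "  $($_.PSChildName)" }
}

if (Test-Path $InstalledApps) {
    Write-Host "Values under ${InstalledApps}:"
    (Get-ItemProperty -Path $InstalledApps).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |     # drop PowerShell's own PSPath etc.
        ForEach-Object {
            $line = '  {0} = {1}' -f $_.Name, $_.Value
            # Assumption: some values are install directories. If so, show the
            # file version of the first .exe/.dll found there, since the
            # statement says the tool inspects file version information.
            if (Test-Path -LiteralPath "$($_.Value)" -PathType Container) {
                $first = Get-ChildItem -LiteralPath $_.Value -Recurse -ErrorAction SilentlyContinue |
                    Where-Object { -not $_.PSIsContainer -and $_.Name -match '\.(exe|dll)$' } |
                    Select-Object -First 1
                if ($first) { $line += '  [{0} v{1}]' -f $first.Name, $first.VersionInfo.FileVersion }
            }
            Write-Host $line
        }
} else {
    Write-Host "$InstalledApps not present (no Norton product recorded here)."
}
```

On 64-bit Windows a 32-bit Norton product registers under HKLM:\Software\Wow6432Node\Symantec instead, so point $SymantecRoot there if the first lookup comes back empty.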



Now, if you run an analysis of PIFTS.EXE on http://anubis.iseclab.org/, it gives you this warning:


Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web

It seems contradictory, does it not? "No system modifications are made". Yet it changes the security settings of Internet Explorer?

Performs Registry Activities: The executable reads and modifies register values. It also creates and monitors register keys.

What's this? More changes to your system? Even if I don't know for exactly what reasons these changes are made, they still contradict the claim that "No additional information is collected, no personal information is collected, and no system modifications are made." Those sure look like modifications to me.

Found a very interesting post.


Read this. Seems to confirm what I was saying. Not sure how accurate any of it is, but I can't imagine someone making up such elaborate backgrounds about former military intelligence officers and whatnot.


Fascinating, they call it a simple update? It is not.

The program analyzed:

»anubis.iseclab.org/?action=resul···mat=html

It clearly goes through and scrapes your history, temp files, cookies, etc, and it tries to contact a shady online storage place they recently acquired. Let's do a lookup on swapdrive! 67.134.208.160:80 is where PIFTS.exe asks to connect to.

Domain Name: SWAPDRIVE.COM

Administrative Contact:
Wallace, Marc
Web Data Group, LC
PO BOX 7241
ARLINGTON, VA 22207-0241
US
703-352-1578

www.webdatagroup.com

Click on " Competitive intelligence." Interesting! They talk about military intelligence gathering right on the page. So this "update" is scraping internet history and temp data and trying to contact a company who does online storage with shady ties to intelligence gathering. If it is datamining, Americans need not be surprised, we had AT&T do it on our phones and some act as if our computers are immune. Hey, let's look more into one of the owners of Swapdrive in the Web Data Group! There are more interesting people than Marc Wallace.

www.spoke.com...

"Roland Schumann is a former military intelligence officer, having served both on active duty and in the reserves. Trained in unconventional warfare and electronic intelligence gathering, he also has practical experience in airborne operations, human intelligence (HUMINT), counter-intelligence, and counter-terrorism. He has performed risk analyses in Latin America for the US government and in the United States for commercial and government interests."

It is helped to be run by a former military intelligence officer. So there you have it, you have very shady actions by Symantec regarding the whole thing making people suspicious by deleting any mention of it, they claim it is a simple update, and when we dive into it, we find out it scrapes your internet history and temp files, interfaces with Google Desktop (G O E C 6 2 ~ 1 . D L L ), and then where does it try to go? It tries to jump straight to Swapdrive (we know this because it asked permission to go to 67.134.208.160:80, which is Swapdrive). Who owns swapdrive? The Web Data Group based out of Arlington (wow, the same place the Pentagon is located, what a coincidence) who has a statement about using military intelligence information gathering right on their website and who has owners with shady backgrounds as army intelligence officers, and when Symantec is asked about PIFTS.exe, it immediately tries to cover it up and deletes everything related to it in a very suspicious fashion. Follow the trail, do some research, dig around.

Oh no folks, move along, certainly nothing interesting to see here!

Pifts.exe

On March 9th, 2009, Norton Internet Security users who had chosen to run LiveUpdate to update their software were presented with a strange event. Suddenly, firewalls were popping up with a new executable file that wanted access to the internet. This file is called PIFTS.EXE (Public Internet and File Tracking System). Alarmed, customers of Symantec began to pile into the Norton users' discussion forum on symantec.com, in search of answers as to what this strange file could be.

A topic where most of the discussion took place was eventually deleted, and as more users came in search of answers, more topics were started, and in turn, deleted. Some users were even banned from posting as a result of inquiries about PIFTS.EXE. As people searched for answers, news of PIFTS.EXE spread across the internet, and certain tech-savvy users began picking the program apart, in an attempt to unlock its true purpose.

Discussions on websites like slashdot.org were breaking out, and eventually it was discovered that PIFTS.EXE actually was a data-mining program, which was recording information from Internet Explorer history files, Temporary Internet Files, and Google Desktop, and then transmitting it back to a few sources. Upon this discovery, numerous conspiracy theories were spawned, since all the while, any topic so much as mentioning PIFTS.EXE was being swept under the table on the Norton forums within minutes.

As Norton continued to delete topics and ban users on their forums, other websites containing information about PIFTS.EXE, such as digg.com, started suddenly pulling their pages, which provided further fuel for the conspiracy theorists. Eventually 4chan.org caught word of PIFTS.EXE, realized there was a massive cover-up taking place, and decided to raid the Norton forums and spam endlessly in an attempt to force Norton to cough up the truth. Finally, after roughly a day and a half, Director of Symantec Security Response Dave Cole released this statement on their forums:

Hi everyone,

Symantec released a diagnostic patch "PIFTS.exe" targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 - 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec "unsigned", which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.

There has been activity in the Norton User Forum related to PIFTS.exe which has generated additional concern and media speculation. At approximately 10:30pmET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals. One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec. Below are some examples of the forum spam we received from these new user accounts. These forum posts contained no text in the body of the message, simply a subject:

  • O LAWD IM CHOKIN ON PIFTS PLZ HALP
  • OH GOD YOU GOT CHOCOLATE IN MY PIFTS
  • If you wanna be my NORTON/ you gotta deal with my P ! F T S . E X E
  • IF PIFTS.EXE WAS HERE, THEN WHO WAS PHONE?
  • PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE
  • I LOVE MY PIFTS.EXE

Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts.



I'd like to point out a few glaring flaws in this statement, which have aroused further contempt on the Norton forums, now that they have opened back up.

First of all, I was informed of the PIFTS.exe incident by a friend virtually as soon as it started to make its first ripples across the web. I decided to do a bit of research myself, and found myself on the Norton forums last night, where I encountered several topics regarding the issue, ALL of which were polite, genuine inquiries, and all of which were being deleted. There were numerous concerned customers there, seeking answers as to what PIFTS.exe could be, and rather than be given ONE legitimate response, users had their topics deleted, and members' posting rights were removed. As I witnessed it taking place, the gravity of the situation began to dawn on me. At this point, a VERY minimal amount of spam was taking place on the forums, IF ANY. I for one did not witness anything but genuine questions about what was going on, and why PIFTS.exe was trying to access the user's connection.

In Dave Cole's statement, he said "At approximately 10:30pmET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals." This may be true, but at the origin of the problem, only the first users to be notified of PIFTS.exe were on the forums asking questions. No spam was taking place, and many users have since vouched for it. The matter was simply being swept under the table, and absolutely no reason was being given.

He also went on to say "Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts." Again, this is simply false. From the VERY FIRST TOPIC that was spawned about PIFTS.exe, Symantec began to delete any mention of the problem. Long, long before 4chan.org's infamous /b/ decided to raid their forums, this was taking place. In fact, the spam and abuse of Norton's forums was a DIRECT result of legitimate topics being deleted. If that hadn't taken place to begin with, there would have been no reason for contempt. If a simple response had been given, and the situation handled, none of this would have occurred.

Dave Cole is obviously using the spam that occurred as a scapegoat to cover up what really happened. It was an attempt to minimize damage, for those who weren't around originally when all the legitimate questions were being wiped off the face of the earth (or internet, at least). This is undeniable, and many people witnessed it as it went down. Take note of how his statement focuses heavily on the spam, barely addresses the issue, and still makes no mention of what PIFTS.exe actually is.

Around the time the statement was released, Norton's forums were also opened back up for discussion, with one new topic called "PIFTS.EXE discussion thread" which users were asked to use in regards to the issue. I used this opportunity to raise a great deal of legitimate questions that I'm sure many people have been asking, under the username Anshar. After poking around on the internet a bit, I found this statement:

Dave Cole, senior director of product management at Symantec, said the PIFTS file was part of a "diagnostics patch" shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.

"We have to make sure before we migrate users to a new product that we can see what kind of load we can expect on our servers, and which customers are going to have to be moved up to the latest version of our product," Cole said.

As to why Symantec has been deleting posts about this from their user forum, Cole said the company noticed that minutes after the update went out hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments.

"We want to be out there in the community, but by the same token, if we see abuse we will shut it down pretty quickly," Cole said. "There was no attempt at secrecy here, but people were spamming the forum and making it unusable to everyone."

Again, Dave Cole seems to lie through his teeth regarding why posts were deleted. As I mentioned before, every single post regarding PIFTS.exe was deleted, long before spam started. So either way, despite the claim that "There was no attempt at secrecy here", had PIFTS.exe actually been signed, and had the firewalls not detected it, all the users of NIS would right now be having their information logged and stored, without warning.

Dave also mentioned in the first statement that "The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution." So a patch that was so vital in helping Norton gather information about operating systems and program upgrades is suddenly pulled from further distribution? Either that, or it got ironed out, and is now able to run in secrecy. I smell something fishy.

So let me get this straight. In order to "determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7", Symantec needs to log cookies, temp files, Internet Explorer information, and record searches in Google and Google Desktop? I suppose a simple survey just isn't sufficient for such a large undertaking, right? Or even just a simple script to detect which operating system the user is running? NIS 2009 is capable of that on its own.

It has been more than 24 hours since the initial release of PIFTS.exe, and so far, things are still up in the air. I decided to start this blog just as a way to log accurate information as to what took place, as it took place, since it seems that many other sources are vanishing from the Internet. Although things are still unclear, a few things are certain: Symantec have invested lots of time in trying to cover this up, no matter how you want to slice it. They have taken a painfully long time in providing answers to their "valued" customers, and STILL have yet to really clear things up. I was eventually given a response from a forum administrator named Tim Lopez, and in it, he said "I just wanted to let everyone know that it's not being ignored. In fact, this is a big deal to us and we're doing everything we can to get things squared away." If, days later, this is the result of "everything" they can do to get things squared away, I must say that your trust in Symantec is misplaced. Boycott Symantec products, regardless of what has occurred here. They have proven that they are not trustworthy, and have also proven that they have no qualms about lying through their teeth, and abusing their customers.

Expect further updates as the story progresses.