Antonizoon edited this page Aug 20, 2014 · 3 revisions

PIFTS.exe accesses your Internet History, Temporary Internet Files and Google Desktop. It appears to be tracking your searches. Norton is deleting all comments about it on their forums, and they were being deleted on Yahoo! Answers as well.

CONTACT

  1. Pifts.exe @ irc.freenode.net ---> MOVED TO: #pifts @ irc.annonnet.org
  2. Pifts.exe_misinfo @ irc.freenode.net

Both channels are dead because everyone finally realized that the pifts conspiracy was bullshit.

DATA

  1. http://pastebin.com/m1e207a78 (file string)
  2. http://www.mediafire.com/?mnmh35b9d0k (rar files with the exe and associated files)
  3. http://www.megaupload.com/?d=HV4TFAJJ (PIFTS.exe disassembled)
  4. http://anubis.iseclab.org/?action=result&task_id=19d7659347c3ebcd4a5ba7e9faa60fa14&format=htm (srs website wondering wtf the file is)

MEDIA

  1. http://it.slashdot.org/article.pl?sid=09/03/10/139229 (WIN!)
  2. http://digg.com/software/What_is_PIFTS_and_why_is_Symantec_covering_it_up
  3. http://digg.com/software/What_is_PIFTS_and_why_is_Symantec_covering_it_up? (pretty much abandoned digg mirror)
  4. http://www.reddit.com/r/reddit.com/comments/83hjr/symantec_covering_up_the_piftsexe_file_and/
  5. http://www.tech-linkblog.com/2009/03/conspiracy-theories-run-rampant-due-to-piftsexe.html
  6. http://www.abovetopsecret.com/forum/viewthread.php?tid=444230
  7. http://forums.zonealarm.org/zonelabs/board/message?board.id=Off-Topic&message.id=19880
  8. http://community.norton.com/norton/board?board.id=nis_feedback (Norton Internet Security / Norton AntiVirus Forums, community.norton.com locked as of 3/10/2009)
  9. http://chrysler5thavenue.blogspot.com/2009/03/piftsexe.html
  10. http://forums.shoryuken.com/showthread.php?s=8861e008de41ff5bc2c71247750de8d3&p=6268378 (discussion about pifts.exe and Steve Gibson's podcast, Security Now! podcaster. Users hoping he can explain wtf the file is all about)

GigaZine.net

  1. http://gigazine.net/index.php?/news/comments/20090310_pifts_exe_norton/ (Japanese tech blog picked up on the story)
  2. http://translate.google.com/translate?prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fgigazine.net%2Findex.php%3F%2Fnews%2Fcomments%2F20090310_pifts_exe_norton%2F&sl=ja&tl=en&history_state0= (translation to English)

jp.msn.com

  1. http://questionbox.jp.msn.com/qa4784219.html (MSN Japan post about it in a tech help section of their site. Site is regional, it seems)
  2. http://74.125.113.132/translate_c?hl=en&ie=UTF-8&sl=ja&tl=en&u=http://questionbox.jp.msn.com/qa4784219.html&prev=_t&usg=ALkJrhj_g1aRvBSFwp1sJVA-YQdRZzE57A (translation to English)

2ch.net

  1. http://pc11.2ch.net/test/read.cgi/sec/1235400043/642n (2ch BBS discussion begins)
  2. http://74.125.113.132/translate_c?hl=en&ie=UTF-8&sl=ja&tl=en&u=http://pc11.2ch.net/test/read.cgi/sec/1235400043/642n&prev=_t&usg=ALkJrhiCZNufy_SmBRfQwdAdMczO0v2whQ (translation to English)

IMAGES

  1. http://img220.imageshack.us/img220/9219/tcpview.jpg -- A cap of pifts trying to access the internet, taken in the second or so it displayed.
  2. http://img18.imageshack.us/img18/8581/pifts.gif
  3. http://img3.imageshack.us/img3/3863/pifts2.gif
  4. http://img142.imageshack.us/img142/750/1236680748455.jpg (properties of a file in an update directory, unconfirmed if it's the real file or just a faker trying to get attention, I suspect it is the real one)
  5. http://img5.imageshack.us/img5/6486/1236683072542.jpg (info about pifsvc.exe which seems related)
  6. http://gigazine.jp/img/2009/03/10/pifts_exe_norton/pifts01.png (/b/ having some fun, but there were lots of legit posts about pifts.exe before they got there)
  7. http://img111.imageshack.us/img111/6922/registeration.jpg (taken at http://community.norton.com/norton/user_signup that's some weird shit going on, those mods should get fired.)

OFFICIAL STATEMENT

Norton product patch "PIFTS.exe" and Norton Users Forum [ Edited ]

[posted by] davecole, Symantec Employee, Posts: 45, Registered: 04-07-2008

Hi everyone,

Symantec released a diagnostic patch "PIFTS.exe" targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 - 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec "unsigned", which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.

There has been activity in the Norton User Forum related to PIFTS.exe which has generated additional concern and media speculation. At approximately 10:30pmET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals. One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec.

Below are some examples of the forum spam we received from these new user accounts. These forum posts contained no text in the body of the message, simply a subject:

* O LAWD IM CHOKIN ON PIFTS PLZ HALP
* OH GOD YOU GOT CHOCOLATE IN MY PIFTS
* If you wanna be my NORTON/ you gotta deal with my P ! F T S . E X E
* IF PIFTS.EXE WAS HERE, THEN WHO WAS PHONE?
* PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE
* I LOVE MY PIFTS.EXE

Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts.

Finally, it has also been reported by the Washington Post that hackers are taking advantage of this situation. "Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them." When searching for information on "pifts.exe," Symantec strongly advises all users to be wary of following links to unknown sites as malicious users are attempting to use this hot topic to distribute malware.

Message Edited by davecole on 03-10-2009 12:45 PM

03-10-2009 12:42 PM

Posts were being deleted before /b/ raided the forum. This has been recorded by many bloggers, especially by http://www.tech-linkblog.com/2009/03/conspiracy-theories-run-rampant-due-to-piftsexe.html/ whose post was made well before /b/ had been shown a place to troll. The existing evidence is overwhelmingly against the idea that posts were being deleted only after /b/ began to raid the forum.

TROLLING

Because of the interest in the unknown file, caused by its appearance on over 9000 computers, everyone with half a brain was googling it and visiting Norton's support forums to post about what this file was about. For some unknown reason, be it a pissed off mod or a corporate cover-up, all the threads with pifts.exe in the subject line were deleted in less than 5 minutes after they were posted, some as fast as 2 minutes. These threads were from Norton customers and users. News then got to /g/ (someone posted asking about what it was, like lots of people do when their computers do stuff unexpectedly), and that led Ebaums to the Norton forum. Soon enough /b/ had been notified and they started to raid the shit out of those forums, for great lulz which were had. If you go to the OFFICIAL STATEMENT you will see Symantec claiming they were only deleting raid threads, when in reality they were deleting all threads with the words 'pifts' and 'pifts.exe', and even others that would only be human readable, so it was not a broken forum bot.

  1. http://encyclopediadramatica.com/User:Hometownrog/Pifts.exe (a summary of the /b/ raids on Norton's support forums)
  2. http://www.mediafire.com/download.php?mj4mwjow0eg (trolling a Norton call center)
  3. http://gigazine.jp/img/2009/03/10/pifts_exe_norton/pifts01.png (/b/ having some fun, but there were lots of legit posts about pifts.exe before they got there)
  4. http://images.encyclopediadramatica.com/images/8/85/Early_in_raid.png (early in the raid)
  5. http://images.encyclopediadramatica.com/images/1/18/PFITSBanned.jpg (someone is banned from /b/ for claiming pifts.exe does not exist)

"My name is PIFTS.EXE, and I hate every single one of you. All of you are fat, retarded, no-lifes who spend every second of their day looking at stupid bleep executable files. You are everything bad in the world. Honestly, have any of you ever gotten any decent reverse engineering software? I mean, I guess it's fun making conspiracy theories because of your own insecurities, but you all take to a whole new level. This is even worse than that notepad charset bug. Don't be a stranger. Just hit me with your best shot. I'm pretty much perfect. I was distributed with AV software, and hidden in your AppData folder. What routines do you execute, other than float division by zero due to bleepty programming? I also get to gather your data, and send it to Africa (they have your naked pictures now; bleep was SO cash). You are all bleepgots who should just kill yourselves. Thanks for listening." — The Necessary So Cash

  1. http://images.encyclopediadramatica.com/images/b/b9/Boxxy_Pifts.JPG (Boxxy comes to help out)
  2. also see: http://encyclopediadramatica.com/User:Hometownrog/Pifts.exe#Gallery

RELATED

pifsvc.exe (process info for LiveUpdate Notice Service) may be related in purpose to pifts.exe, since both are named with P I F, which is in the Windows registry of computers with Norton installed.

links: http://www.google.com/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&channel=s&hl=en&q=%22pifsvc.exe%22&btnG=Google+Search

OTHER IDEAS

Manifesto

Anonymous 03/10/09(Tue)06:29:36 No.122551388 (from /b/)

Anon, I propose a war. A war unlike any others. Please, hear me out. A wise anon posted this.

>Ummm, shouldn't we be fanning these flames of mistrust into ever greater fear and ultimately rage?
>I mean, shouldn't we harness this to cause damage to someone, which would be Symantec's reputation I guess.
>Anyway, this thread seems just too passive. When there is something unusual and possibly scary, but probably not, I think we should give it a nudge into horrifying paranoia.
>I like the North African IP thing. What would sound scary there? Al Qaeda in Eritrea? A new Al Qaeda online cyberterror front that has designs on stealing people banking details and identities for use in funding and supplying terror ops? Did they have a spy named Arun at Symantec? Arun [make up good sounding arab surname] of Al Qaeda in Eritrea?

This got me thinking. He's right, on one hand we've got everyone looking to norton for an explanation and everyone else searching the internets for the string "pifts.exe". I say we start making claims. We blow this out of proportion. IMO the best way to go about this is by coming up with a few "facts" and then every anon can string them together however they like.

continued in next post

Anonymous 03/10/09(Tue)06:30:00 No.122551434

part 2

We'd be posting on the forums as someone said in another post.

>We're joining in the game a little bit late so we will want to plan ahead. Everyone needs to make accounts on their forums. If we just raid it as is they'll probably stop allowing new accounts and just block the already made accounts from being able to post (seems to be their current tactic). So how about we start the raid in two hours? Does that seem like enough time for everyone to make accounts? We don't want to give them enough time to come up with a story that will calm everyone down.
>Remember, we're like the 300 spartans, the whole internets is practically raiding them right now, but we're the only ones who know what the fuck we're doing.

Also, we'd be making blogs and shit which we would be linking to for our sources. The more blogs we have and the more interlinked they are the harder it will be to disprove (think religious circular logic). Blag A cites Blog B which cites Blog C and A and so on and so forth.

FBI/Magic Lantern

"Magic Lantern is keystroke logging software developed by the United States' Federal Bureau of Investigation. Symantec, the makers of Norton AntiVirus and related products, is reportedly working with the FBI on ways to preclude their products from detecting Magic Lantern. Eric Chien, a top researcher at Symantec, emphasized the ability to detect "modified versions."" --Anonymous

There is some discussion that Pifts.exe may be a keylogger program, a modified version of Magic Lantern [ http://en.wikipedia.org/wiki/Magic_Lantern_(software) ]

COPYPASTAS

Apparently something big is happening. A mysterious program known as pifts.exe is attempting to contact a server in Africa and seems to be associated with Symantec's anti-virus system, Norton. There is virtually no information on the internet regarding pifts.exe, aside from this blog and threads such as these. Symantec are supposedly deleting any mention of pifts.exe from their community forums and so users have moved to ZoneAlarm's Forums.

Magic Lantern is keystroke logging software developed by the United States' Federal Bureau of Investigation. Symantec, the makers of Norton AntiVirus and related products, is reportedly working with the FBI on ways to preclude their products from detecting Magic Lantern. Eric Chien, a top researcher at Symantec, emphasized the ability to detect "modified versions."

P.I.F.T.S. Public Internet and File Tracking System

It goes offshore because there's no law forbidding sending it to foreign governments. If governments want to spy on their own citizens, it is normal for them to have foreigners do it in order to get around normal restrictions about spying on their own people.

CHAT LOGS FROM LIVE SUPPORT

All this info is fake, I don't care if you use it.

Mr. Mark Cole has entered room.
Basil has entered room.
Basil(Tue Mar 10 2009 05:12:36 GMT-0400 (Eastern Daylight Time))> You are being transferred to Basil.
Basil(Tue Mar 10 2009 05:12:46 GMT-0400 (Eastern Daylight Time))> Welcome to Norton. Is this the first time you are contacting us or do you have a Priority ID?
Mr. Mark Cole(Tue Mar 10 2009 08:13:11 GMT-0400 (Eastern Daylight Time))> First time
Basil(Tue Mar 10 2009 05:13:11 GMT-0400 (Eastern Daylight Time))> May I confirm your email address as mark@markcole.net and direct phone number as (310) 201-0161 , am I right?
Mr. Mark Cole(Tue Mar 10 2009 08:13:40 GMT-0400 (Eastern Daylight Time))> Yes.
Basil(Tue Mar 10 2009 05:13:37 GMT-0400 (Eastern Daylight Time))> May I know which country you are connected from?
Mr. Mark Cole(Tue Mar 10 2009 08:14:00 GMT-0400 (Eastern Daylight Time))> United States
Basil(Tue Mar 10 2009 05:13:55 GMT-0400 (Eastern Daylight Time))> Please provide me your alternate phone number or mobile number for quality assurance.
Mr. Mark Cole(Tue Mar 10 2009 08:14:25 GMT-0400 (Eastern Daylight Time))> I do not have any alternate phone numbers.
Basil(Tue Mar 10 2009 05:14:21 GMT-0400 (Eastern Daylight Time))> Please let me know which Symantec product you are using and its version/year.
Mr. Mark Cole(Tue Mar 10 2009 08:15:07 GMT-0400 (Eastern Daylight Time))> I am using Norton Antivirus 2009 with Windows XP SP 3
Basil(Tue Mar 10 2009 05:15:06 GMT-0400 (Eastern Daylight Time))> Mark , are you connected from the computer, which is facing this particular issue?
Mr. Mark Cole(Tue Mar 10 2009 08:15:31 GMT-0400 (Eastern Daylight Time))> Yes.
Basil(Tue Mar 10 2009 05:15:28 GMT-0400 (Eastern Daylight Time))> Thank You for all the information. I would now create a Priority ID for you. In the meanwhile could you please give me a short description about the issue you are facing on your computer.
Mr. Mark Cole(Tue Mar 10 2009 08:16:40 GMT-0400 (Eastern Daylight Time))> I run Norton Antivirus with ZoneAlarm free firewall. Apparently, PIFTS.exe has asked for internet access more than 10 times in the past hour. After some googling I found PIFTS.exe to be a product of Norton.
Basil(Tue Mar 10 2009 05:16:52 GMT-0400 (Eastern Daylight Time))> Thank You for your patience. Your Priority ID is 492001608 . Please make a note of it for future reference.
Mr. Mark Cole(Tue Mar 10 2009 08:17:17 GMT-0400 (Eastern Daylight Time))> Ok.
Basil(Tue Mar 10 2009 05:17:18 GMT-0400 (Eastern Daylight Time))> As I understand from your issue, you are getting PIFTS.exe alerts for internet access . Am I correct?
Mr. Mark Cole(Tue Mar 10 2009 08:17:42 GMT-0400 (Eastern Daylight Time))> Yes.
Basil(Tue Mar 10 2009 05:18:38 GMT-0400 (Eastern Daylight Time))> Do you suspect any virus infection in your system?
Mr. Mark Cole(Tue Mar 10 2009 08:20:11 GMT-0400 (Eastern Daylight Time))> Yes, I am somewhat experienced with computers and I have found this program to access two IP addresses. One in Kirkland, Washington, and one in Washington, DC. Does Symantec have anything in those areas?
Basil(Tue Mar 10 2009 05:20:12 GMT-0400 (Eastern Daylight Time))> We are here to help you.
Basil(Tue Mar 10 2009 05:20:26 GMT-0400 (Eastern Daylight Time))> Mark, is your system performing slower than usual?
Mr. Mark Cole(Tue Mar 10 2009 08:21:22 GMT-0400 (Eastern Daylight Time))> You didn't answer my previous question. Does symantec have any operations in the areas that this program is trying to access?
Basil(Tue Mar 10 2009 05:21:49 GMT-0400 (Eastern Daylight Time))> No Mark, Norton virus removal queue located in India.
Basil(Tue Mar 10 2009 05:21:52 GMT-0400 (Eastern Daylight Time))> Did you observe any suspicious behavior of your computer that indicates a possible infection?
Mr. Mark Cole(Tue Mar 10 2009 08:22:47 GMT-0400 (Eastern Daylight Time))> Yes, I noticed this "PIFTS.exe" to access stats.norton.com and it also goes through my internet cache files.
Basil(Tue Mar 10 2009 05:23:13 GMT-0400 (Eastern Daylight Time))> Does your browser gets re directed to web sites like SpyLocked, Virus Protect Pro, Antivirgear, Ultimate Defender, SecurePC Cleaner Etc ?
Mr. Mark Cole(Tue Mar 10 2009 08:23:43 GMT-0400 (Eastern Daylight Time))> No, it does not.
Mr. Mark Cole(Tue Mar 10 2009 08:24:35 GMT-0400 (Eastern Daylight Time))> Do you mind if I ask why any thread started in Norton's forums about PIFTS.exe is deleted within 5 minutes?
Basil(Tue Mar 10 2009 05:26:39 GMT-0400 (Eastern Daylight Time))> Am sorry Mark. Am not technically trained. These questions are best answered by the Consultant, who are the experts in this field and who would troubleshoot on the computer.
Basil(Tue Mar 10 2009 05:26:48 GMT-0400 (Eastern Daylight Time))> Mark, from the description you gave me we are unable to find any signs of virus or spyware activity on your computer, however we can only confirm this with certainty, on completion of a detailed diagnosis. If you suspect a virus on your system, our expert consultants will diagnose your system, and troubleshoot any virus or spyware/malware if present on your computer. If we find any infection on your system, we would be glad to assist you in removing it. We would connect remotely to your computer and fix the issue. There would be consultation fee for this premium service. Would you like me to go ahead?
Mr. Mark Cole(Tue Mar 10 2009 08:27:55 GMT-0400 (Eastern Daylight Time))> Then may I please speak with a consultant that can help me?
Basil(Tue Mar 10 2009 05:27:59 GMT-0400 (Eastern Daylight Time))> The Consultation fee would be US $99.99. We guarantee to identify any threats that may be on your system. Once we have found them, we will remove them. In addition we guarantee our work for a period of 7 days from today.
Basil(Tue Mar 10 2009 05:28:00 GMT-0400 (Eastern Daylight Time))> So shall we proceed with your permission?
Mr. Mark Cole(Tue Mar 10 2009 08:30:03 GMT-0400 (Eastern Daylight Time))> No, I want to know why symantec is covering pifts.exe and I refuse to pay money to find that out.
Basil(Tue Mar 10 2009 05:30:04 GMT-0400 (Eastern Daylight Time))> There can be several possible reasons for this:-

  1. The infected file is active on your computer;
  2. It is sort of "embedded" into your browser (such as an Add-on) or into some other running softwares/applications;
  3. The infected has "assumed" system file status/rights and hence it cannot be simply deleted.

These are possible reasons, but we can only know the actual reason once a detailed diagnosis is complete. Your Norton software attempts to override these; however it is not always possible, since we need to adhere to various software conventions/standards, some of which could be set by the Operating System.
Basil(Tue Mar 10 2009 05:30:08 GMT-0400 (Eastern Daylight Time))> Is there anything else I can help you with?
Mr. Mark Cole(Tue Mar 10 2009 08:32:18 GMT-0400 (Eastern Daylight Time))> Ah yes, thanks for letting me know how PIFTS.exe embeds itself into my browser while it "supposedly" contacts Norton for updates. Does it attach to Internet Explorer, Firefox, or both?
Basil(Tue Mar 10 2009 05:32:57 GMT-0400 (Eastern Daylight Time))> Am sorry Mark , we can not say without diagnose your system.
Basil(Tue Mar 10 2009 05:32:58 GMT-0400 (Eastern Daylight Time))> If you need to contact Norton again please visit http://www.symantec.com/vremoval . It has been pleasure assisting you. Thank you for choosing Norton. Have a great day ahead!!
Mr. Mark Cole(Tue Mar 10 2009 08:33:37 GMT-0400 (Eastern Daylight Time))> You too, enjoy infecting your valued customers' computers.
Basil(Tue Mar 10 2009 05:34:17 GMT-0400 (Eastern Daylight Time))> I do understand your concern; however as per our company policy, we can not troubleshoot your system without processing the fee.
Basil(Tue Mar 10 2009 05:34:18 GMT-0400 (Eastern Daylight Time))> Thank you for choosing Norton. Have a great day ahead!!
Basil(Tue Mar 10 2009 05:34:26 GMT-0400 (Eastern Daylight Time))> Please click on End Session.
Mr. Mark Cole(Tue Mar 10 2009 08:35:13 GMT-0400 (Eastern Daylight Time))> Well how rude. Try to cover up your PIFTS.exe then commanding me to click on something.
Mr. Mark Cole(Tue Mar 10 2009 08:35:38 GMT-0400 (Eastern Daylight Time))> How do I know clicking on End Session won't take me to porn sites?
Basil(Tue Mar 10 2009 05:36:51 GMT-0400 (Eastern Daylight Time))> You can see a "End Session" button in the top of the chat window.
Mr. Mark Cole(Tue Mar 10 2009 08:37:53 GMT-0400 (Eastern Daylight Time))> Yes I know that, but considering the recent events of PIFTS.exe I'm not sure I can trust this website.
Mr. Mark Cole(Tue Mar 10 2009 08:37:57 GMT-0400 (Eastern Daylight Time))> You click it for me.
Basil(Tue Mar 10 2009 05:38:32 GMT-0400 (Eastern Daylight Time))> Alright.
Mr. Mark Cole(Tue Mar 10 2009 08:40:04 GMT-0400 (Eastern Daylight Time))> Have you clicked it yet?
Mr. Mark Cole(Tue Mar 10 2009 08:40:07 GMT-0400 (Eastern Daylight Time))> Is it safe?
Mr. Mark Cole(Tue Mar 10 2009 08:40:12 GMT-0400 (Eastern Daylight Time))> Or is it a trap?
Basil(Tue Mar 10 2009 05:40:19 GMT-0400 (Eastern Daylight Time))> Yes Mark. You can click, It's safe.