The Inquirer-Home

African executable raises Symantec hackles

Norton buries head in sand over pifts.exe
Tue Mar 10 2009, 13:57

TECH BLOGS AND FORUMS are ablaze with panic over an unidentified executable file which is being flagged by Norton's security software.

It's not known whether the file, which some have reported trying to phone home to Africa, is malicious in any way, but the folks at Symantec aren't helping matters by reportedly deleting any posts or queries relating to the problem on their own forums.

Deleted

The company has apparently even resorted to banning further posts from anyone attempting to mention pifts.exe, as one user said:

"I have an old notebook with Norton AV. I was on it earlier and got a pop up from Norton asking if I wanted PIFTS.exe to access the internet. I had no clue what PIFTS.exe is so I decided to google it and see. Googling didn't help, so I decided to go to the Norton forums and ask there.

"I started a thread and immediately got a couple responses saying that it's popping up on a lot of computers using Norton and no one knows what it is but that something fishy is going on. The replies also said to not be surprised if my thread gets deleted, which I thought was kind of odd.

"Anyway, I checked my email and checked the forums here then went to check on my thread on the Norton forums. Amazingly, my thread was gone and my posting rights revoked! Kind of an odd thing for Norton to do I thought, but obviously they don't want people talking about whatever PIFTS.exe is, at least on [their] forums."

Other users are reporting that Symantec helpdesk staff have told them that the file is a normal update to Norton but, as the company has made no official announcement on the matter, this one is set to run and run.

The panic probably isn't being helped by the fact that one possible acronym for PIFT is Protocol Interbank File Transfer!

We'd suggest that you don't let pifts.exe have access to anything other than your trash bin until Symantec comes clean.

Thanks to reader Martin for the heads up. µ


Comments
Dude you installed Norton? LOL!

Not only did you install it, but you paid for it. Norton has such a bad reputation, why do people install it? You say don't blame the programmer, but why didn't they know this was a bad idea when they wrote it?

posted by : McQuibble, 11 March 2009
@ Angus

My comment wasn't directed to you personally. In fact, your comment wasn't even printed at the time I was composing mine.

Sorry for any confusion.

posted by : Ted, 10 March 2009
@ Ted

... Erm... I did read it - that's where I got "the patch was released by Symantec "unsigned", which caused the firewall user prompt for this file to access the Internet" from.... Duh!

posted by : Angus, 10 March 2009
FBI MAGIC LANTERN

FBI MAGIC LANTERN

posted by : the fbi, 10 March 2009
err

"lansalot: you've never admined a network have you? Dolt.
posted by : Anonymous Coward, 10 March 2009"

Nice one "Anonymous Coward". Yes I have. That's my day job. What I wouldn't do in that job is to say I'm going to shut off the entire extranet and intranet for the company, because "an executable" (which as of yet, NOBODY knows is even REMOTELY malicious) is on some PCs. You idiot. My "bandwagon" comment stands, and in light of your idiotic comments is even more relevant.

posted by : lansalot, 10 March 2009
Official explanation...

http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119

Read it.

posted by : Ted, 10 March 2009
The official line states...

"the patch was released by Symantec "unsigned", which caused the firewall user prompt for this file to access the Internet"

Now, forgive me for being wrong, but I am not concerned which products are 'signed', or not signed, but I WANT TO CONTROL what goes out through my firewall....

URL update.. http://stats.norton.com/n/p?module=2667&product=NIS&version=10.0.0.86&e=1.4.5.91&f=1.4.5.91&g=0&h=2&i=0&j=1.4.5.91 is a valid string, and while I do not possess any norton product more recent than 2000, I have warped their stats by 2...

posted by : Angus, 10 March 2009
see what happens....

... when you go to the URL in the exe file...

http://stats.norton.com/n/p?module=2667

nothing - but

http://stats.norton.com/n/p
gives an error from Apache Tomcat/6.0.18

and

http://stats.norton.com/n/

wants a password....

Playtime, anyone?

posted by : Angus, 10 March 2009
Norton

Hi, I take all PC with Norton and break in pieces small until Norton fix my internets. Boss hate my CPU rum

posted by : charnl, 10 March 2009
It's the sinister one.

Ken: if people are "clogging up the forums" over at Symantec, wouldn't the obvious simple answer be to post a sticky? Especially if they're going to kickban people for even *mentioning* it, wouldn't it be a good idea to warn them that this is going to happen? Or what, are we all on double secret probation over there?

lansalot: you've never admined a network have you? Dolt.

posted by : Anonymous Coward, 10 March 2009
Symantec Response

A few of us have emailed one of the tech support people directly and they are giving a canned answer:

I don’t have much detail about this issue. I believe that Symantec will be making a public announcement about this file in the near future. I do believe that it is a legitimate file delivered by live update. Unfortunately, somebody has chosen to abuse our Norton Community forums regarding this issue and the remediation for this abuse is having some unintended collateral damage.

I wish I could tell you more, but this is all that I know at this time.

- Reese

posted by : mark, 10 March 2009
another few possibilities...

(1) it's a Norton "product research" app of some sort that they tried to sneak into the new version, but someone forgot that their own software would catch it trying to phone home. Now they have egg on their face and are trying to cover it up.

(2) 4chan/Anonymous have decided it is more fun to pick on crappy software companies than it is to pick on the Church of Scientology, and picked a random binary to clog up Symantec's forums with threads about. Symantec has responded in a fairly understandable manner and decided that since almost all people talking about pifts.exe are just annoying troublemakers and bots, they'll just remove the posts and ban the posters.

I have no idea if either of these is correct, anyone have any evidence for/against?

posted by : Ken, 10 March 2009
Versions?

Damn, this is probably bad. Does anyone know which versions of AV it's affecting? I've got norton av 2007 installed on various setups, I haven't been called yet because nothing wrong has happened, as of now. I hope it's just a CF and not them spying on my users.

posted by : Jose Miguel, 10 March 2009
google news co-conspirator

This article has disappeared from Google News when searching for pifts. It was there 2 hours ago.

posted by : mogwai, 10 March 2009
Norton forums

The Norton forums are now down for maintenance. Coincidence? Hmm...

posted by : DS, 10 March 2009
oh ffs

"We took down our whole intranet and extranet connection for as long as we do not know what this software is doing. I'm on to regret the decision to use Norton..."

Jeez. Get a grip. What saddoes are out there. But on the other hand, I don't want to feel left out. Could someone please advise how I jump on this speculative bandwagon as soon as possible?

posted by : lansalot, 10 March 2009
Why won't Symantec just settle it?

Even if this PIFTS.exe thing is benign, why won't Symantec just come out and tell us what the heck this is, rather than deleting every single post relating to it? I mean, this may be some notification thing that just got out of hand, and the forum managers at Symantec said "Dang it, ten gazillion people are flooding our boards, just delete all the posts that mention it". But they have to know that it looks bad.

This is, of course, assuming that nothing sinister is actually going on...

posted by : David R., 10 March 2009
Anonymous interested in this too.

I also went to the Norton forums to find out what was going on. I posted a thread about pifts.exe and it was removed within one minute of my posting. I was also IP banned from the Norton site.

Oh well, at least there are proxies.

Also, it seems Anonymous are on the case with this one and have been spamming the Norton Forums to keep the mods over there on their toes.

posted by : Black Bright, 10 March 2009
pifts.exe

Hi, I'm Greg Mayer from a German company.
We took down our whole intranet and extranet connection for as long as we do not know what this software is doing.
I'm on to regret the decision to use Norton...

posted by : Greg Mayer, 10 March 2009
Research DONE

The file itself contacts two IP addresses, North Africa and Washington DC. It goes offshore because there's no law forbidding sending it to foreign governments. If governments want to spy on their own citizens, it is normal for them to have foreigners do it in order to get around normal restrictions about spying on their own people.

posted by : J, 10 March 2009
Do your research

It's not African. But the rest is true. Norton banned me entirely from their site for one polite inquiry about PIFTS.

posted by : Eliza, 10 March 2009