Something is rotten in the state of security.
Users of Symantec’s Norton AV have been reporting instances of a file named PIFTS.exe trying to connect out to the Norton updates.
This wouldn’t be news in and of itself, but it seems that Symantec doesn’t want to discuss the issue. All questions regarding PIFTS are removed from the message board within minutes of being posted. Some users have been banned after attempting to repost.
Since they can’t turn to Symantec for answers, many users have turned to the communal knowledge of the web. Unfortunately, the bad guys have also noticed the influx of searches for PIFTS.exe and some of the top results in Google are actually malicious, attempting to infect any visitors with rogue anti-virus Malware. DO NOT DOWNLOAD ANYTHING from those sites.
ThreatExpert has a breakdown of PIFTS and its attempt to phone home here
VirusTotal shows no hits
Brian Krebs @ The Washington Post is trying to get some answers.
SANS Internet Storm Center writes that they’ve been contacted by a Symantec employee who claimed ownership of the file and tried to make clear that it isn’t intended to do any harm.
Nice of them to respond…
But won’t they let people talk about it on the msg boards?
Why the secrecy Symantec?
**Update** (courtesy of Brian Krebs @ The Washington Post)
“David Cole, senior director of product management at Symantec, said the PIFTS file was part of a ‘diagnostics patch’ shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.”
As to why Symantec was deleting forums posts and banning users for mentioning PIFTS, Cole says, “hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments.”
This is a lame excuse. Though the forums do seem to have been hit by the 4chan crowd, the first people to ask questions were very polite and straightforward. They asked simple questions, like ‘hey, how come part of your software wants to access the Internet?’
Not exactly ban-worthy behaviour.
A forum moderator could have simply (easily!) answered the question and closed the thread. Wouldn’t that have saved everyone a lot of trouble?