Author Topic: Info on mysterious executable stonewalled by Symantec?  (Read 8055 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Info on mysterious executable stonewalled by Symantec?
« on: March 10, 2009, 07:23:17 PM »
Hi malware fighters,

All information on a mysterious executable in their updater was suddenly taken off the forums and the Internet: http://it.slashdot.org/article.pl?sid=09/03/10/139229
This is real security through obscurity. What is this PIFTS PIFTS.EXE?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

CharleyO

  • Guest
Re: Info on mysterious executable stonewalled by Symantec?
« Reply #1 on: March 10, 2009, 07:59:48 PM »
***

More information at the SANS link below.

http://isc.sans.org/diary.html?storyid=5992


***

Offline polonus

Re: Info on mysterious executable stonewalled by Symantec?
« Reply #2 on: March 10, 2009, 08:12:37 PM »
Hi CharleyO,

Here you can have a look at what it does in SafeHex:
http://pastebin.com/m1e207a78
That it resolves to swapdrive is also interesting, though, in that they may be sending our information out to be stored on their servers in Washington.

For those who don't know, Yahoo, Symantec, and Swapdrive (being owned by Symantec) are all basically the same company now or very closely linked anyway.

Could be something quite benign, could not be, but cleaning up all the Google traces later is making people curious,
Quote
WARNING:

We've been sent an example of a web page targeting the term "PIFTS.exe" along with other popular search terms that lead to obfuscated javascript that leads in turn to actual malware.

Take care if you search for this: you might find the bad guys out there taking advantage of our interest in PIFTS.exe already.

At the time of writing the page we were notified about was not (anymore?) indexed in google, but YMMV,

polonus
« Last Edit: March 10, 2009, 08:23:58 PM by polonus »

Offline polonus

Re: Info on mysterious executable stonewalled by Symantec?
« Reply #3 on: March 10, 2009, 09:03:42 PM »
Hi malware fighters,

Symantec's spokesman Cole said the PIFTS file was part of a "diagnostics patch" shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.

"We have to make sure before we migrate users to a new product that we can see what kind of load we can expect on our servers, and which customers are going to have to be moved up to the latest version of our product," Cole said.

The removal of the forum threads was because newly registered users tried to abuse these, and that is always taken off immediately.

Users beware of variants of PIFTS.exe on the Internet, because these could contain malicious code as miscreants like to jump to the occasion spreading their malicious creations, and it could well cause your good old computer to go really pfffffftttt, Re: http://www.sophos.com/blogs/gc/

polonus
« Last Edit: March 10, 2009, 09:33:12 PM by polonus »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89059
  • No support PMs thanks
Re: Info on mysterious executable stonewalled by Symantec?
« Reply #4 on: March 10, 2009, 09:18:54 PM »
What an absolute load of rubbish.

There is no correlation between the number of users they have and those that might, just might, upgrade to Windows 7, and if they do, would they, after this fiasco, trust them to be open and above board?

I think they got caught with their fingers in the cookie jar and are hunting for an excuse.

They could just as easily have said all customers need to migrate, as that is about as much use as who of their existing customers might upgrade to Windows 7, possibly 9-12 months away.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48564
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Info on mysterious executable stonewalled by Symantec?
« Reply #5 on: March 10, 2009, 09:34:52 PM »
I seem to recall a company that produced CD and DVD players etc.
that got caught in the famous "DRM" scandal.
Is it now Symantec's turn to lose millions because they can't tell the truth ???
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Hally

  • Guest
Re: Info on mysterious executable stonewalled by Symantec?
« Reply #6 on: March 10, 2009, 09:39:20 PM »

Hi  :)


What a load of... Hogwash!  ::)

I'm So Glad I killed NIS 09 ... & ... Installed Avast Instead  ;)

First the Ask Toolbar .. & .. Now This!

I reckon I had a lucky escape.
Got Rid.. Just In Time!  ;D

Mr.Agent

  • Guest
Re: Info on mysterious executable stonewalled by Symantec?
« Reply #7 on: March 10, 2009, 09:47:04 PM »
Good, you can always scan your PC for viruses, and if you want a firewall let us know, or if you've got Windows Firewall then nothing to say lol

Hally

  • Guest
Re: Info on mysterious executable stonewalled by Symantec?
« Reply #8 on: March 10, 2009, 10:00:31 PM »
Hi Mr.Agent  :)

Quote
Good, you can always scan your PC for viruses, and if you want a firewall let us know, or if you've got Windows Firewall then nothing to say lol

Yep! .. I've got a Firewall  ;)

At the moment I'm using - PC Tools Firewall Plus
Need an easy one!
As I'm not so clever when it comes to Firewall stuff  :-[

Only Trouble Is...
Symantec have bought - PC Tools Firewall Plus  ::)

Any Funny Business...
And I'm just hoping that the New Firewall Avast is making.. Is a good un  ;)
As long as Avast doesn't make their new Firewall too complicated - Like.. e.g. Comodo 


Thanks!
« Last Edit: March 10, 2009, 10:03:50 PM by Hally »

Mr.Agent

  • Guest
Re: Info on mysterious executable stonewalled by Symantec?
« Reply #9 on: March 10, 2009, 10:14:21 PM »
Ya, I also hope it will be good. Don't worry, they know what they do, I'm sure.

Offline polonus

Re: Info on mysterious executable stonewalled by Symantec?
« Reply #10 on: March 10, 2009, 10:36:50 PM »
Hi posters in this thread,

Now aren't you all glad now to be part of this big avast family?
Well at least I am, and that is a sure thing..

polonus

Hally

  • Guest
Re: Info on mysterious executable stonewalled by Symantec?
« Reply #11 on: March 10, 2009, 10:40:16 PM »

Hi polonus  :)

Quote
Now aren't you all glad now to be part of this big avast family?

I Sure Am!  ;)


Mr.Agent

  • Guest
Re: Info on mysterious executable stonewalled by Symantec?
« Reply #12 on: March 10, 2009, 10:41:34 PM »
Yes I do, no cons to say

Offline polonus

Re: Info on mysterious executable stonewalled by Symantec?
« Reply #13 on: March 11, 2009, 12:29:49 AM »

Online DavidR

Re: Info on mysterious executable stonewalled by Symantec?
« Reply #14 on: March 11, 2009, 01:16:40 AM »
The bit I found interesting was that if the diagnostic patch (huh) had been signed it would have sailed through the firewall; presumably they are talking about the NIS firewall.

Has no one told Symantec some malware authors also have signed malware? Nothing should be allowed out, signed or otherwise, and it should be challenged the first time it attempts to get an internet connection. Otherwise this drives a coach and horses through NIS's supposed internet security.

All in all they have shot themselves in the foot, as far from a diagnostic patch it could well put their users at risk trying to find information on this and stumbling upon a malicious site exploiting the poorly thought out action of pushing out this so-called diagnostic patch.