BleepingComputer.com: Debunking the Norton pifts.exe conspiracies

whos smart that uses norton?

let's focus there. In this blog post they state that one of the IP addresses that pifts.exe connects to is 67.134.208.160 and the other is 207.46.248.249. Well, 67.134.208.160 is simply the IP address of stats.norton.com.

Who is Qwest communications?

Grinler, on Mar 10 2009, 03:05 PM, said:

Hey Grinler,

But who does 67.134.208.160 belong to?
Whois doesn't look anything like Norton. Why is it connecting to a company other than Norton? Who is Qwest communications?

Personally, I've never been a conspiracy nut. I disdain the foil hat. But once you start looking into Qwest and its connections... man this thing just gets 58 different flavors of fishy.

Fascinating, they call it a simple update? It is not.

The program analyzed: http://anubis.iseclab.org/?action=result&a...amp;format=html

It clearly goes through and scrapes your history, temp files, cookies, etc, and it tries to contact a shady online storage place they recently acquired. Let's do a lookup on swapdrive! 67.134.208.160:80 is where PIFTS.exe asks to connect to.

Domain Name: SWAPDRIVE.COM

Administrative Contact:
Wallace, Marc
Web Data Group, LC
PO BOX 7241
ARLINGTON, VA 22207-0241
US
703-352-1578

www.webdatagroup.com

Click on " Competitive intelligence." Interesting! They talk about military intelligence gathering right on the page. So this "update" is scraping internet history and temp data and trying to contact a company who does online storage with shady ties to intelligence gathering. If it is datamining, Americans need not be surprised, we had AT&T do it on our phones and some act as if our computers are immune. Hey, let's look more into one of the owners of Swapdrive in the Web Data Group! There are more interesting people than Marc Wallace.

www.spoke.com...

"Roland Schumann is a former military intelligence officer, having served both on active duty and in the reserves. Trained in unconventional warfare and electronic intelligence gathering, he also has practical experience in airborne operations, human intelligence (HUMINT), counter-intelligence, and counter-terrorism. He has performed risk analyses in Latin America for the US government and in the United States for commercial and government interests."

It is helped to be run by a former military intelligence officer. So there you have it, you have very shady actions by Symantec regarding the whole thing making people suspicious by deleting any mention of it, they claim it is a simple update, and when we dive into it, we find out it scrapes your internet history and temp files, interfaces with Google Desktop (G O E C 6 2 ~ 1 . D L L ), and then where does it try to go? It tries to jump straight to Swapdrive (we know this because it asked permission to go to 67.134.208.160:80, which is Swapdrive). Who owns swapdrive? The Web Data Group based out of Arlington (wow, the same place the Pentagon is located, what a coincidence) who has a statement about using military intelligence information gathering right on their website and who has owners with shady backgrounds as army intelligence officers, and when Symantec is asked about PIFTS.exe, it immediately tries to cover it up and deletes everything related to it in a very suspicious fashion. Follow the trail, do some research, dig around.

Oh no folks, move along, certainly nothing interesting to see here!

A new statement has been released, this time regarding exactly what PIFTS.EXE does. Here is the direct statement:

"PIFTS.exe or Product Information Framework Troubleshooter

This entry was created to answer the following key questions around PIFTS.exe:

- What is PIFTS.exe?
- What is the function of PIFTS.exe?
- What information does PIFTS.exe collect?

Norton security products contain a component called Product Information Framework (PIF), and a feature called LiveUpdate Notice (LUN).

LUN is an in-product messaging mechanism that is used to notify customers when new product versions are available. The messaging is targeted to particular systems based on product version, operating system version, and product state, and this state is determined by the PIF component.

For instance, LUN was used to notify users when a Vista compatible version of their product became available, and LUN will again be used to notify users when a Windows 7 compatible version of their product becomes available.

LUN is fully integrated into 2008 and later products, but is a standalone component in 2006 and 2007 products. LUN became available after the 2006 and 2007 products shipped, and was added to the 2006 and 2007 products using LiveUpdate (LU).

Symantec is aware of a problem affecting some 2006 and 2007 products where a subsequent PIF update did not successfully apply. The cause of this problem is currently under investigation, but the result is that these users may not receive appropriate LUN messaging.

To assist with identifying the extent, and potential cause, of the problem, Symantec created an investigative executable that analyzes the Norton product state, and reports the details to Symantec. This information will help Symantec to identify and correct the problem with PIF, in time for the Windows 7 release.

Product Information Framework Troubleshooter (PIFTS) executable details:

File name: PIFTS.EXE
File size: 102400 bytes
MD5 hash: 91b564d825a3487ae5b5fafe57260810

The PIFTS.EXE binary was released through LiveUpdate targeting 2006 and 2007 products. After downloading the LU package, LU executes PIFTS.EXE, and PIFTS.EXE collects product state information, and reports this information to Symantec.

PIFTS.EXE does the following:

- Determines what product is installed, NIS, NAV, N360, NCO, or NSW, by looking under the HKLM\Software\Symantec\InstalledApps registry key.
- Determines the version of the installed product by looking at the file version information of a key product file.
- Determines if PIF is installed by looking under the HKLM\Software\Symantec\InstalledApps registry key.
- Determines the version of PIF by looking at the file version information of two key PIF files.
- Determines if PIF is enabled, and what the PIF state is, by looking at the PIF registry under HKLM\Software\Symantec.
- Determines the version of PIF that LiveUpdate believes is installed, by reading the LU catalog.
- The collected information, as described above, is reported to a Symantec server, called stats.norton.com, using an HTTP GET request. This server is located at a Symantec datacenter located on the East Coast of the United States.

No additional information is collected, no personal information is collected, and no system modifications are made."

Now, if you run an analysis of PIFTS.EXE on http://anubis.iseclab.org/, it gives you this warning:

Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web

It seems contradictory, does it not? "No system modifications are made". Yet it changes the security settings of Internet Explorer?

Performs Registry Activities: The executable reads and modifies register values. It also creates and monitors register keys.

What's this? More changes to your system? Even if I don't know for exactly what reasons these changes are made, they still contradict the claim that "No additional information is collected, no personal information is collected, and no system modifications are made." Those sure look like modifications to me.

If there's some sort of system call or function that's been compiled into the executable as part of a framework, it could trigger a report like that on an analysis program, even if the call itself is never actually made. This would really be quite common on many Windows programs. To really know what's going on we need a complete disassembled version of the program to see what calls it's making.