Looking for norton sample - pifts.exe


22 replies to this topic

#1 Grinler (Lawrence Abrams)
Admin, 43,640 posts, Gender: Male, Location: USA

Posted 10 March 2009 - 10:38 AM

I am looking for a file sample from Norton anti-virus products. If you are running a Norton product such as Norton Antivirus, Norton 360, etc., can you please search for the pifts.exe file, and if it exists, please submit a sample to me using the following instructions:

Go to this link:

Submit Sample

Fill in the required fields, then click on the Browse button and browse to this file on your desktop. Finally click on the Send File button.

Reports state that the file is located in a folder under this directory:

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\

Thanks a lot.


#2 Fase
Members, 12 posts

Posted 10 March 2009 - 10:46 AM

You can get it here:
http://www.mediafire.com/?mnmh35b9d0k

I have submitted it as well.

Edited by Fase, 10 March 2009 - 10:47 AM.


#3 Fase
Members, 12 posts

Posted 10 March 2009 - 11:00 AM

Connection report:

No.  Time      Source          Destination     Protocol  Info
  1  0.000000  192.168.0.2     192.168.0.1     DNS       Standard query A stats.norton.com
  2  0.138062  192.168.0.1     192.168.0.2     DNS       Standard query response A 67.134.208.160
  3  2.684462  192.168.0.2     67.134.208.160  TCP       iad3 > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
  4  3.136836  67.134.208.160  192.168.0.2     TCP       http > iad3 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460
  5  3.143251  192.168.0.2     67.134.208.160  TCP       iad3 > http [ACK] Seq=1 Ack=1 Win=17520 Len=0
  6  3.223465  192.168.0.2     67.134.208.160  HTTP      GET /n/p?module=2667&product=unknown&version=-1&e=-1&f=-1&g=-1&h=-1&i=0&j=-1 HTTP/1.1
  7  3.338542  67.134.208.160  192.168.0.2     HTTP      HTTP/1.1 200 OK
  8  3.348509  67.134.208.160  192.168.0.2     TCP       http > iad3 [FIN, ACK] Seq=122 Ack=141 Win=4520 Len=0
  9  3.354871  192.168.0.2     67.134.208.160  TCP       iad3 > http [ACK] Seq=141 Ack=123 Win=17399 Len=0
 10  3.852072  192.168.0.2     67.134.208.160  TCP       iad3 > http [FIN, ACK] Seq=141 Ack=123 Win=17399 Len=0
 11  4.130098  67.134.208.160  192.168.0.2     TCP       http > iad3 [ACK] Seq=123 Ack=142 Win=4520 Len=0


#4 Grinler (Lawrence Abrams)
Topic Starter, Admin, 43,640 posts, Gender: Male, Location: USA

Posted 10 March 2009 - 11:16 AM

Thanks, got it!

#5 Grinler (Lawrence Abrams)
Topic Starter, Admin, 43,640 posts, Gender: Male, Location: USA

Posted 10 March 2009 - 11:20 AM

Fase, was it you who submitted the sample to mediafire? If so, if you follow the GET request in Wireshark, can you post what the response by the server is?

#6 Grinler (Lawrence Abrams)
Topic Starter, Admin, 43,640 posts, Gender: Male, Location: USA

Posted 10 March 2009 - 11:22 AM

Got it.

From the Wireshark logs, my guess is that it is used by Norton to see how many times a particular database update or patch was installed.

GET /n/p?module=2667&product=unknown&version=-1&e=-1&f=-1&g=-1&h=-1&i=0&j=-1 HTTP/1.1
User-Agent: PATCH021809DB
Host: stats.norton.com

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Tue, 10 Mar 2009 16:20:40 GMT
Connection: close
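
Parsing the capture lines from post #3 together with the request and response headers in this post, as an added example that is not code from the thread, from BleepingComputer or from Symantec. The function names (parse_packet_list, dns_answers, http_requests, parse_http_exchange, summarize) are my own; the sample input is the text quoted in this thread, embedded inline so the script runs offline. It cross-checks what a practitioner would want to know about a "stats" beacon: that the Host header is the name that was resolved over DNS, that the GET actually went to the address DNS answered with, which parameters were reported, and that the server returned an empty body.

```python
"""Reconstruct what pifts.exe sent from the capture posted in this thread."""
import re
from urllib.parse import parse_qs, urlsplit

# Wireshark packet list as posted (No. Time Source Destination Protocol Info);
# columns are whitespace-separated and the Info column itself contains spaces.
PACKET_LIST = """\
1 0.000000 192.168.0.2 192.168.0.1 DNS Standard query A stats.norton.com
2 0.138062 192.168.0.1 192.168.0.2 DNS Standard query response A 67.134.208.160
3 2.684462 192.168.0.2 67.134.208.160 TCP iad3 > http [SYN] Seq=0 Win=16384 Len=0 MSS=1460
4 3.136836 67.134.208.160 192.168.0.2 TCP http > iad3 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460
5 3.143251 192.168.0.2 67.134.208.160 TCP iad3 > http [ACK] Seq=1 Ack=1 Win=17520 Len=0
6 3.223465 192.168.0.2 67.134.208.160 HTTP GET /n/p?module=2667&product=unknown&version=-1&e=-1&f=-1&g=-1&h=-1&i=0&j=-1 HTTP/1.1
7 3.338542 67.134.208.160 192.168.0.2 HTTP HTTP/1.1 200 OK
8 3.348509 67.134.208.160 192.168.0.2 TCP http > iad3 [FIN, ACK] Seq=122 Ack=141 Win=4520 Len=0
"""

# Request and response headers exactly as posted; one blank line separates them.
HTTP_EXCHANGE = """\
GET /n/p?module=2667&product=unknown&version=-1&e=-1&f=-1&g=-1&h=-1&i=0&j=-1 HTTP/1.1
User-Agent: PATCH021809DB
Host: stats.norton.com

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Tue, 10 Mar 2009 16:20:40 GMT
Connection: close
"""

DNS_QUERY = re.compile(r"Standard query A (\S+)")
DNS_RESPONSE = re.compile(r"Standard query response A (\S+)")


def parse_packet_list(text):
    """Split each packet-list line into its six columns; Info keeps its spaces."""
    packets = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # blank or truncated line
        no, t, src, dst, proto, info = parts
        packets.append({"no": int(no), "time": float(t), "src": src,
                        "dst": dst, "proto": proto, "info": info})
    return packets


def dns_answers(packets):
    """Pair each A query with the response that follows it: name -> address."""
    resolved, pending = {}, None
    for p in packets:
        if p["proto"] != "DNS":
            continue
        m = DNS_RESPONSE.search(p["info"])
        if m and pending:
            resolved[pending], pending = m.group(1), None
            continue
        m = DNS_QUERY.search(p["info"])
        if m:
            pending = m.group(1)
    return resolved


def http_requests(packets):
    """Return src/dst/method/target for every HTTP request packet in the list."""
    out = []
    for p in packets:
        if p["proto"] == "HTTP" and p["info"].startswith(("GET ", "POST ")):
            method, target, _version = p["info"].split()
            out.append({"src": p["src"], "dst": p["dst"], "method": method, "target": target})
    return out


def parse_http_exchange(text):
    """Parse a raw request block and the response block that follows it."""
    request, response = text.split("\n\n", 1)
    req_lines, resp_lines = request.splitlines(), response.splitlines()
    method, target, _version = req_lines[0].split()
    req_headers = dict(l.split(": ", 1) for l in req_lines[1:] if ": " in l)
    status = int(resp_lines[0].split()[1])
    resp_headers = dict(l.split(": ", 1) for l in resp_lines[1:] if ": " in l)
    url = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"method": method, "path": url.path, "params": params,
            "headers": req_headers, "status": status, "resp_headers": resp_headers}


def summarize(packet_text=PACKET_LIST, http_text=HTTP_EXCHANGE):
    """Cross-check the DNS answer, the TCP destination and the HTTP headers."""
    packets = parse_packet_list(packet_text)
    resolved = dns_answers(packets)
    ex = parse_http_exchange(http_text)
    host = ex["headers"].get("Host")
    reqs = http_requests(packets)
    dst = reqs[0]["dst"] if reqs else None
    return {
        "resolved": resolved,
        "host": host,
        "dst": dst,
        "dst_matches_dns": dst is not None and resolved.get(host) == dst,
        "user_agent": ex["headers"].get("User-Agent"),
        "path": ex["path"],
        "params": ex["params"],
        "status": ex["status"],
        "content_length": int(ex["resp_headers"].get("Content-Length", "0")),
    }


if __name__ == "__main__":
    s = summarize()
    print(f"{s['host']} -> {s['resolved'].get(s['host'])} "
          f"(GET sent to {s['dst']}, match={s['dst_matches_dns']})")
    print("user-agent:", s["user_agent"], "| status:", s["status"],
          "| body bytes:", s["content_length"])
    for k, v in s["params"].items():
        print(f"  {k} = {v}")
```

Run as a script it prints the resolved name, whether the GET went to the resolved address, the User-Agent and the nine query parameters. The same cross-check applied to a real Wireshark export is what tells you whether a beacon went where its Host header claims; a mismatch between the DNS answer and the TCP destination would be the thing worth chasing, and a 200 with Content-Length 0 is consistent with Grinler's reading that nothing is downloaded, only reported.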


#7 Fase
Members, 12 posts

Posted 10 March 2009 - 12:09 PM

> Fase, was it you who submitted the sample to mediafire? If so, if you follow the GET request in Wireshark, can you post what the response by the server is?


No, I was not the one who submitted it to mediafire; someone else did upon requests on other forums.

pcap for wireshark:
http://anubis.iseclab.org/?action=result&a...ad=traffic.pcap

Edited by Fase, 10 March 2009 - 12:09 PM.


#8 Fase
Members, 12 posts

Posted 10 March 2009 - 12:12 PM

> Got it.
> 
> From the Wireshark logs, my guess is that it is used by Norton to see how many times a particular database update or patch was installed.
> 
> GET /n/p?module=2667&product=unknown&version=-1&e=-1&f=-1&g=-1&h=-1&i=0&j=-1 HTTP/1.1
> User-Agent: PATCH021809DB
> Host: stats.norton.com
> 
> HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Content-Length: 0
> Date: Tue, 10 Mar 2009 16:20:40 GMT
> Connection: close



Although after my analysis it looks harmless, it explains nothing as to why Symantec/Norton/ZoneAlarm/Google/etc. are all trying to hide this and silence it. Either this is an auto updater for something to come in the future or they are trying to create fake paranoia for some unknown reason.

Note I've only looked at network communication for the file, I never checked what system files it accesses but apparently it looks for Google/MS Live searches as well as IE history but I can't verify that.

Edited by Fase, 10 March 2009 - 12:14 PM.


#9 Fase
Members, 12 posts

Posted 10 March 2009 - 12:18 PM

Virus scanning for PIFTS.exe can be found here:
http://www.virustotal.com/analisis/734465e...493471d77940f4c
Which finds it to be safe.

Edited by Fase, 10 March 2009 - 12:19 PM.


#10 Grinler (Lawrence Abrams)
Topic Starter, Admin, 43,640 posts, Gender: Male, Location: USA

Posted 10 March 2009 - 12:19 PM

Not sure if all those companies are in cahoots. What makes you think ZA and Google are involved? It appears that the ZA threads are still live.

I will check on file access, but right now it's just pinging their servers when a new update is installed.

#11 Grinler (Lawrence Abrams)
Topic Starter, Admin, 43,640 posts, Gender: Male, Location: USA

Posted 10 March 2009 - 12:29 PM

This is undoubtedly a legitimate file. Its use is what is in question.

#12 Fase
Members, 12 posts

Posted 10 March 2009 - 12:33 PM

> Not sure if all those companies are in cahoots. What makes you think ZA and Google are involved? It appears that the ZA threads are still live.
> 
> I will check on file access, but right now it's just pinging their servers when a new update is installed.


People's posts and threads were being deleted on Norton's forum, as well as users being banned.
Apparently, some people were saying their threads were being removed on ZoneAlarm's forum as well, although a lot are still there.
Google trends for yesterday show high searches for PIFTS.exe:
http://www.google.com/trends/hottrends?q=p...09-3-9&sa=X
But today, nothing:
http://www.google.com/trends?q=pifts.exe&ctab=0
Earlier this morning, people were saying that there were little to no results on Google for PIFTS.exe which doesn't seem to be the case now.


Some suspicious stuff:

FBI's keylogging program:
http://en.wikipedia.org/wiki/Magic_Lantern_(software)
FBI working with Symantec

Symantec, Norton AntiVirus Products
Symantec, the makers of Norton AntiVirus and related products, is reportedly working with the FBI on ways to preclude their products from detecting Magic Lantern. Eric Chien, a top researcher at Symantec, emphasized the ability to detect "modified versions."[9]


The Qwest link which PIFTS.exe connects to:
http://en.wikipedia.org/wiki/Qwest
http://www.qwest.com/largebusiness/industr...govt/index.html

which:

NSA spying
In May 2006, USA Today reported that millions of telephone calling records had been handed over to the United States National Security Agency by AT&T Corp., Verizon, and BellSouth since September 11, 2001. This data has been used to create a database of all international and domestic calls. Qwest was allegedly the lone holdout, despite threats from the NSA that their refusal to cooperate may jeopardize future government contracts,[7] a decision which has earned them praise from those who oppose the NSA program.[8]
U.S. District Judge Anna Diggs Taylor on August 17, 2006 ruled that the government's domestic eavesdropping program is unconstitutional and ordered it ended immediately. The Bush Administration has filed an appeal in the case which has yet to be heard in court.[9]
Former Qwest CEO Joseph Nacchio, who was convicted of insider trading in April 2007, alleged in appeal documents that the NSA requested that Qwest participate in its wiretapping program more than six months before September 11, 2001. Nacchio recalls the meeting as occurring on February 27, 2001. Nacchio further claims that the NSA cancelled a lucrative contract with Qwest as a result of Qwest's refusal to participate in the wiretapping program.[10]
A social media experiment and website covering the Qwest holdout, Thank you Qwest dot Org, built by Netherlands-based Webmaster Richard Kastelein and American Expatriate Journalist Chris Floyd, was covered by the CNN Situation Room,[11]USA Today,[12]New York Times,[13][14]International Herald Tribune,[15]Denver Post,[16][17]News.com, [18] and the Salt Lake Tribune [19]


The address in the pcap log:
http://ip-lookup.net/?ip=67.134.208.160
http://www.ip-adress.com/ip_tracer/67.134.208.160

Qwest Communications Corporation QWEST-INET-11 (NET-67-128-0-0-1)
67.128.0.0 - 67.135.255.255
SwapDrive QWEST-IAD-SWAPDRIVE4 (NET-67-134-208-128-1)
67.134.208.128 - 67.134.208.255

And Symantec has owned SwapDrive since last year:
http://www.techcrunch.com/2008/06/10/syman...or-123-million/

And a few days ago the Chief of the NSA resigns:
http://online.wsj.com/article/SB123638468860758145.html

Edited by Fase, 10 March 2009 - 12:47 PM.
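
Checking which of the two netblocks quoted above actually contains 67.134.208.160, as an added example that is not code from the thread. The names parse_ranges, most_specific_owner and cidrs are my own; the range lines are the ones pasted in this post, embedded inline. The point it shows is that the SwapDrive assignment is a sub-block of the Qwest allocation, so a naive "first range that contains the address" lookup would attribute the address to Qwest, while longest-prefix matching reports the more specific holder.

```python
"""Which quoted netblock contains the address the beacon was sent to?"""
import ipaddress
import re

# Netblock lines as quoted above: a holder line followed by its "start - end" line.
WHOIS_RANGES = """\
Qwest Communications Corporation QWEST-INET-11 (NET-67-128-0-0-1)
67.128.0.0 - 67.135.255.255
SwapDrive QWEST-IAD-SWAPDRIVE4 (NET-67-134-208-128-1)
67.134.208.128 - 67.134.208.255
"""

RANGE_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)$")


def parse_ranges(text):
    """Return [(holder, [ip_network, ...])]; each range becomes one or more CIDRs."""
    entries, holder = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = RANGE_LINE.match(line)
        if m and holder is not None:
            start = ipaddress.ip_address(m.group(1))
            end = ipaddress.ip_address(m.group(2))
            # summarize_address_range gives the minimal CIDR cover of start..end
            entries.append((holder, list(ipaddress.summarize_address_range(start, end))))
        elif not m:
            holder = line  # any non-range line names the holder of the next range
    return entries


def most_specific_owner(ip, entries):
    """Return (holder, "a.b.c.d/len") for the longest-prefix block containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for holder, nets in entries:
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (holder, net)
    return None if best is None else (best[0], str(best[1]))


def cidrs(entries):
    """Flatten parsed entries to {holder: ["cidr", ...]} for display."""
    return {holder: [str(n) for n in nets] for holder, nets in entries}


if __name__ == "__main__":
    entries = parse_ranges(WHOIS_RANGES)
    for holder, blocks in cidrs(entries).items():
        print(holder, "->", ", ".join(blocks))
    print("67.134.208.160 is in", most_specific_owner("67.134.208.160", entries))
```

The Qwest range collapses to a single /13 and the SwapDrive range to a /25 nested inside it; for 67.134.208.160 the /25 wins, which is consistent with the whois output quoted above. An address such as 67.130.1.1 falls only in the /13 and is attributed to Qwest.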


#13 Grinler (Lawrence Abrams)
Topic Starter, Admin, 43,640 posts, Gender: Male, Location: USA

Posted 10 March 2009 - 01:01 PM

Sounds too much like a conspiracy theory.

I just monitored the files and folders that pifts.exe accesses when it runs, and it is not doing anything fishy. It does open your IE cookies, favorites, and history folders but that is most likely due to its use of common controls for internet access and not by any direct behavior of the program.

I am pretty sure this is nothing more than a statistical program that is used to let Norton know what updates are being installed and the success.

#14 Grinler (Lawrence Abrams)
Topic Starter, Admin, 43,640 posts, Gender: Male, Location: USA

Posted 10 March 2009 - 01:12 PM

Also see this info about swapdrive:

http://www.internetnews.com/bus-news/print.php/468731

They are located in Washington, so their servers are probably there. Not uncommon, as there are huge datacenters in Washington.

http://searchdatacenter.techtarget.com/new...1255876,00.html

Other datacenters are: Rackspace, SoftLayer, Equinix.

If you look deep enough you can find a conspiracy theory in anything.

#15 Fase
Members, 12 posts

Posted 10 March 2009 - 01:15 PM

The most puzzling thing is simply why Norton would remove all talk about this file, delete anything about it and ban anyone who mentions it. They are apparently expected to make a public announcement soon today.



