
Debunking the Norton pifts.exe conspiracies


23 replies to this topic

#1 Grinler (Lawrence Abrams), Admin

Posted 10 March 2009 - 02:05 PM

There has been a lot of controversy the past few days over a program called pifts.exe that is bundled with Norton products. This program is said to connect to stats.norton.com and send information from your computer to a remote site. What makes it even stranger is that any topics created to discuss this program in the Norton community forums have been erased. Due to this program's behavior, and Norton's strange activity, a lot of theories have been popping up, from data being sent to Africa to NSA snooping. Personally, I think there is a much simpler explanation.

After reading about this file here and here, I asked around on BleepingComputer.com for one of our users to submit a sample of the file to me. Once I received the file, I ran it on a test box while running a file monitor, to see what it accesses, and Wireshark, to see what it does on the network. What I found was that the program appears to be quite innocent, and from the hostname it connects to, we could have guessed what it does. It appears that when you update Norton it connects to stats.norton.com and lets the server know that someone has installed an update, what the update was, what program it was for, and whether it was successful. Now, I am not saying that Norton should be contacting one of their servers and reporting this type of information without a user's permission or even knowledge, but there is no conspiracy between Norton, Google, Microsoft, African nations, and little green men.

Now, let's get to the conspiracy theory debunking. As most of the theories seem to be coming from a certain blog post at Tech-linkblog.com, let's focus there. In this blog post they state that one of the IP addresses that pifts.exe connects to is 67.134.208.160 and the other is 207.46.248.249. Well, 67.134.208.160 is simply the IP address of stats.norton.com. The second IP address has nothing to do with Norton and is instead related to the Windows Search Companion in Windows XP. I have absolutely no idea how they came up with either of those IP addresses being related to Africa.

Another part of the conspiracy is the repeated use of the PADDINGXX string found in the pifts.exe executable, which I confirmed does indeed have that repeated string appended to the file. After some research, I learned that an executable having repeated PADDINGXX strings, as explained here, is caused by the programming function called UpdateResource. Basically, this function is used to change a string found in an executable at runtime. A side-effect of using this function is that it adds all of those PADDINGXX sequences to the executable. This is just a quirk of using this function and nothing devious.

So, all in all, pifts.exe is nothing but a huge PR blunder by Norton. Here they are, a computer security products company, and they are sending information to a remote computer without your knowledge or permission. When users find out about it, instead of answering their queries, they make the mistake of deleting them. Without a doubt we will be hearing from Norton soon regarding this program and I am sure it will be nothing more than a stupid mistake on their part. Only time will tell.

Thoughts?
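The PADDINGXX check described in the post above, as an added example that is not part of the original thread or of any Norton code: it finds every contiguous run of the nine-byte PADDINGXX marker in a file, reports where each run sits, and notes whether the last run ends exactly at end-of-file (the appended overlay the post describes). The sample bytes are constructed for the example; point scan_file at a real binary to get the same summary.

```python
import re

# Marker that UpdateResource leaves behind when it rewrites a PE's resource
# section (the post above attributes the repeated string to that API).
PADDING_UNIT = b"PADDINGXX"


def find_padding_runs(data: bytes, min_units: int = 2):
    """Return (offset, length_in_bytes, units) for every contiguous run of
    PADDINGXX repeated at least min_units times."""
    pattern = re.compile(b"(?:" + re.escape(PADDING_UNIT) + b"){%d,}" % min_units)
    runs = []
    for m in pattern.finditer(data):
        length = m.end() - m.start()
        runs.append((m.start(), length, length // len(PADDING_UNIT)))
    return runs


def padding_summary(data: bytes) -> dict:
    """Aggregate the runs: how much of the file is filler, and whether the
    last run sits at the very end of the file, which is where an appended
    resource update typically leaves it."""
    runs = find_padding_runs(data)
    total = sum(length for _, length, _ in runs)
    ends_at_eof = bool(runs) and runs[-1][0] + runs[-1][1] == len(data)
    return {
        "runs": len(runs),
        "padding_bytes": total,
        "padding_fraction": total / len(data) if data else 0.0,
        "ends_at_eof": ends_at_eof,
    }


def scan_file(path: str) -> dict:
    """Convenience wrapper for a real binary on disk."""
    with open(path, "rb") as fh:
        return padding_summary(fh.read())


# Constructed stand-in for a binary (not a real PE): a fake header and two
# chunks of content separated by UpdateResource-style filler, plus more
# filler appended at the end.
SAMPLE = (
    b"MZ" + b"\x90" * 62
    + b"fake .text content" + b"\x00" * 100
    + PADDING_UNIT * 40
    + b"fake .rsrc content"
    + PADDING_UNIT * 10
)

if __name__ == "__main__":
    for offset, length, units in find_padding_runs(SAMPLE):
        print(f"offset 0x{offset:x}: {units} x PADDINGXX ({length} bytes)")
    print(padding_summary(SAMPLE))
```

A high padding fraction with the last run at end-of-file is consistent with a resource rewrite and says nothing by itself about intent; the useful follow-up is to compare the resource section before and after the update, not to read meaning into the filler.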





#2 Fase, Member

Posted 10 March 2009 - 02:28 PM

Quoting the Washington Post Security Fix blog (http://voices.washingtonpost.com/securityfix/?hpid=news-col-blog):

Update, 2:23 p.m. ET: Dave Cole, senior director of product management at Symantec, said the PIFTS file was part of a "diagnostics patch" shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.

"We have to make sure before we migrate users to a new product that we can see what kind of load we can expect on our servers, and which customers are going to have to be moved up to the latest version of our product," Cole said.

As to why Symantec has been deleting posts about this from their user forum, Cole said the company noticed that minutes after the update went out hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments.

"We want to be out there in the community, but by the same token, if we see abuse we will shut it down pretty quickly," Cole said. "There was no attempt at secrecy here, but people were spamming the forum and making it unusable to everyone."

In Symantec's defense, when I first heard about this earlier this morning, I noted privately to a couple of folks that some of the comments being left on the Symantec forum bore many of the hallmarks of "4Chan," (a.k.a. "anonymous"), a virtual community that thrives on playing practical jokes and causing trouble online. The summary about this incident posted to News-for-nerds site Slashdot this morning links to a key 4Chan forum.

This, in my opinion and that of many others, is a very poor cover-up attempt.

The file seems to go much farther beyond basic "checking your Windows version" as stated.
http://www.cwsandbox.org/?page=report&...;password=xffrt



#3 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 10 March 2009 - 03:02 PM

I still see nothing wrong with the sandbox report. Those file accesses etc are just related to the programs that pifts.exe uses to access the Internet.

#4 Guest_tylerisdabest_*, Guest

Posted 10 March 2009 - 04:25 PM

Who's smart that uses Norton?

#5 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 10 March 2009 - 05:28 PM

When searching for information on pifts.exe, please be careful. Some malware purveyors have started to take advantage of this hot topic and are adding themselves to the search indexes for this term. When you go to their pages, you will instead be prompted to install rogue anti-spyware programs, or they will try to exploit you to install malware.

Please only visit known sites or ones that you looked up with:

Siteadvisor
Web of Trust

#6 scff249, Member

Posted 10 March 2009 - 05:49 PM

Quoting tylerisdabest: Who's smart that uses Norton?

Me.

I don't have problems with it. Of course, I may install something else once this subscription is up. Whether I'll do that or not depends on if I remember to do so.



#7 sho-dan, Member

Posted 10 March 2009 - 06:05 PM

A most excellent read, Grinler. Thanks!

#8 Zingbat, Member

Posted 10 March 2009 - 06:17 PM

Quoting Grinler: let's focus there. In this blog post they state that one of the IP addresses that pifts.exe connects to is 67.134.208.160 and the other is 207.46.248.249. Well, 67.134.208.160 is simply the IP address of stats.norton.com.


Hey Grinler,

But who does 67.134.208.160 belong to?
Whois doesn't look anything like Norton. Why is it connecting to a company other than Norton? Who is Qwest Communications?

Personally, I've never been a conspiracy nut. I disdain the foil hat. But once you start looking into Qwest and its connections... man this thing just gets 58 different flavors of fishy.

#9 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 10 March 2009 - 06:21 PM

67.134.208.160 is part of the IP range of 67.128.0.0 - 67.135.255.255. This range was assigned to Qwest Communications by IANA.

One of Qwest's customers is SwapDrive, which is most likely a colocation customer, meaning SwapDrive rents space in one of Qwest's datacenters. When they colocate, they receive IP addresses from Qwest. The range of IP addresses given to SwapDrive by Qwest is 67.134.208.128 - 67.134.208.255. 67.134.208.160 is part of this range.

SwapDrive is owned by Norton.
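The range arithmetic in the post above, as an added example that is not part of the thread: the two ranges it cites (Qwest's 67.128.0.0 - 67.135.255.255 and SwapDrive's 67.134.208.128 - 67.134.208.255) are turned into CIDR blocks, and an address is attributed to the most specific block covering it, which is how a customer sub-allocation shows up underneath a provider's block in whois. The allocation table is built from the post's figures and is not a live whois lookup; the owner labels are the post's, not verified registry data.

```python
import ipaddress

# Allocation table constructed from the ranges cited in the post above.
# A real check would pull these from the RIR's whois (ARIN for this space).
ALLOCATIONS = [
    ("Qwest Communications", "67.128.0.0", "67.135.255.255"),
    ("SwapDrive (Qwest customer)", "67.134.208.128", "67.134.208.255"),
]


def ranges_to_networks(allocations):
    """Turn (owner, first, last) tuples into (owner, IPv4Network) pairs,
    splitting any range that is not a single CIDR block into several."""
    out = []
    for owner, first, last in allocations:
        first_ip = ipaddress.ip_address(first)
        last_ip = ipaddress.ip_address(last)
        for net in ipaddress.summarize_address_range(first_ip, last_ip):
            out.append((owner, net))
    return out


def ownership_chain(ip, networks):
    """Every allocation covering ip, ordered from least to most specific,
    so a reader can see provider -> customer delegation at a glance."""
    addr = ipaddress.ip_address(ip)
    hits = [(owner, net) for owner, net in networks if addr in net]
    return sorted(hits, key=lambda pair: pair[1].prefixlen)


def most_specific_owner(ip, networks):
    """Longest-prefix match: the most specific allocation wins. Returns
    (owner, network) or None when nothing in the table covers ip."""
    chain = ownership_chain(ip, networks)
    return chain[-1] if chain else None


if __name__ == "__main__":
    nets = ranges_to_networks(ALLOCATIONS)
    for owner, net in nets:
        print(f"{net}  {owner}")
    for ip in ("67.134.208.160", "67.130.1.1", "207.46.248.249"):
        chain = " -> ".join(f"{o} ({n})" for o, n in ownership_chain(ip, nets))
        print(f"{ip}: {chain or 'not in table'}")
```

The point of walking the chain rather than stopping at the first hit is exactly the confusion in the thread: a whois on the address alone shows the provider's /13, and only the sub-delegation record shows the customer.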

#10 Animal, Site Admin

Posted 10 March 2009 - 06:46 PM

Quoting Zingbat: Who is Qwest Communications?

Qwest is formerly US West which was one of the seven 'Baby Bells' after the antitrust breakup of AT&T in 1983.


#11 Magic Lantern, Member

Posted 11 March 2009 - 08:22 AM

Quoting Zingbat:

let's focus there. In this blog post they state that one of the IP addresses that pifts.exe connects to is 67.134.208.160 and the other is 207.46.248.249. Well, 67.134.208.160 is simply the IP address of stats.norton.com.

Hey Grinler,

But who does 67.134.208.160 belong to?
Whois doesn't look anything like Norton. Why is it connecting to a company other than Norton? Who is Qwest Communications?

Personally, I've never been a conspiracy nut. I disdain the foil hat. But once you start looking into Qwest and its connections... man this thing just gets 58 different flavors of fishy.


Speaking of fishy, here's some info I came across from a blog keeping tabs on the situation:

Fascinating, they call it a simple update? It is not.

The program analyzed: http://anubis.iseclab.org/?action=result&a...amp;format=html

It clearly goes through and scrapes your history, temp files, cookies, etc, and it tries to contact a shady online storage place they recently acquired. Let's do a lookup on swapdrive! 67.134.208.160:80 is where PIFTS.exe asks to connect to.

Domain Name: SWAPDRIVE.COM

Administrative Contact:
Wallace, Marc
Web Data Group, LC
PO BOX 7241
ARLINGTON, VA 22207-0241
US
703-352-1578

www.webdatagroup.com

Click on " Competitive intelligence." Interesting! They talk about military intelligence gathering right on the page. So this "update" is scraping internet history and temp data and trying to contact a company who does online storage with shady ties to intelligence gathering. If it is datamining, Americans need not be surprised, we had AT&T do it on our phones and some act as if our computers are immune. Hey, let's look more into one of the owners of Swapdrive in the Web Data Group! There are more interesting people than Marc Wallace.

www.spoke.com...

"Roland Schumann is a former military intelligence officer, having served both on active duty and in the reserves. Trained in unconventional warfare and electronic intelligence gathering, he also has practical experience in airborne operations, human intelligence (HUMINT), counter-intelligence, and counter-terrorism. He has performed risk analyses in Latin America for the US government and in the United States for commercial and government interests."

It helps to be run by a former military intelligence officer. So there you have it, you have very shady actions by Symantec regarding the whole thing making people suspicious by deleting any mention of it, they claim it is a simple update, and when we dive into it, we find out it scrapes your internet history and temp files, interfaces with Google Desktop (GOEC62~1.DLL), and then where does it try to go? It tries to jump straight to Swapdrive (we know this because it asked permission to go to 67.134.208.160:80, which is Swapdrive). Who owns swapdrive? The Web Data Group based out of Arlington (wow, the same place the Pentagon is located, what a coincidence) who has a statement about using military intelligence information gathering right on their website and who has owners with shady backgrounds as army intelligence officers, and when Symantec is asked about PIFTS.exe, it immediately tries to cover it up and deletes everything related to it in a very suspicious fashion. Follow the trail, do some research, dig around.

Oh no folks, move along, certainly nothing interesting to see here!


Also from the same page we read that:

A new statement has been released, this time regarding exactly what PIFTS.EXE does. Here is the direct statement:

"PIFTS.exe or Product Information Framework Troubleshooter

This entry was created to answer the following key questions around PIFTS.exe:

- What is PIFTS.exe?
- What is the function of PIFTS.exe?
- What information does PIFTS.exe collect?

Norton security products contain a component called Product Information Framework (PIF), and a feature called LiveUpdate Notice (LUN).

LUN is an in-product messaging mechanism that is used to notify customers when new product versions are available. The messaging is targeted to particular systems based on product version, operating system version, and product state, and this state is determined by the PIF component.

For instance, LUN was used to notify users when a Vista compatible version of their product became available, and LUN will again be used to notify users when a Windows 7 compatible version of their product becomes available.

LUN is fully integrated into 2008 and later products, but is a standalone component in 2006 and 2007 products. LUN became available after the 2006 and 2007 products shipped, and was added to the 2006 and 2007 products using LiveUpdate (LU).

Symantec is aware of a problem affecting some 2006 and 2007 products where a subsequent PIF update did not successfully apply. The cause of this problem is currently under investigation, but the result is that these users may not receive appropriate LUN messaging.

To assist with identifying the extent, and potential cause, of the problem, Symantec created an investigative executable that analyzes the Norton product state, and reports the details to Symantec. This information will help Symantec to identify and correct the problem with PIF, in time for the Windows 7 release.

Product Information Framework Troubleshooter (PIFTS) executable details:

File name: PIFTS.EXE
File size: 102400 bytes
MD5 hash: 91b564d825a3487ae5b5fafe57260810

The PIFTS.EXE binary was released through LiveUpdate targeting 2006 and 2007 products. After downloading the LU package, LU executes PIFTS.EXE, and PIFTS.EXE collects product state information, and reports this information to Symantec.

PIFTS.EXE does the following:

- Determines what product is installed, NIS, NAV, N360, NCO, or NSW, by looking under the HKLM\Software\Symantec\InstalledApps registry key.
- Determines the version of the installed product by looking at the file version information of a key product file.
- Determines if PIF is installed by looking under the HKLM\Software\Symantec\InstalledApps registry key.
- Determines the version of PIF by looking at the file version information of two key PIF files.
- Determines if PIF is enabled, and what the PIF state is, by looking at the PIF registry under HKLM\Software\Symantec.
- Determines the version of PIF that LiveUpdate believes is installed, by reading the LU catalog.
- The collected information, as described above, is reported to a Symantec server, called stats.norton.com, using an HTTP GET request. This server is located at a Symantec datacenter located on the East Coast of the United States.

No additional information is collected, no personal information is collected, and no system modifications are made."


That's Symantec's official statement on their forum, but it doesn't quite jibe with what an independent analysis of the program shows:

Now, if you run an analysis of PIFTS.EXE on http://anubis.iseclab.org/, it gives you this warning:

Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web

It seems contradictory, does it not? "No system modifications are made". Yet it changes the security settings of Internet Explorer?

Performs Registry Activities: The executable reads and modifies register values. It also creates and monitors register keys.

What's this? More changes to your system? Even if I don't know for exactly what reasons these changes are made, they still contradict the claim that "No additional information is collected, no personal information is collected, and no system modifications are made." Those sure look like modifications to me.


A user on the symantec forums posted:

If there's some sort of system call or function that's been compiled into the executable as part of a framework, it could trigger a report like that on an analysis program, even if the call itself is never actually made. This would really be quite common on many Windows programs. To really know what's going on we need a complete disassembled version of the program to see what calls it's making.


So we'll just have to see if anything more develops.

PIFTS as an aside, I would recommend against using Norton products simply for the way that they handled the initial inquiries on their forums (mass deletion of any and all discussion concerning it, which triggered a spam flood of PIFTS.EXE threads in an attempt to overwhelm the rate at which it could be censored) and due to them deliberately ignoring malware produced by the Feds (see: Magic Lantern).
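The way to settle the argument in the post above is to compare what the binary actually sends against what the vendor's statement says it sends. This added example, not part of the thread or of any Symantec code, parses a raw HTTP/1.x request as it would appear in Wireshark's "Follow TCP Stream" and reports anything beyond the claimed host and parameter set. The request bytes and every parameter name are constructed for the example; the thread does not reproduce the real request, and the names are an assumption about how the statement's fields (product, product version, PIF presence, PIF version, PIF state, LiveUpdate catalog version) might be encoded.

```python
from urllib.parse import parse_qs, urlsplit

# Parameter names are assumed for this example; they map one-to-one onto the
# fields the statement quoted above says PIFTS reports.
CLAIMED_PARAMS = {"product", "productver", "pif", "pifver", "pifstate", "lucatver"}
CLAIMED_HOSTS = {"stats.norton.com"}

# Constructed request matching the statement's description.
CLAIMED_REQUEST = (
    b"GET /pifts?product=NIS&productver=2007.1.0&pif=1&pifver=1.0.2"
    b"&pifstate=enabled&lucatver=1.0.1 HTTP/1.1\r\n"
    b"Host: stats.norton.com\r\n"
    b"User-Agent: PIFTS\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Constructed counter-example: extra fields and a different host, to show
# what a mismatch between observation and claim looks like.
SUSPECT_REQUEST = (
    b"GET /pifts?product=NIS&productver=2007.1.0&history_count=812&user=alice HTTP/1.1\r\n"
    b"Host: stats.example.net\r\n"
    b"\r\n"
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, query parameters,
    Host header and body length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {
        "method": method,
        "path": parts.path,
        "params": params,
        "host": headers.get("host", ""),
        "body_len": len(body),
    }


def compare_to_claim(req: dict) -> list:
    """Findings where the observed request goes beyond the vendor's description.
    An empty list means the capture is consistent with the claim."""
    findings = []
    if req["method"] != "GET":
        findings.append(f"method is {req['method']}, not GET")
    if req["host"] not in CLAIMED_HOSTS:
        findings.append(f"host {req['host']!r} not in claimed set")
    extra = sorted(set(req["params"]) - CLAIMED_PARAMS)
    if extra:
        findings.append("undeclared parameters: " + ", ".join(extra))
    if req["body_len"]:
        findings.append(f"{req['body_len']} bytes of request body on a GET")
    return findings


if __name__ == "__main__":
    for label, raw in (("claimed", CLAIMED_REQUEST), ("suspect", SUSPECT_REQUEST)):
        req = parse_http_request(raw)
        print(label, req["host"], req["params"], compare_to_claim(req) or "consistent with claim")
```

An empty findings list only shows the capture matches the statement's shape; it says nothing about what the server does with the data, and a base64 or encrypted blob in a "declared" parameter would still need decoding before it could be called consistent.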

#12 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 11 March 2009 - 08:53 AM

Unfortunately, most people here do not understand programming. The reason why this program opens up so many of these folders is not because they are scraping the contents, but because the libraries and modules they are using to access the Internet automatically access them. I monitored all file access while running the program, and yes they did access the folders, but did not query the contents.

This is just conspiracy theory fodder at its best.
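The distinction the post above draws, a folder being opened versus its contents being read or listed, is something a file-monitor trace can answer directly. This added example, not from the thread or from any Norton code, summarizes a Process Monitor CSV export per path: how many times the path was opened, how many directory enumerations hit it, and how many bytes were actually read from it. The log below is constructed in the column layout of a Process Monitor CSV export; the paths and the "productfile.dll" name are placeholders, and the explorer.exe line is there to show the process filter at work.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed log in the column layout of a Process Monitor CSV export
# (Time of Day, Process Name, PID, Operation, Path, Result, Detail).
# Paths are placeholders; "productfile.dll" stands in for whatever product
# file the troubleshooter reads version information from.
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:05:01.0001 PM","pifts.exe","1234","CreateFile","C:\Documents and Settings\user\Cookies","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, OpenResult: Opened"
"2:05:01.0002 PM","pifts.exe","1234","QueryBasicInformationFile","C:\Documents and Settings\user\Cookies","SUCCESS","CreationTime: 1/1/2009 9:00:00 AM"
"2:05:01.0003 PM","pifts.exe","1234","CloseFile","C:\Documents and Settings\user\Cookies","SUCCESS",""
"2:05:01.0010 PM","pifts.exe","1234","CreateFile","C:\Documents and Settings\user\Local Settings\History","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, OpenResult: Opened"
"2:05:01.0011 PM","pifts.exe","1234","CloseFile","C:\Documents and Settings\user\Local Settings\History","SUCCESS",""
"2:05:01.0020 PM","pifts.exe","1234","CreateFile","C:\Program Files\Norton\productfile.dll","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, OpenResult: Opened"
"2:05:01.0021 PM","pifts.exe","1234","ReadFile","C:\Program Files\Norton\productfile.dll","SUCCESS","Offset: 0, Length: 4,096"
"2:05:01.0022 PM","pifts.exe","1234","ReadFile","C:\Program Files\Norton\productfile.dll","SUCCESS","Offset: 4,096, Length: 4,096"
"2:05:01.0023 PM","pifts.exe","1234","CloseFile","C:\Program Files\Norton\productfile.dll","SUCCESS",""
"2:05:01.0030 PM","explorer.exe","800","QueryDirectory","C:\Documents and Settings\user\Local Settings\History","SUCCESS","Filter: *"
'''


def parse_procmon_csv(text: str) -> list:
    """Rows as dicts keyed by the header line; quoted commas in Detail are
    handled by the csv module."""
    return list(csv.DictReader(io.StringIO(text)))


def read_length(detail: str) -> int:
    """Pull the byte count out of a ReadFile detail such as 'Offset: 0, Length: 4,096'."""
    m = re.search(r"Length:\s*([\d,]+)", detail)
    return int(m.group(1).replace(",", "")) if m else 0


def summarize_access(rows: list, process: str = "pifts.exe") -> dict:
    """Per path, for one process and successful operations only: number of
    opens, number of directory listings, and bytes actually read."""
    summary = defaultdict(lambda: {"opened": 0, "enumerated": 0, "bytes_read": 0})
    for row in rows:
        if row["Process Name"] != process or row["Result"] != "SUCCESS":
            continue
        entry = summary[row["Path"]]
        op = row["Operation"]
        if op == "CreateFile":
            entry["opened"] += 1
        elif op == "QueryDirectory":
            entry["enumerated"] += 1
        elif op == "ReadFile":
            entry["bytes_read"] += read_length(row["Detail"])
    return dict(summary)


def content_accessed(summary: dict) -> list:
    """Paths whose contents were read or listed, the only ones where
    'scraping' is even possible."""
    return sorted(p for p, e in summary.items() if e["bytes_read"] or e["enumerated"])


def opened_only(summary: dict) -> list:
    """Paths that were opened (attributes, handles) but never read or listed."""
    return sorted(p for p, e in summary.items() if e["opened"] and not (e["bytes_read"] or e["enumerated"]))


if __name__ == "__main__":
    summary = summarize_access(parse_procmon_csv(SAMPLE_LOG))
    print("content accessed:", content_accessed(summary))
    print("opened only:", opened_only(summary))
```

A path in the opened-only list is what the post is describing: a library touching a well-known folder to resolve or stat it, with no ReadFile or QueryDirectory against it. Real traces are far noisier, so filter by process first and treat a non-zero bytes_read on a user-data path as the thing worth explaining.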

#13 Magic Lantern, Member

Posted 11 March 2009 - 09:43 AM

Thanks for the clarification.

#14 demonluo, Member

Posted 12 March 2009 - 02:05 PM

So is it safe to use Norton? (I'm using NIS09 right now and nothing seems suspicious so far, except that I can't exit the system tray since there is no option.)

#15 Grinler (Lawrence Abrams), Admin, Topic Starter

Posted 12 March 2009 - 04:08 PM

As far as I can see, there is no harm in using it.



