Norton product patch "PIFTS.exe" and Norton Users Forum
[ Edited ]
davecole
Symantec Employee
Posts: 48
Registered: 04-07-2008

Message 1 of 8

Viewed 79,187 times
Hi everyone, Symantec released a diagnostic patch "PIFTS.exe" targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 - 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec "unsigned", which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.

There has been activity in the Norton User Forum related to PIFTS.exe which has generated additional concern and media speculation. At approximately 10:30pm ET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals. One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec. Below are some examples of the forum spam we received from these new user accounts. These forum posts contained no text in the body of the message, simply a subject:

- O LAWD IM CHOKIN ON PIFTS PLZ HALP
- OH GOD YOU GOT CHOCOLATE IN MY PIFTS
- If you wanna be my NORTON/ you gotta deal with my P ! F T S . E X E
- IF PIFTS.EXE WAS HERE, THEN WHO WAS PHONE?
- PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE
- I LOVE MY PIFTS.EXE

Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts.

Finally, it has also been reported by the Washington Post that hackers are taking advantage of this situation. "Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them." When searching for information on "pifts.exe," Symantec strongly advises all users to be wary of following links to unknown sites as malicious users are attempting to use this hot topic to distribute malware.
Message Edited by davecole on 03-10-2009 12:45 PM
03-10-2009 12:42 PM
Re: Norton product patch "PIFTS.exe" and Norton Users Forum
marianmerritt
Symantec Employee
Posts: 188
Registered: 04-08-2008

Message 2 of 8

Viewed 75,730 times
The spammers also chose to use the comment area on my blog. I was very reluctant to turn comments off this morning but when the number of comments grew to over 100 and began to include profanity and sexual material, it was time to take action. (We have to keep this site family friendly!) I assure you we will be turning commenting back on but will continue to monitor any possible future signs of abuse, in accordance with our forum terms of service. I apologize for any inconvenience this situation may have caused.
03-10-2009 01:39 PM
Re: Norton product patch "PIFTS.exe" and Norton Users Forum
PieterV
Symantec Employee
Posts: 237
Registered: 07-15-2008

Message 4 of 8

Viewed 63,258 times
PIFTS.exe or Product Information Framework Troubleshooter

This entry was created to answer the following key questions around PIFTS.exe:
- What is PIFTS.exe?
- What is the function of PIFTS.exe?
- What information does PIFTS.exe collect?
Norton security products contain a component called Product Information Framework (PIF), and a feature called LiveUpdate Notice (LUN).
LUN is an in-product messaging mechanism that is used to notify customers when new product versions are available. The messaging is targeted to particular systems based on product version, operating system version, and product state, and this state is determined by the PIF component.
For instance, LUN was used to notify users when a Vista compatible version of their product became available, and LUN will again be used to notify users when a Windows 7 compatible version of their product becomes available.
LUN is fully integrated into 2008 and later products, but is a standalone component in 2006 and 2007 products. LUN became available after the 2006 and 2007 products shipped, and was added to the 2006 and 2007 products using LiveUpdate (LU).
Symantec is aware of a problem affecting some 2006 and 2007 products where a subsequent PIF update did not successfully apply. The cause of this problem is currently under investigation, but the result is that these users may not receive appropriate LUN messaging.
To assist with identifying the extent, and potential cause, of the problem, Symantec created an investigative executable that analyzes the Norton product state, and reports the details to Symantec. This information will help Symantec to identify and correct the problem with PIF, in time for the Windows 7 release.
Product Information Framework Troubleshooter (PIFTS) executable details:
File name: PIFTS.EXE
File size: 102400 bytes
MD5 hash: 91b564d825a3487ae5b5fafe57260810
The PIFTS.EXE binary was released through LiveUpdate targeting 2006 and 2007 products. After downloading the LU package, LU executes PIFTS.EXE, and PIFTS.EXE collects product state information, and reports this information to Symantec.
PIFTS.EXE does the following:
- Determines what product is installed, NIS, NAV, N360, NCO, or NSW, by looking under the HKLM\Software\Symantec\InstalledApps registry key.
- Determines the version of the installed product by looking at the file version information of a key product file.
- Determines if PIF is installed by looking under the HKLM\Software\Symantec\InstalledApps registry key.
- Determines the version of PIF by looking at the file version information of two key PIF files.
- Determines if PIF is enabled, and what the PIF state is, by looking at the PIF registry under HKLM\Software\Symantec.
- Determines the version of PIF that LiveUpdate believes is installed, by reading the LU catalog.
- The collected information, as described above, is reported to a Symantec server, called stats.norton.com, using an HTTP GET request. This server is located at a Symantec datacenter located on the East Coast of the United States.
No additional information is collected, no personal information is collected, and no system modifications are made.
03-10-2009 07:59 PM
Re: Norton product patch "PIFTS.exe" and Norton Users Forum
[ Edited ]
PieterV
Symantec Employee
Posts: 237
Registered: 07-15-2008

Message 5 of 8

Viewed 50,595 times
PIFTS.EXE and User Information Disclosure and System Changes
There are numerous reports claiming that PIFTS.EXE collects
and submits user data, specifically reading of IE browser cookies, and claims
that PIFTS.EXE makes system modifications, specifically changes IE settings,
and further reports that these claims are substantiated by automated analysis
systems.
PIFTS.EXE uses the Microsoft Windows InternetOpenURL() API
to submit the collected PIF state to Symantec. The InternetOpenURL() API
internally reads various system configuration settings, including Microsoft Internet Explorer settings and
files, and can also result in changes to the IE cache and temporary files
folders.
PIFTS.EXE does not directly read any user data, PIFTS.EXE
does not directly make any system changes, and PIFTS.EXE does not transmit any
user data to Symantec.
To demonstrate the InternetOpenURL() API behavior, I created
a small application called TestPIFTS.EXE. This is a Windows application,
written in C++, and compiled using Visual C++ 9.0 SP1. The application does
nothing more than open a URL on the Symantec web server.
The full source code and binary is available for download,
here is a summary:
```cpp
#include <windows.h>
#include <wininet.h>   // link with wininet.lib
#include <tchar.h>
int main() {
    LPCTSTR szAgent = _T("TestPIFTS");
    LPCTSTR szURL = _T("http://www.symantec.com/index.jsp");
    // INTERNET_OPEN_TYPE_PRECONFIG makes WinINet read the IE proxy/connection settings
    HINTERNET hInternet = InternetOpen(szAgent, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    HINTERNET hURL = InternetOpenUrl(hInternet, szURL, NULL, 0, 0, 0);
    InternetCloseHandle(hURL);
    InternetCloseHandle(hInternet);
}
```
To analyze the TestPIFTS.EXE behavior you may use a variety
of forensic and troubleshooting tools, including the Microsoft Process Monitor
utility used to observe system modifications, and the Microsoft Network Monitor
utility used to observe network communications.
Using Process Monitor you will notice that TestPIFTS.EXE
reads lots of registry keys, reads lots of files, and makes some changes to the
IE cache and temporary files folder. Using Network Monitor you will notice that
TestPIFTS.EXE generates an HTTP GET request to the www.symantec.com server. All
the system and network activity is a result of using the InternetOpenURL()
Windows API.
Some of the reports substantiate their claims based on the
automated analysis of PIFTS.EXE by the Anubis server. For comparison, I
submitted the harmless TestPIFTS.EXE binary to the Anubis server for
comparative analysis.
Here are the reports for PIFTS.EXE and TestPIFTS.EXE:
http://anubis.iseclab.org/?action=result&task_id=19d7659347c3ebcd4a5ba7e9faa60fa14&format=html
http://anubis.iseclab.org/?action=result&task_id=1d8f441c76d1d36a4715d60ff7d34dfd5&format=html

The Anubis analysis of PIFTS.EXE and TestPIFTS.EXE (the
application that does nothing more than open a URL on the Symantec web server)
produces the same results, including the modification to the system. Yet, the
TestPIFTS.EXE source code clearly shows no system modification or data
collection is taking place. I could also not reproduce the Anubis system
registry modification results using Process Monitor.
PIFTS.EXE does not directly read any user data, PIFTS.EXE
does not directly make any system changes, and PIFTS.EXE does not transmit any
user data to Symantec.
References:
http://msdn.microsoft.com/en-us/library/aa385098(VS.85).aspx
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
http://blogs.technet.com/netmon/
http://anubis.iseclab.org
testPIFTS.zip has also been made available for you to test.
Message Edited by Tony_Weiss on 03-11-2009 08:45 PM
03-11-2009 03:11 PM
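One way to apply the Process Monitor approach PieterV describes, as an added example that is not code from this thread or from Symantec: a Python triage script that reads a Procmon CSV export and separates registry and file reads, and the IE-cache writes that InternetOpenUrl() itself produces, from modifications outside those folders, which are the ones that would need explaining. It assumes Procmon's standard CSV export columns; the sample rows are constructed, and "suspect.exe" is a made-up second process included only to show what a genuine IE-settings change looks like in the output.

```python
# Added example (not code from the Norton thread): triage a Process Monitor
# CSV export the way PieterV describes, separating the reads and the IE-cache
# writes that InternetOpenUrl() itself produces from modifications that would
# actually need explaining. Assumes Procmon's standard CSV columns.
import csv
import io
import re

# Operations that change state in the registry or on disk.
MODIFY_OPS = {"WriteFile", "SetEndOfFileInformationFile",
              "SetRenameInformationFile", "SetDispositionInformationFile",
              "RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}
# CreateFile counts as a write only if it asks for write access or creates/overwrites.
WRITE_CREATE = re.compile(r"Generic Write|Disposition: (Create|OpenIf|Overwrite|Supersede)")
# Where InternetOpenUrl() is expected to leave traces: IE cache and temp folders.
EXPECTED_SIDE_EFFECT = re.compile(r"Temporary Internet Files|\\Temp\\", re.IGNORECASE)


def classify(row):
    """Return 'read', 'modify' or 'network' for one Procmon row."""
    op = row["Operation"]
    if op.startswith(("TCP ", "UDP ")):
        return "network"
    if op in MODIFY_OPS or (op == "CreateFile" and WRITE_CREATE.search(row["Detail"])):
        return "modify"
    return "read"


def triage(csv_text, process_name):
    """Per-process counts plus the modifications outside the expected folders."""
    summary = {"read": 0, "modify": 0, "network": 0,
               "peers": [], "unexpected_modifications": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        kind = classify(row)
        summary[kind] += 1
        if kind == "network" and row["Path"] not in summary["peers"]:
            summary["peers"].append(row["Path"])
        if kind == "modify" and not EXPECTED_SIDE_EFFECT.search(row["Path"]):
            summary["unexpected_modifications"].append((row["Operation"], row["Path"]))
    return summary


# Constructed sample rows modelled on the post's description of TestPIFTS.EXE;
# "suspect.exe" is a made-up second process that really does change an IE setting.
SAMPLE_PROCMON_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:11:00.0000001 PM","TestPIFTS.EXE","1234","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","SUCCESS","Desired Access: Read"
"3:11:00.0000002 PM","TestPIFTS.EXE","1234","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"3:11:00.0000003 PM","TestPIFTS.EXE","1234","CreateFile","C:\Documents and Settings\user\Cookies\index.dat","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"3:11:00.0000004 PM","TestPIFTS.EXE","1234","ReadFile","C:\Documents and Settings\user\Cookies\index.dat","SUCCESS","Offset: 0, Length: 16,384"
"3:11:00.0000005 PM","TestPIFTS.EXE","1234","TCP Connect","pc:1041 -> www.symantec.com:http","SUCCESS","Length: 0"
"3:11:00.0000006 PM","TestPIFTS.EXE","1234","TCP Send","pc:1041 -> www.symantec.com:http","SUCCESS","Length: 210"
"3:11:00.0000007 PM","TestPIFTS.EXE","1234","CreateFile","C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index[1].htm","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"3:11:00.0000008 PM","TestPIFTS.EXE","1234","WriteFile","C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index[1].htm","SUCCESS","Offset: 0, Length: 4,096"
"3:11:00.0000009 PM","suspect.exe","4321","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
""".lstrip()
```

Calling `triage(SAMPLE_PROCMON_CSV, "TestPIFTS.EXE")` reports four reads, two network events to www.symantec.com and two writes, all inside the IE cache, with nothing unexpected; the same call for "suspect.exe" lists its RegSetValue on ProxyEnable as a modification to review.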
Re: Norton product patch "PIFTS.exe" and Norton Users Forum
[ Edited ]
PieterV
Symantec Employee
Posts: 237
Registered: 07-15-2008

Message 6 of 8

Viewed 45,561 times
PIFTS.EXE and LiveUpdate Notice
We received reports of PIFTS.EXE updates on systems where no Norton Internet Security or Norton AntiVirus 2006 or 2007 products were installed. We investigated the situation and now understand how this happened.
With Norton Internet Security and Norton AntiVirus 2006 and 2007, LiveUpdate Notice and LiveUpdate are also separately installed. In some situations when uninstalling or upgrading the product, LiveUpdate Notice and LiveUpdate were not successfully uninstalled and may have remained behind even after the product was uninstalled on customers’ systems. Therefore, it’s possible that systems that still had LiveUpdate Notice and LiveUpdate, but no product, may have received the PIFTS.EXE update.
LiveUpdate Notice and LiveUpdate are the mechanisms used in Norton products to push out product patches and new malware definitions. No personal user information is captured or sent out.
If you no longer have a Norton product installed and want to uninstall LiveUpdate Notice and LiveUpdate, you can easily remove them through the Add/Remove Programs function in Windows.
We’re aware that older Norton products did not cleanly uninstall. Improving the installer speed and reliability was a primary focus for Norton Internet Security 2009, Norton AntiVirus 2009, and Norton 360 v3. The installer has been fully rewritten for our current versions, resulting in a reliable, integrated, and clean uninstall of the product, including LiveUpdate Notice and LiveUpdate.
Message Edited by PieterV on 03-12-2009 04:16 PM
03-12-2009 04:11 PM
Re: Norton product patch "PIFTS.exe" and Norton Users Forum
[ Edited ]
Tony_Weiss
Administrator
Posts: 3907
Registered: 04-07-2008

Message 7 of 8

Viewed 45,248 times
The Norton Community Forum only just came out of beta with the release of Norton 360 v3.0 on March 4th 2009. During its months in beta, it never experienced such a massive attack as it did during March 9 – 10, 2009. The ferocity of these attacks was surprising as employees posting on the forums have always been transparent with issues and open to criticism.
So to give Symantec staff a better understanding of how this played out and to find areas where processes could be improved upon, the following list was compiled.
I have been given permission to share the list with you. Much of our success has been built on trust. We focus on our customer’s needs and experiences. These types of attacks help no one, particularly the customers who really need assistance.
I hope this list will help shed some light on what we were up against.
Cheers, Tony
03-09-2009 19:30 EDT through 03-09-2009 22:40 EDT – PIFTS.exe was posted to the LiveUpdate server.
03-09-2009 20:44 EDT – The first post made to the NIS forums concerning PIFTS.exe: “What is PIFTS.exe ?” http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=39984#M39984
03-09-2009 22:20 EDT – 18 replies to the original thread had been posted. With the exception of one user, all replies were from users whose accounts were created minutes earlier. Additionally, the original post had received ~4,500 views by this time.
03-09-2009 22:25 EDT – Lithium moderation contacted the Forums Administrator about this issue, since several threads were created with the “What is PIFTS.exe ?” subject. The Forums Administrator agreed that the Lithium team should change the unusual threads to READ ONLY, and merge them together for removal.
03-09-2009 22:38 EDT – Another thread was created on the NIS boards: “PIFTS.EXE” http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=40002#M40002 This thread too had an unusually high view number, and was created and replied all by users who created accounts a minute before posting. This thread was also merged with the “What is PIFTS.exe ?” thread.
03-10-2009 00:00 EDT – The forums had received 54,726 page views between 21:00 and 23:59 hours, twice the page views normally received during USA business hours.
03-09-2009 2300 EDT through 03-10-2009 0400 EDT – only 5 threads per hour were posted regarding PIFTS.EXE to the forums.
03-10-2009 02:23 EDT – Forum Gurus and Symantec Employees are sent Personal Messages (PM) through the forum from some of the users concerning PIFTS.exe
03-10-2009 02:30 EDT - Personal Message system was taken offline, to avoid any spamming of the PM system (much more manual process to clean)
03-10-2009 04:00 EDT – 30 threads were posted on this subject during the hour, all by new users. The subjects and content varied. Most were humorous subject lines – popular expressions with “PIFTS” inserted into them. Others were obscene and vulgar posts. None contained any real substance, and were clearly intended to spam the site. These were removed immediately.
03-09-2009 05:00 EDT through 03-10-2009 11:30 EDT – averaging 12 posts per minute in PIFTS spam.
03-10-2009 09:15 EDT – Symantec Public Relations and the PIFTS product team were advised of the situation.
03-10-2009 11:30 EDT – Meeting of representatives from various Symantec teams to discuss the actions taken so far and the next steps to resolving this issue.
03-10-2009 12:54 EDT - Personal Message system was put back online.
03-10-2009 14:45 EDT – Marian Merritt’s blog comment setting was disabled, as the spammers were adding spam comments to her blog posts.
03-10-2009 15:42 EDT – Dave Cole posted an announcement explaining PIFTS to users. http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=39119#M39119
03-10-2009 15:42 EDT – Tony Weiss opened a discussion thread for PIFTS in the NIS board. http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39123
03-10-2009 16:39 EDT – Marian Merritt posted a reply to the original announcement, stating that her Blog comments would be temporarily disabled: http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=39156#M39156
03-10-2009 17:40 EDT – Marian Merritt’s blog comment setting was enabled.
03-10-2009 19:14 EDT – Tim Lopez posted a message to reassure people that we will be following up with further information. http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=39245#M39245
03-10-2009 19:33 EDT – Tim Lopez posted a second message defending his previous post. http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=39254#M39254
03-10-2009 21:28 EDT – Tony Weiss posted supplemental information, clarifying the server info for PIFTS: http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=39285#M39285
03-10-2009 22:59 EDT – PieterV posted his Technical response to the PIFTS announcement: http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=39302#M39302
03-11-2009 18:11 EDT – PieterV posted additional technical information to the PIFTS announcement: http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=39665#M39665
03-11-2009 19:00 EDT – Tim Lopez posted a message explaining why threads about PIFTS.exe were being deleted: http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=39694#M39694
03-12-2009 19:11 EDT – PieterV posted more technical information regarding the distribution of PIFTS.exe to the PIFTS announcement: http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=39964#M39964
(Edited to fix a typo in a date.)
Message Edited by Dave_Coleman on 03-12-2009 10:33 PM
Tony Weiss
Norton Forums Community Manager
Symantec Corporation
03-12-2009 06:36 PM