Monday, 9 March 2009

There is virtually no information on the internet yet regarding a mysterious program called PIFTS.exe, aside from what's posted on this blog. Symantec, makers of the bloated Norton Anti-Virus software, are deleting any mention of PIFTS.exe from their community forums.

The topic is being discussed at forums.zonealarm.org.





UPDATE (02:36 10 March 2009):
A Google search for PIFTS.exe turns up a link to www.kanzlei.biz/uploads/tf/index.php?family-guy-season-7-episode-8/, a nefarious-looking website that I suggest you not go to unless you know what you are doing. The site contains JavaScript which may be malicious. Here's a screen capture from one of the pages on that site.




UPDATE (03:56 10 March 2009): In our comments, thepipermethod says the kanzlei.biz website is just mirroring keywords from Google Trends, which at this time include the terms "PIFTS" and "EXE", and that the site has no other relation to PIFTS.exe.

At zonealarm.org, one person reports talking with various representatives of Symantec for two hours without receiving any answer as to why inquiries posted on the Symantec forums were being deleted. The caller was told that PIFTS.exe is part of Symantec's update installation process, was denied any further information regarding the purpose of the file and was repeatedly transferred to a new representative when asking why inquiries about PIFTS.exe were being deleted from Symantec's forums.




UPDATE (10:42 10 March 2009): There is speculation that this is part of the FBI's secret Magic Lantern software. From Wikipedia:



Symantec, the makers of Norton AntiVirus and related products, is reportedly working with the FBI on ways to preclude their products from detecting Magic Lantern. Eric Chien, a top researcher at Symantec, emphasized the ability to detect "modified versions."

Some people are reporting that the Norton forums have been taken offline. There is no information posted anywhere yet regarding what this program does.




UPDATE (11:10 10 March 2009): It's being said that PIFTS.exe contacts an IP address in Africa.




UPDATE (11:50 10 March 2009): This site has links to copies of the PIFTS.exe file which you can download. I cannot vouch for whether the files are authentic or not.

There is contradictory information about what actual IP address the program is contacting.



UPDATE (12:02 10 March 2009): Apparently digg.com is also covering this story up. 242 diggs and it's not on the front page.

There's a good discussion of this on slashdot.org, a Web 2.0 social networking site for techies. The Washington Post and The Register are covering this as well.




UPDATE (14:45 10 March 2009): More details on Digg's cover-up of the PIFTS.exe story here. The coordinated opposition to this story tells us that we are on the right track.




UPDATE (16:22 10 March 2009): Symantec has finally issued a statement on PIFTS.exe. Symantec claims that it was just a patch to their software that was accidentally released "unsigned." The company also alleges that inquiries regarding the matter on their forums were deleted because many people made posts about it:


One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec.

It is interesting that there is no accounting for why the first post was deleted along with every single other mention of the issue. It is also worth noting that Symantec refers to those customers of theirs who promptly wanted to know what this "unsigned" piece of software was as "spammer(s)" whose intent "remains unclear."
