SCI: Tech Fears Arise Over Norton and Pifts.exe

One of the /b/tards over on 4chan stated that P.I.F.T.S. is an acronym for Personal Information File Transfer System. He goes on to suggest that Symantec has been hacked, and someone is using Norton to extract personal data from symantec customers.
True or not, thisdoes make a lot of sense, and would explain why Symantec is going to such great lengths to destroy any mention of "Pifts.exe"

any thoughts?

reply to post by nikmti


Would have to be a hell of a hacker to break an Antivirus company's link to it's software.

They'd go away for years if they were caught.

Originally posted by RFBurns
Whats their problem? How can they sue your site just for talking about some exe file?

What do your attourneys say about it?


Cheers!!!!

I take it this is aimed at me. If you read my post further you would've noticed that I was just joking (adding fuel to the fire). My apologies for causing any confusion.

Wow, it's rather amusing to watch the Norton forums:
community.norton.com...

and see new threads there getting immediately deleted. Someone's pulling an all-nighter.

Originally posted by Gemwolf

Originally posted by RFBurns
Whats their problem? How can they sue your site just for talking about some exe file?

What do your attourneys say about it?


Cheers!!!!

I take it this is aimed at me. If you read my post further you would've noticed that I was just joking (adding fuel to the fire). My apologies for causing any confusion.

Ahh well its cool, no worries.

2nd line

Cheers!!!!

Originally posted by Ian McLean
Wow, it's rather amusing to watch the Norton forums:
community.norton.com...

and see new threads there getting immediately deleted. Someone's pulling an all-nighter.

I'd say, if they are that panicked by all this interest in the file, that they would have noticed this thread now too.

Nortons have no power over ATS, so it would be amusing to see if they tried to find a way to take down this topic too.

ATS is a dishonest company's worst nightmare.

Originally posted by nikmti
One of the /b/tards over on 4chan stated that P.I.F.T.S. is an acronym for Personal Information File Transfer System.

That really sounds like a "backronym". I doubt it would really stand for something like that.

Interesting point to note that there is apparently another file, called "pifsvc.exe", that is involved with Norton "live update". Not to be confused with "pifts.exe". Perhaps the "pif" prefix is some kind of abbreviation used by the Symantic software developers.

Originally posted by staple
Norton is going to get caught with its pants down....
I cannot wait to see how this pans out.

Ha couldnt happen to a worse company!

Symantec has been putting this cruddy software on PC's for years and ripping people off with its exorbitant price.

Maybe its karma catching up with them..

Has anyone posted to Slashdot yet asking about this file? See if they delete the post like everyone else.

I'm downloading a trial of norton's to run on a VM inside of Linux. I want to see for myself.

This looks like a joke, which would explain why Norton is deleting the posts. This would also explain why tech support doesn't know what's going on.

[edit on 10-3-2009 by -Jaguar-]

Interesting string from PIFTS.EXE:

d:\perforce\entiredepot\consumer_crt\patchtools\patch021809db\release\PIFTS.pdb

A PDB, or "Program Database" file, is a separate file that is created when a C/C++ program is compiled by Microsoft Visual C++. It contains debugging information, and is usually not distributed with the EXE file.

This fully-qualified path to the PDB seems to indicate that PIFTS.EXE belongs to a set of 'patch' tools. It's unknown whether the Perforce depot (a source code version control system) that's referred to in the path is Symantic's.

Looking further at the EXE, this is a C++ STL program, console mode, compiled with Microsoft C++. Of interest is the 'imports' section, which allows the program to connect to operating system functions. It seems fairly simple, there's find/load/lock resource, which allows information in the resource segment of the EXE file to be accessed by the program, various file functions such as getting timestamps, creating and writing to files, registry access functions, some OLE automation, and interestingly, access to InternetOpen APIs provided by wininet.dll.

At first, and very brief glance, this would appear to be a program that connects to the internet and downloads files, writing them on the local machine. That's consistent with the depot naming of this as some kind of 'patch' tool. (That's just speculation, without a controlled analysis in a virtual machine.)

Of course, what is downloaded, why, and what that does, is a mystery - and Symantic's response (or lack thereof) to questions in this situation is quite suspicious.




[edit on March 10th 2009 by Ian McLean]

reply to post by -Jaguar-



Rofl, this is no joke mate... this is serious stuff :| have you bothered to check pifts.exe?

I have Norton and so does a friend, neither of us have had this window popped up.

Does it only pop up on a certain version?

I don't run Norton.

If it actually happened, then either Norton's servers were compromised (unlikely) or this is an update gone wrong.

The reason tech support doesn't know what is going on is because this is something new and it just happened. The people who are knowledgable enough to answer are now being woken up and finding what the problem was or is. After they figure it out, they will update tech support.

Posts on Norton's forums are now being deleted because people are just spamming to be funny. Why the first posts about it were deleted, that's interesting.

Originally posted by -Jaguar-
I don't run Norton.

If it actually happened, then either Norton's servers were compromised (unlikely) or this is an update gone wrong.

The reason tech support doesn't know what is going on is because this is something new and it just happened. The people who are knowledgable enough to answer are now being woken up and finding what the problem was or is. After they figure it out, they will update tech support.

Posts on Norton's forums are now being deleted because people are just spamming to be funny. Why the first posts about it were deleted, that's interesting.

I doubt they're spamming to be funny, they're spamming to get answers!

I'm thinking about posting myself...

Wouldn't be the first time for a corporation to install something covertly the Sony root kit fiasco comes to mind as the worst example I can remember but I don't think everyone should jump to conclusions as yet it could well be something innocent.

The forum posts being deleted and posting bans are suspicious though I admit that immediately made me think of policeware/Gov Spyware although that's a big jump and it's unlikely they would make it so obvious. Another possibility is some type of authorization check but it might just be a change to the updater or something related.

My opinion at the minute is it's probably nothing to worry about but then again I wouldn't personally install a Symantec product I find them bloated, expensive and in my experience anyway worthless at what they are meant to do.

Just made an account on Norton and posted about pifts.exe. I decided my tactic would be to spam there boards with it, so that even if someone only saw it for a few seconds, they would still know what was going on. My message read:


NORTON ARE COVERING UP PIFTS.EXE!!!!!!!


This thread will be deleted shortly, just watch.


There's a conspiracy going on here. They don't want anybody discussing pifts.exe


COVERUP !!!!!!!!!!!!

COVERUP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


NORTON IS COVERING SOMETHING UP!!!!!!!!!!!!!!!!!!!!!!!!!!


PS: Hey mod, **bleep** you for deleting this thread, you're a sheep who likes following orders, enjoy your pathetic life.

-------------------------------------------------------------


The post was deleted within minutes.

I decided to stick around and do some more spamming and was glad to see that our "friends" at 4chan are currently raiding the norton forum feedback section. It's nice to see that Anon are sometimes useful, they do enjoy to spam things after all.

Here's a screenshot of some Anon pifts spam.





That ought to keep the Norton mods busy.


Can't wait to find out what the truth is behind this mystery.

[edit on 10-3-2009 by Pompkinini]

This issue is beginning to self generate, some contributors to the Norton forum are now linking back to ATS and this thread as definitive proof of some major conspiracy.

I'd give you a link but the threads are getting zapped immediately.

Here's a link to the Norton community forum ... if you keep refreshing you'll see a "pifts.exe" thread appear (and disappear) every few minutes.

Norton Forum

reply to post by allsop


Just because the file exists doesn't mean this is all couldn't be a joke. That file could have always been there. Somebody just decided to make everyone paranoid and make a post about it. Because the board this story orginated from allows anonymous posting, it could easily be one person making most of the comments.

The people now examining the file, I suspect, have no real idea what they are looking at or looking for. Try to decompile any program or open it in a hex editor and you will find wierd stuff.

People are spamming the Norton forums, that's why posts keep getting deleted. If I were them I would just lock the boards for a couple hours.

ATTENTION: PLEASE DO NOT SPAM OTHER SITES!

We don't advocate spamming of other sites, nor do we "boast" about it. I doubt if spamming/upsetting the Norton mods will get any answers (sooner). Should you decide to spam Norton in any case, please don’t bring it over to ATS as board wars are forbidden in the Terms & Conditions Of Use

2g.) Board Wars: You will not use these boards to organize "attacks" on other boards, blogs, or discussion groups, and similarly, you will not organize such attacks against this board. Doing so will result in removal of your post(s) and immediate termination of your account.

Edit: Clarity

[edit on 10-3-2009 by Gemwolf]