“What is PIFTS.exe?” - How Symantec Turned A Simple Mistake Into Corporate Disaster

http://www.freebase.org ^ | 3/9/09 | http://www.freebase.org

[NewJerseyJoe]

"What is PIFTS.exe?" or How Symantec Turned A Simple Mistake Into Corporate Disaster.

First posted: March 9, 2009
Updated: March 10, 2009

---

On March 9, 2009, Norton Internet Security users around the world encountered a suspicious message which indicated that an unsigned program, PIFTS.exe, was trying to connect to the Internet. Users quickly turned to Google where they only found other users looking for the same answers. Next they began posting questions on the official Norton Internet Security message board.

Here is where the situation quickly deteriorated. Forum moderators began pulling every single post which mentioned PIFTS or merely alluded to it. Symantec realized that they had a problem on their hands and hoped that they could keep things quiet long enough to prepare a fix. But what they failed to comprehend was that their actions to cover-up their mistake created a fertile breeding ground for misinformation and conspiracy theories. A search for "PIFTS" on their site gave but one response: "Did you mean: gifts?"

As is often the case, Symantec's cover-up was much worse than the actual crime. They could have prevented this disaster by posting an official statement immediately, not an entire day after the fact. To make matters worse, when Symantec employee Dave Cole posted the official response he tried to brush aside the mass deletion of legitimate posts regarding PIFTS with this statement:

Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts.

Dave Cole
Senior Director of Product Management
Consumer Products and Solutions
Symantec

I have documented just some of the legitimate posts which were deleted. Symantec committed a huge blunder here. They tried to justify their forum moderation techniques by citing out-of-control spamming. However, the spamming only began after word spread that Symantec had implemented a gag order on all things PIFTS. Had they clarified the problem from the beginning there would have been no stink of conspiracy. Instead they perpetuated the conspiracies and allowed bloggers and other message boards to take control of the conversation.

Unfortunately for Symantec the damage is done. An anti-virus and internet security company is built on trust and trust alone. Once users lose faith in a company it cannot exist (see Arthur Anderson). Only time will tell whether or not Symantec committed corporate suicide today. The lesson that other companies can learn from this is (a) if you make a mistake, admit it immediately and provide current information to your users and (b) allow discussions to exist on your message board or else the negative PR will hurt you more than the comments from unhappy users.

Sure, Symantec will fix the error but it won't matter to me. I've already uninstalled all of their products and will forever preach to others not to purchase Symantec products. Which brings me to my third lesson for other companies to learn from this: bad news travels much faster than good news.

If someone loses their job at Symantec I hope it's not the poor programmer who fried his brain with too much caffeine, but rather the executive who turned this mistake into a corporate disaster by failing to keep users informed and implementing a gag order.

---

Tip: If you want to prevent PIFTS.exe from sending information back to Symantec then add the following line to your C:\Windows\System32\drivers\etc\hosts file:

127.0.0.1	stats.norton.com

(If you do not have permission to edit this file then click Start and type Notepad. When you see Notepad listed right-click and choose Run as administrator. Then open the hosts file from Notepad).

---

Here is a recap of what happened prior to Symantec's woefully inadequate announcement explaining what happened and why they behaved the way they did:

---

Did you receive a Norton Program Alert for PIFTS? If so, you're not alone. But don't expect to get any answers from Norton or Symantec. They've been doing damage control all afternoon and into the evening. Now, this could be a benign program. But Norton's absolutely bizarre behavior has given this PIFTS file a life of its own.

Background

On Monday, March 9, 2009, my Norton popped up the following Program Alert window: PIFTS is attempting to access the Internet.
Program: PIFTS.exe
Path: C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt652\
The remote address is: 67.134.208.160 : http (80)

(I did a whois on that IP and it came back to SwapDrive, a company acquired by Symantec in June, 2008.)

A Conpiracy Is Born

Not recognizing the file, I decided to Google "PIFTS" but only found sites of other people looking for similar answers. A couple hours later a thread appeared on Norton's message board with some possible theories. But about an hour later that thread disappeared. I suspected this was because someone was bashing Norton. So I decided to post the following message with the username "WhatIsPIFTS":

I was following a thread here regarding an error message that many people got today and the thread was deleted.  So here is a new thread.

I have an expired version of Norton Internet Security. Today I received a program alert which said: PIFTS is attempting to access the Internet Program: PIFTS.exe Path: C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt652\ Date/Time: 3/9/2009 5:58 PM

This appears to be a Norton file of some sort. However, Norton does not offer any information about this file.

Here is what I gathered so far: -If you block this file's access to the internet then it might not be able to provide any updates to your Norton. -It might be related to another company that Symantec recently acquired.

If Norton or Symantec or anyone else can provide any info that would be greatly appreciated!!

I clicked the submit button but immediately I got this error message:

We're sorry, but you have been banned from using this site.

I suspected that they banned me because my password bashed Norton. So I created a new account called WhatsPIFTS and posted the same message again.

A few minutes later I reloaded my post and got this message:

The message you are trying to access has been deleted. Please update your bookmarks.

Shortly thereafter my new account was banned!

Something is going on here, people, and it's VERY DISCONCERTING for an anti-virus company to behave like this. Norton refuses to provide ANY information about PIFTS. Search their site and you'll find absolutely nothing. In addition they are deleting discussions from people who paid them money and want to know why a suspicious file is accessing the internet. The more they try to hide this information the more likely it seems that there is a MAJOR PROBLEM they are trying to cover up. They're going to have to come clean eventually but the damage has already been done. I hope the cover-up is worse than the initial crime and they go down in flames.

Why on earth Norton would go to such lengths to obfuscate any and all information on this file is beyond me. But they've done a great job at creating a breeding ground for conspiracies. Great job fellas! You've just lost my business forever, and hopefully the business of other users and potential customers.

Google Trends shows that pifts.exe was the 23rd most commonly searched term for March 9, 2009. Something is hitting the fan.

Keeping Norton "Honest"

Here are some seemingly innocent messages that were deleted from Norton's message board. The more messages they delete, the deeper the conspiracy gets!
What is Norton hiding and how long do they think they can get away with this?

---

I searched this forum but did not see PIFTS.exe. Any idea what this is? thanks,. Tartarus. Kudos!

---

This user obviously noticed the censorship and tried to alter his message to avoid deletion, to no avail.
User: Linksux
Title: So about this file.
Body: So yeah, its an exe that starts with a P, it ends ifts. Whats all this talk about it?

---

Symantec has taken their paranoia to a new level by deleting the following message. She didn't even mention PIFTS.exe by name.
User: Ladyfish
Hello!
I just got a pop up that a weird program is trying to get internet access.
Does anyone have the same problem?
Should I allow it or delete?

---

User: Ladyfish
Hi!

The other topic got deleted. One employee explained why:
Okay, so I can't name my exact problem, it seems my topic will be deleted if I do..? :smileysad:
In any case, does this mean the program is safe after all?
(please don't mention the program anymore, my topic will be deleted again!!)

---

Related Links:

analyses

• Malware Analys Report from Sunbelt CWSandbox
• Analysis Report of PIFTS.exe performed by Anubis.

articles:

• PCWorld.com Bad Symantec Update Leads to Trouble
• washingtonpost.com "Users Complain of Mysterious 'PIFTS' Warning"
• howstuffworks.com "What is PIFTS.exe?"
• telegraph.co.uk Internet conspiracy theories abound over Symantec Pifts.exe file

blogs:

• crunchgear.com Symantec, what's PIFTS? Please don't delete this!
• Graham Cluley's blog The mystery of Symantec and PIFTS.EXE
• tech-linkblog.com "Conspiracy theories run rampent due to PIFTS.EXE"
• theinquirer.net African executable raises Symantec hackles
• chrysler5thavenue.blogspot.com "What is PIFTS and why is Symantec covering it up?"
  
• javamex.blogspot.com "What is the mysterious PIFTS.EXE?"
  
• www.abovetopsecret.com "Tech Fears Arise Over Norton and Pifts.exe"
  
• thetechherald.com Symantec explains PIFTS and debunks conspiracy theories (Update)

forums:

• bleepingcomputer.com "Debunking the Norton pifts.exe conspiracies"
• slashdot.org "Norton Users Worried By PIFTS.exe, Stonewalling By Symantec"
• experts-exchange.com "what is pifts.exe? System? Threat?"
• ZoneAlarm "PIFTS.exe"
• reddit.com Symantec covering up the PIFTS.exe file and deleting questions on their forums??
• abovetopsecret.com "Tech Fears Arise Over Norton and Pifts.exe"
• Anyone know what PIFTS.exe is?
  

encyclopedias:

• Wikipedia PIFTS.exe
• encyclopedia dramatica PIFTS.exe

[hugorand]

What a nightmare. I’m so glad I switched to a Mac and don’t have to spend valuable time with Norton Internet Security, etc...

[Frantzie]

Free Anti-virus programs you can download:
AVG or Avast

Low Cost $29 for use on 3 machines:
PC Tools Spyware Doctor & AntiVirus

PC Tools turned out to be fast and excellent. I usually have had good luck with AVG and Avast but PC Tools fixed a virus problem the others had a bit of trouble with.

[FReepaholic]

...A search for "PIFTS" on their site gave but one response: "Did you mean: gifts?"...

Symantec's KB search function is pathetic at best.

[Star Traveler]

Yep, but I’ve still got “Little Snitch” to watch my outgoing connections... :-)

[OneWingedShark]

>Symantec’s KB search function is pathetic at best.

LOL - That’s funny.

[hugorand]

I’ve still got “Little Snitch” to watch my outgoing connections... :-)

Me too! And, unlike Norton, it doesn't use massive amounts of CPU and Memory :)

[ItsForTheChildren]

Best thing I ever did for my system was get rid of that Symantec crap.

[evilC]

ZOT!

:)

[Bloody Sam Roberts]

Only time will tell whether or not Symantec committed corporate suicide today.

I hope they did. Their products blow chunks.