Sponsored by..

Tuesday 10 March 2009


Well, this is interesting. Users of Norton Antivirus are finding an application calls PIFTS.EXE that is try to call out. But every time anyone posts a query on the Norton support forum, it gets deleted immediately (see this search).

PIFTS.EXE appears to be a part of a patching application. The executable itself is unencrypted and contains several interesting bits of text such as:

  • http://stats.norton.com/n/p?module=2667
  • The ping url is %s PATCH021809DB
  • d:\perforce\entiredepot\consumer_crt\patchtools\patch021809db\release\PIFTS.pdb
  • SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine
When run, it calls home to the following URL: http://stats.norton.com/n/p?module=2667&product=unknown&version=-1&e=-1&f=-1&g=-1&h=-1&i=0&j=-1 hosted on at Swapdrive in Washington. Swapdrive is owned by Symantec, who make Norton.. so there's nothing suspicious there.

One odd thing is that the PIFTS.EXE executable is padded out to precisely 100KB (102,400 bytes) with a string saying "XXPADDINGPADDINGXX" several times. Presumably Symantec have their own reason for making sure that the file is exactly this length.

PIFTS.EXE appears to be contacting a statisitical tracking server, possibly to report back on the installed version. Perhaps this violates Symantec's privacy policy, perhaps it's part of the testing process that was accidentally included in the update.

Some people might say that the way Symantec is deleting posts indicates a cover-up. It is certainly suspicious, but my best guess is that there's a quality control issue here and the PIFTS.EXE process was never meant to be released.

VirusTotal gives it a clean bill of health. ThreatExpert shows that it doesn't do much except call home.


Unknown said...

The conspiracy theories are getting out of hand. Someone posted a topic disputing these theories and explaining why the executable has the paddingxxx in it. Found the story here:

Debunking Norton pifts.exe conspiracies

Conrad Longmore said...

Symantec have a statement here.

You do see false positives and bad updates from AV vendors from time-to-time. What happened here was a PR disaster though as Symantec attempted a cover-up.

Unknown said...

Hi guys

Emma here from Symantec, makers of Norton. Just to let you know that this was a human error, now rectified, and you are fully protected and do not need to take any action as a result of this issue.

Details are here: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39119

Essentially, Symantec released a diagnostic patch "PIFTS.exe" targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 – 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec “unsigned”, which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution.