Yesterday we reported on an Internet scare over a file called PIFTS.exe that was part of a Norton 360 update. The rumors ran wild about what this file was for, the meaning behind it and who it was reporting to.
In the end there were and still are few real facts known about this file.
Here is a list of things we know for certain:
-The file was created on March 4th 2009, it was inside the update to Norton Anti-Virus (most notably Norton 360) sent out on March 9th 2009.
The file was named PIFTS.exe
-PIFTS.exe when decompiled apparently contained a large amount of padding.
The file appeared to be calling the GoogleDesktop dlls (G O E C 6 2 ~ 1 . D L L)
-In addition to the GoogleDesktop calls PIFTS also gathers information from your temporary Internet Files, Cookies, Temps files and registry information
-The file was sending the gathered information to a site called stats.norton.com which actually points to a SwapDrive IP 184.108.40.206:80; SwapDrive is a division of the Web Data Group based in Arlington, VA and was recently purchased by Symantec
-Customers with Norton 360 and ZoneAlarm began receiving prompts asking if they wanted to allow PIFTS.exe access to the internet early on March 9th
-Postings to Norton's Website were quickly deleted and many users found themselves banned by IP after even a single post asking about it. (Norton later claimed this was due to Spam although the spam did not start till many hours later)
- Norton also, at one point, blocked the word PIFTS from use on the forum. Posts with the word and user names containing the word were not allowed. This points to Norton Mods and Admins adding PIFTS to their word filters deliberately (as of this writing the username filter is still in effect)
-A member of the 4Chan group caught this and reported it where it quickly spread around the internet.
-4Chan and other Anon posters began heavily spamming Norton's forum (the spamming was not helpful at all)
An analysis of PIFTS.exe by Anubis can be found here
There is much speculation over what PIFTS was really doing, no one but Symantec knows. The number of conspiracy theories is astounding and range from an NSA/FBI/CIA plot to mine data to Military Intelligence gathering.
Below are links to Norton's forums with official explanations (released a little more than 24 hours after the initial incident) you can decide for yourself if they hold water. I have also included a link to Above Top Secret, which has one of the more active threads and also has some informative information on the file (including several links to the actual coding).
The PIFTS.EXE binary was released through LiveUpdate targeting 2006 and 2007 products. After downloading the LU package, LU executes PIFTS.EXE, and PIFTS.EXE collects product state information, and reports this information to Symantec.
PIFTS.EXE does the following:
- Determines what product is installed, NIS, NAV, N360, NCO, or NSW, by looking under the HKLM\Software\Symantec\InstalledApps registry key.
- Determines the version of the installed product by looking at the file version information of a key product file.
- Determines if PIF is installed by looking under the HKLM\Software\Symantec\InstalledApps registry key.
- Determines the version of PIF by looking at the file version information of two key PIF files.
- Determines if PIF is enabled, and what the PIF state is, by looking at the PIF registry under HKLM\Software\Symantec.
- Determines the version of PIF that LiveUpdate believes is installed, by reading the LU catalog.
- The collected information, as described above, is reported to a Symantec server, called stats.norton.com, using an HTTP GET request. This server is located at a Symantec datacenter located on the East Coast of the United States.
No additional information is collected, no personal information is collected, and no system modifications are made.
Quote from Norton Forums