Pifts: Difference between revisions
Revision as of 19:40, 10 March 2009
PIFTS.exe accesses your Internet History, Temporary Internet Files and Google Desktop. It appears to be tracking your searches. Norton is deleting all comments about it on their forums, and they were being deleted on Yahoo! Answers as well.
CONTACT
- Pifts.exe @ irc.freenode.net ---> MOVED TO: #pifts @ irc.annonnet.org
- Pifts.exe_misinfo @ irc.freenode.net
DATA
- http://pastebin.com/m1e207a78
- http://www.mediafire.com/?mnmh35b9d0k
- http://www.megaupload.com/?d=HV4TFAJJ PIFTS.exe disassembled
- http://anubis.iseclab.org/?action=result&task_id=19d7659347c3ebcd4a5ba7e9faa60fa14&format=htm (srs website wondering wtf the file is)
MEDIA
- http://it.slashdot.org/article.pl?sid=09/03/10/139229 (WIN!)
- http://digg.com/software/What_is_PIFTS_and_why_is_Symantec_covering_it_up
- http://digg.com/software/What_is_PIFTS_and_why_is_Symantec_covering_it_up?
- http://www.reddit.com/r/reddit.com/comments/83hjr/symantec_covering_up_the_piftsexe_file_and/
- http://www.tech-linkblog.com/2009/03/conspiracy-theories-run-rampant-due-to-piftsexe.html
- http://www.abovetopsecret.com/forum/viewthread.php?tid=444230
- http://forums.zonealarm.org/zonelabs/board/message?board.id=Off-Topic&message.id=19880
- http://community.norton.com/norton/board?board.id=nis_feedback (Norton Internet Security / Norton AntiVirus Forums)
- http://chrysler5thavenue.blogspot.com/2009/03/piftsexe.html
- http://gigazine.net/index.php?/news/comments/20090310_pifts_exe_norton/ (Japanese tech blog picked up on the story)
- http://translate.google.com/translate?prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fgigazine.net%2Findex.php%3F%2Fnews%2Fcomments%2F20090310_pifts_exe_norton%2F&sl=ja&tl=en&history_state0= (translation to English)
- http://questionbox.jp.msn.com/qa4784219.html (MSN Japan post about it in a tech help section of their site; the site is regional, it seems)
- http://74.125.113.132/translate_c?hl=en&ie=UTF-8&sl=ja&tl=en&u=http://questionbox.jp.msn.com/qa4784219.html&prev=_t&usg=ALkJrhj_g1aRvBSFwp1sJVA-YQdRZzE57A (translation to English)
- http://pc11.2ch.net/test/read.cgi/sec/1235400043/642n (2ch BBS discussion begins)
- http://74.125.113.132/translate_c?hl=en&ie=UTF-8&sl=ja&tl=en&u=http://pc11.2ch.net/test/read.cgi/sec/1235400043/642n&prev=_t&usg=ALkJrhiCZNufy_SmBRfQwdAdMczO0v2whQ (translation to English)
- http://forums.shoryuken.com/showthread.php?s=8861e008de41ff5bc2c71247750de8d3&p=6268378 (discussion about pifts.exe and Steve Gibson's podcast, Security Now! podcaster. Users hoping he can explain wtf the file is all about)
IMAGES
- http://img220.imageshack.us/img220/9219/tcpview.jpg -- A cap of pifts trying to access the internet, taken in the second or so it displayed.
- http://img18.imageshack.us/img18/8581/pifts.gif
- http://img3.imageshack.us/img3/3863/pifts2.gif
- http://img142.imageshack.us/img142/750/1236680748455.jpg (properties of a file in an update directory, unconfirmed if it's the real file or just a faker trying to get attention, I suspect it is the real one)
- http://img5.imageshack.us/img5/6486/1236683072542.jpg (info about pifsvc.exe which seems related)
- http://gigazine.jp/img/2009/03/10/pifts_exe_norton/pifts01.png (/b/ having some fun, but there were lots of legit posts about pifts.exe before they got there)
- http://img111.imageshack.us/img111/6922/registeration.jpg (taken at http://community.norton.com/norton/user_signup that's some weird shit going on, those mods should get fired.)
RELATED
pifsvc.exe (process info for LiveUpdate Notice Service) may be related in purpose to pifts.exe, since both names start with "PIF", which is in the Windows registry of computers with Norton installed. Links:
- http://www.google.com/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&channel=s&hl=en&q=%22pifsvc.exe%22&btnG=Google+Search
OTHER IDEAS
Anonymous 03/10/09(Tue)06:29:36 No.122551388 (from /b/)
Anon, I propose a war. A war unlike any others. Please, hear me out.
A wise anon posted this.
>Ummm, shouldn't we be fanning these flames of mistrust into ever greater fear and ultimately rage?
>I mean, shouldn't we harness this to cause damage to someone, which would be Symantec's reputation I guess.
>Anyway, this thread seems just too passive. When there is something unusual and possibly scary, but probably not, I think we should give it a nudge into horrifying paranoia.
>I like the North African IP thing. What would sound scary there? Al Qaeda in Eritrea? A new Al Qaeda online cyberterror front that has designs on stealing people banking details and identities for use in funding and supplying terror ops? Did they have a spy named Arun at Symantec? Arun [make up good sounding arab surname] of Al Qaeda in Eritrea?
This got me thinking. He's right, on one hand we've got everyone looking to norton for an explanation and everyone else searching the internets for the string "pifts.exe". I say we start making claims. We blow this out of proportion. IMO the best way to go about this is by coming up with a few "facts" and then every anon can string them together however they like.
continued in next post
>>Anonymous 03/10/09(Tue)06:30:00 No.122551434
part 2
We'd be posting on the forums as someone said in another post.
>We're joining in the game a little bit late so we will want to plan ahead. Everyone needs to make accounts on their forums. If we just raid it as is they'll probably stop allowing new accounts and just block the already made accounts from being able to post (seems to be their current tactic). So how about we start the raid in two hours? Does that seem like enough time for everyone to make accounts? We don't want to give them enough time to come up with a story that will calm everyone down.
>Remember, we're like the 300 spartans, the whole internets is practically raiding them right now, but we're the only ones who know what the fuck we're doing.
Also, we'd be making blogs and shit which we would be linking to for our sources. The more blogs we have and the more interlinked they are the harder it will be to disprove (think religious circular logic). Blag A cites Blog B which cites Blog C and A and so on and so forth.
"Magic Lantern is keystroke logging software developed by the United States' Federal Bureau of Investigation.
Symantec, the makers of Norton AntiVirus and related products, is reportedly working with the FBI on ways to preclude their products from detecting Magic Lantern. Eric Chien, a top researcher at Symantec, emphasized the ability to detect "modified versions." --Anonymous
There is some discussion that Pifts.exe may be a keylogger program, a modified version of Magic Lantern [ http://en.wikipedia.org/wiki/Magic_Lantern_(software) ]
COPYPASTAS
Apparently something big is happening. A mysterious program known as pifts.exe is attempting to contact a server in Africa and seems to be associated with Symantec's anti-virus system, Norton. There is virtually no information on the internet regarding pifts.exe, aside from <a href="http://www.tech-linkblog.com/2009/03/conspiracy-theories-run-rampant-due-to-piftsexe.html/">this blog</a> and threads <a href="http://www.abovetopsecret.com/forum/thread444230/pg1">such as these</a>. Symantec are supposedly deleting any mention of pifts.exe from their community forums and so users have moved to <a href="http://forums.zonealarm.org/zonelabs/board/message?message.uid=443981#U443981">ZoneAlarm's Forums</a>.
Magic Lantern is keystroke logging software developed by the United States' Federal Bureau of Investigation.
Symantec, the makers of Norton AntiVirus and related products, is reportedly working with the FBI on ways to preclude their products from detecting Magic Lantern. Eric Chien, a top researcher at Symantec, emphasized the ability to detect "modified versions."
P.I.F.T.S.
Public Internet and File Tracking System
It goes offshore because there's no law forbidding sending it to foreign governments. If governments want to spy on their own citizens, it is normal for them to have foreigners do it in order to get around normal restrictions about spying on their own people.
CHAT LOGS FROM LIVE SUPPORT
All this info is fake, I don't care if you use it.
Mr. Mark Cole has entered room.
Basil has entered room.
Basil(Tue Mar 10 2009 05:12:36 GMT-0400 (Eastern Daylight Time))> You are being transferred to Basil.
Basil(Tue Mar 10 2009 05:12:46 GMT-0400 (Eastern Daylight Time))> Welcome to Norton. Is this the first time you are contacting us or do you have a Priority ID?
Mr. Mark Cole(Tue Mar 10 2009 08:13:11 GMT-0400 (Eastern Daylight Time))> First time
Basil(Tue Mar 10 2009 05:13:11 GMT-0400 (Eastern Daylight Time))> May I confirm your email address as mark@markcole.net and direct phone number as (310) 201-0161, am I right?
Mr. Mark Cole(Tue Mar 10 2009 08:13:40 GMT-0400 (Eastern Daylight Time))> Yes.
Basil(Tue Mar 10 2009 05:13:37 GMT-0400 (Eastern Daylight Time))> May I know which country you are connected from?
Mr. Mark Cole(Tue Mar 10 2009 08:14:00 GMT-0400 (Eastern Daylight Time))> United States
Basil(Tue Mar 10 2009 05:13:55 GMT-0400 (Eastern Daylight Time))> Please provide me your alternate phone number or mobile number for quality assurance.
Mr. Mark Cole(Tue Mar 10 2009 08:14:25 GMT-0400 (Eastern Daylight Time))> I do not have any alternate phone numbers.
Basil(Tue Mar 10 2009 05:14:21 GMT-0400 (Eastern Daylight Time))> Please let me know which Symantec product you are using and its version/year.
Mr. Mark Cole(Tue Mar 10 2009 08:15:07 GMT-0400 (Eastern Daylight Time))> I am using Norton Antivirus 2009 with Windows XP SP 3
Basil(Tue Mar 10 2009 05:15:06 GMT-0400 (Eastern Daylight Time))> Mark, are you connected from the computer, which is facing this particular issue?
Mr. Mark Cole(Tue Mar 10 2009 08:15:31 GMT-0400 (Eastern Daylight Time))> Yes.
Basil(Tue Mar 10 2009 05:15:28 GMT-0400 (Eastern Daylight Time))> Thank You for all the information. I would now create a Priority ID for you. In the meanwhile could you please give me a short description about the issue you are facing on your computer.
Mr. Mark Cole(Tue Mar 10 2009 08:16:40 GMT-0400 (Eastern Daylight Time))> I run Norton Antivirus with ZoneAlarm free firewall. Apparently, PIFTS.exe has asked for internet access more than 10 times in the past hour. After some googling I found PIFTS.exe to be a product of Norton.
Basil(Tue Mar 10 2009 05:16:52 GMT-0400 (Eastern Daylight Time))> Thank You for your patience. Your Priority ID is 492001608. Please make a note of it for future reference.
Mr. Mark Cole(Tue Mar 10 2009 08:17:17 GMT-0400 (Eastern Daylight Time))> Ok.
Basil(Tue Mar 10 2009 05:17:18 GMT-0400 (Eastern Daylight Time))> As I understand from your issue, you are getting PIFTS.exe alerts for internet access. Am I correct?
Mr. Mark Cole(Tue Mar 10 2009 08:17:42 GMT-0400 (Eastern Daylight Time))> Yes.
Basil(Tue Mar 10 2009 05:18:38 GMT-0400 (Eastern Daylight Time))> Do you suspect any virus infection in your system?
Mr. Mark Cole(Tue Mar 10 2009 08:20:11 GMT-0400 (Eastern Daylight Time))> Yes, I am somewhat experienced with computers and I have found this program to access two IP addresses. One in Kirkland, Washington, and one in Washington, DC. Does Symantec have anything in those areas?
Basil(Tue Mar 10 2009 05:20:12 GMT-0400 (Eastern Daylight Time))> We are here to help you.
Basil(Tue Mar 10 2009 05:20:26 GMT-0400 (Eastern Daylight Time))> Mark, is your system performing slower than usual?
Mr. Mark Cole(Tue Mar 10 2009 08:21:22 GMT-0400 (Eastern Daylight Time))> You didnt answer my previous question. Does symantec have any operations in the areas that this program is trying to access?
Basil(Tue Mar 10 2009 05:21:49 GMT-0400 (Eastern Daylight Time))> No Mark, Norton virus removal queue located in India.
Basil(Tue Mar 10 2009 05:21:52 GMT-0400 (Eastern Daylight Time))> Did you observe any suspicious behavior of your computer that indicates a possible infection?
Mr. Mark Cole(Tue Mar 10 2009 08:22:47 GMT-0400 (Eastern Daylight Time))> Yes, I noticed this "PIFTS.exe" to access stats.norton.com and it also goes through my internet cache files.
Basil(Tue Mar 10 2009 05:23:13 GMT-0400 (Eastern Daylight Time))> Does your browser gets re directed to web sites like SpyLocked, Virus Protect Pro, Antivirgear, Ultimate Defender, SecurePC Cleaner Etc ?
Mr. Mark Cole(Tue Mar 10 2009 08:23:43 GMT-0400 (Eastern Daylight Time))> No, it does not.
Mr. Mark Cole(Tue Mar 10 2009 08:24:35 GMT-0400 (Eastern Daylight Time))> Do you mind if I ask why any thread started in Norton's forums about PIFTS.exe is deleted within 5 minutes?
Basil(Tue Mar 10 2009 05:26:39 GMT-0400 (Eastern Daylight Time))> Am sorry Mark. Am not technically trained. These questions are best answered by the Consultant, who are the experts in this field and who would troubleshoot on the computer.
Basil(Tue Mar 10 2009 05:26:48 GMT-0400 (Eastern Daylight Time))> Mark, from the description you gave me we are unable to find any signs of virus or spyware activity on your computer, however we can only confirm this with certainty, on completion of a detailed diagnosis. If you suspect a virus on your system, our expert consultants will diagnose your system, and troubleshoot any virus or spyware/malware if present on your computer. If we find any infection on your system, we would be glad to assist you in removing it. We would connect remotely to your computer and fix the issue. There would be consultation fee for this premium service. Would you like me to go ahead?
Mr. Mark Cole(Tue Mar 10 2009 08:27:55 GMT-0400 (Eastern Daylight Time))> Then may I please speak with a consultant that can help me?
Basil(Tue Mar 10 2009 05:27:59 GMT-0400 (Eastern Daylight Time))> The Consultation fee would be US $99.99. We guarantee to identify any threats that may be on your system. Once we have found them, we will remove them. In addition we guarantee our work for a period of 7 days from today.
Basil(Tue Mar 10 2009 05:28:00 GMT-0400 (Eastern Daylight Time))> So shall we proceed with your permission?
Mr. Mark Cole(Tue Mar 10 2009 08:30:03 GMT-0400 (Eastern Daylight Time))> No, I want to know why symantec is covering pifts.exe and I refuse to pay money to find that out.
Basil(Tue Mar 10 2009 05:30:04 GMT-0400 (Eastern Daylight Time))> There can be several possible reasons for this:- 1. The infected file is active on your computer; 2. It is sort of "embedded" into your browser (such as an Add-on) or into some other running softwares/applications; 3. The infected has "assumed" system file status/rights and hence it cannot be simply deleted. These are possible reasons, but we can only know the actual reason once a detailed diagnosis is complete. Your Norton software attempts to override these; however it is not always possible, since we need to adhere to various software conventions/standards, some of which could be set by the Operating System.
Basil(Tue Mar 10 2009 05:30:08 GMT-0400 (Eastern Daylight Time))> Is there anything else I can help you with?
Mr. Mark Cole(Tue Mar 10 2009 08:32:18 GMT-0400 (Eastern Daylight Time))> Ah yes, thanks for letting me know how PIFTS.exe embeds itself into my browser while it "supposedly" contacts Norton for updates. Does it attach to Internet Explorer, Firefox, or both?
Basil(Tue Mar 10 2009 05:32:57 GMT-0400 (Eastern Daylight Time))> Am sorry Mark, we can not say without diagnose your system.
Basil(Tue Mar 10 2009 05:32:58 GMT-0400 (Eastern Daylight Time))> If you need to contact Norton again please visit http://www.symantec.com/vremoval . It has been pleasure assisting you. Thank you for choosing Norton. Have a great day ahead!!
Mr. Mark Cole(Tue Mar 10 2009 08:33:37 GMT-0400 (Eastern Daylight Time))> You too, enjoy infecting your valued customers' computers.
Basil(Tue Mar 10 2009 05:34:17 GMT-0400 (Eastern Daylight Time))> I do understand your concern; however as per our company policy, we can not troubleshoot your system without processing the fee.
Basil(Tue Mar 10 2009 05:34:18 GMT-0400 (Eastern Daylight Time))> Thank you for choosing Norton. Have a great day ahead!!
Basil(Tue Mar 10 2009 05:34:26 GMT-0400 (Eastern Daylight Time))> Please click on End Session.
Mr. Mark Cole(Tue Mar 10 2009 08:35:13 GMT-0400 (Eastern Daylight Time))> Well how rude. Try to cover up your PIFTS.exe then commanding me to click on something.
Mr. Mark Cole(Tue Mar 10 2009 08:35:38 GMT-0400 (Eastern Daylight Time))> How do I know clicking on End Session wont take me to porn sites?
Basil(Tue Mar 10 2009 05:36:51 GMT-0400 (Eastern Daylight Time))> You can see a "End Session" button in the top of the chat window.
Mr. Mark Cole(Tue Mar 10 2009 08:37:53 GMT-0400 (Eastern Daylight Time))> Yes I know that, but considering the recent events of PIFTS.exe Im not sure I can trust this website.
Mr. Mark Cole(Tue Mar 10 2009 08:37:57 GMT-0400 (Eastern Daylight Time))> You click it for me.
Basil(Tue Mar 10 2009 05:38:32 GMT-0400 (Eastern Daylight Time))> Alright.
Mr. Mark Cole(Tue Mar 10 2009 08:40:04 GMT-0400 (Eastern Daylight Time))> Have you clicked it yet?
Mr. Mark Cole(Tue Mar 10 2009 08:40:07 GMT-0400 (Eastern Daylight Time))> Is it safe?
Mr. Mark Cole(Tue Mar 10 2009 08:40:12 GMT-0400 (Eastern Daylight Time))> Or is it a trap?
Basil(Tue Mar 10 2009 05:40:19 GMT-0400 (Eastern Daylight Time))> Yes Mark. You can click, Its safe.