Mystery Symantec PIFTS.exe message exploited

By on
Mystery Symantec PIFTS.exe message exploited

Cybercriminals now are capitalising on a benign warning message that was sent to some users of Symantec's Norton anti-virus products.

Cybercriminals now are capitalising on a benign warning message that appeared after an "unsigned" update was sent to some users of Symantec's Norton anti-virus products.

The message -- asking users whether they trusted a file download -- popped up in Norton firewalls when machines received a diagnostic patch called PIFTS.exe from Symantec. The file was distributed for three hours earlier this week to an unknown number of users running Norton's 2006 and 2007 versions, Jeff Kyle, group product manager for Symantec's consumer products, said. But many users, sounding off on blogs and message boards, feared they were being asked to install a malicious file.

It was not, but the incident caused many users to turn to the web for information. Criminals caught on and began poisoning results so that their malicious sites would turn up higher when users searched for PIFTS.exe.

"We're seeing evidence that websites containing malware are showing up in search engine results when people hunt for more information about PIFTS," Graham Cluley, Sophos' senior technolgy consultant, wrote on his blog.

The message pushed out to Norton subscribers is used to collect information for Symantec, Kyle said. It determines whether a user's subscription is up-to-date and what version of the product he or she is using.

"Normally patches such as this would be signed by Symantec," Kyle told "It was human error where this patch got released and was not signed. It raised a firewall alert because that patch was not signed. When the patch asked to be installed, the firewall said there's something trying to gain access to the system. It wasn't signed by Symantec, so it raised the alert."

Users were not harmed, he said.

"If they installed [the executable], they'd be just fine," Kyle said. "If they chose to ignore it and not install it, they'd be just fine."

But, at first, users weren't so sure. The official Norton forum received hundreds of posts on the topic. Again, cybercriminals also joined in -- and many of the posts, sometimes containing vulgar language, contained links to spammer sites, Kyle said. As a result, the company removed many of the posts.

Some users complained on blogs that their legitimate posts also were pulled. Kyle said he regrets this if it happened.

"Our policy is not to remove valid consumer comments and questions," he said. "We don't edit the forum in that manner."

Norton has some 56 million active users, which includes small businesses.

See original article on

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition

Most Read Articles

Log In

  |  Forgot your password?