By poisoning search engine results with malicious links

Mar 11, 2009 11:02 GMT

An unsigned component called pifts.exe that was pushed by Symantec to its customers created quite a stir on the Internet yesterday, even raising several conspiracy theories. The malware distributors did not miss the chance to target the massive number of users searching for information about the curious file and injected malicious links into the search results.

It all began when many Symantec customers started receiving warnings from their firewalls that an application named pifts.exe was trying to access the Internet. According to the alerts, the file was supposed to be stored in a subdirectory of the Symantec LiveUpdate folder that didn't even exist.

Since this behavior was consistent with the presence of a rootkit component, the users jumped on the Symantec forums only to find that the posts they were creating were subsequently being deleted. This sparked controversy amongst bloggers and security professionals. Why would Symantec delete reports about this file? What was it trying to hide? Everyone was asking.

Furthermore, some of the initial analyses of the file claimed that pifts.exe collected information from the system and attempted to send it to a Symantec-controlled server located in Africa. Such news caused some individuals to go overboard and suggest far-fetched conspiracy theories, such as the security company installing spyware on behalf of the U.S. government.

Symantec eventually released an official statement, explaining that pifts.exe stood for Product Information Framework Troubleshooter (PIFTS), a component designed to gather information about Symantec products on systems in order to troubleshoot issues with the LiveUpdate component that some customers were experiencing. The company also explained that the threads on its support forums were deleted because they were being abused by spammers.

"Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts," a spokesperson wrote. He also explained that "In a case of human error, the patch was released by Symantec 'unsigned,' which caused the firewall user prompt for this file to access the Internet. […] Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users."
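The two signals that made pifts.exe look suspicious, a binary with no Authenticode signature and a claimed location under the LiveUpdate folder that did not exist on disk, are both things an administrator can check directly instead of relying on a firewall prompt. The following PowerShell snippet is an added example written for this article, not a Symantec tool; the file path, the expected publisher string and the output format are assumptions, and the only cmdlet used is the built-in Get-AuthenticodeSignature.

```powershell
# Added example: triage an executable that a firewall flagged as trying to reach the Internet.
# Checks (1) that the path the alert names actually exists and (2) whether the binary carries
# a valid Authenticode signature from the publisher the user expects.

function Test-FlaggedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,              # path reported by the firewall alert
        [Parameter(Mandatory)] [string] $ExpectedPublisher  # substring expected in the signer subject
    )

    # A firewall alert naming a path that does not exist is itself worth recording: it can mean
    # the file was deleted after running, or that the reported path is not the real one.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Status = 'PathMissing'; Signer = $null; Verdict = 'Investigate' }
    }

    # Get-AuthenticodeSignature returns a Status of Valid, NotSigned, HashMismatch, NotTrusted, etc.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    $verdict = switch ($sig.Status) {
        'Valid'     { if ($signer -like "*$ExpectedPublisher*") { 'SignedByExpectedPublisher' } else { 'SignedByOtherPublisher' } }
        'NotSigned' { 'Unsigned'      }   # what happened with pifts.exe: legitimate file, but no signature to verify
        default     { 'Investigate'   }   # HashMismatch / NotTrusted / UnknownError: do not run it until understood
    }

    [pscustomobject]@{ Path = $Path; Exists = $true; Status = $sig.Status; Signer = $signer; Verdict = $verdict }
}

# Constructed usage: the path below is a placeholder, not the real LiveUpdate location.
Test-FlaggedBinary -Path 'C:\PLACEHOLDER\LiveUpdate\unknown.exe' -ExpectedPublisher 'Symantec' | Format-List
```

An 'Unsigned' verdict does not by itself mean a file is malicious, as the PIFTS case shows, but it does mean the signature cannot be used to decide either way; the file hash should then be compared against the vendor's published information before it is allowed through.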

The release of the patch might not have been dangerous, but the fuss it created was. Graham Cluley, senior technology consultant at Sophos, advised at the time to "be very careful when you search on the Internet for information about PIFTS." As he pointed out, "We're seeing evidence that websites containing malware are showing up in search engine results when people hunt for more information about PIFTS."