Tuesday, March 10, 2009

PIFTS.EXE: Symantec finally own up

So, the world can rest easy in their beds. A message tucked away on Symantec's forums (the same forums from which all discussion of the issue had previously been removed) finally owns up to what happened:
  • they released a patch to do some boring things that any old patch might have done
  • but they released the patch unsigned, which is why it tripped the firewall when a signed one would have passed quietly
  • because some of the posts on the Symantec forum were judged to be abusive, all posts were pulled down.
Whilst this seems to be an astonishing example of customer relations, and has drawn the world's attention to the kind of activity such patches may be carrying out on a routine basis, it does at least appear that the Feds are not about to plunder our computers for illicit chocolate chip cookie recipes. We were spared... this time.

(And yes, I did back up my recipe collection... just in case.)
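Since the whole affair comes down to an unsigned binary asking for outbound access, here is the check a practitioner would run before deciding whether to trust such a prompt. This is an added example, not code from the original post or from Symantec; the file path is an assumption for illustration, and it uses only the standard PowerShell cmdlets Get-AuthenticodeSignature and Get-FileHash.

```powershell
# Added example (not from the original post): check whether an executable that
# has just asked the firewall for outbound access carries a valid Authenticode
# signature, who signed it, and record its hash for comparison with what others
# report. The path below is an assumption for illustration.
function Test-ExecutableProvenance {
    param(
        [Parameter(Mandatory)]
        [string]$Path   # hypothetical location of the binary in question
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status values worth distinguishing:
    #   Valid        - signed, chain builds to a trusted root, file unmodified
    #   NotSigned    - no signature at all (the situation Symantec describes)
    #   HashMismatch - signed, but the file has been altered since signing
    #   UnknownError - signature present but chain/trust could not be verified
    $verdict = switch ($sig.Status) {
        'Valid' {
            "signed by '{0}' (thumbprint {1})" -f `
                $sig.SignerCertificate.Subject, $sig.SignerCertificate.Thumbprint
        }
        'NotSigned' {
            "NOT SIGNED - the vendor's identity cannot be established from the file itself"
        }
        default {
            "signature present but not trustworthy ({0}: {1})" -f $sig.Status, $sig.StatusMessage
        }
    }

    # A SHA-256 hash lets you compare the file against what forum posts and
    # automated analysis services report for the same name.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Verdict = $verdict
        SHA256  = $hash
    }
}

# Usage (hypothetical path):
Test-ExecutableProvenance -Path 'C:\Temp\PIFTS.EXE' | Format-List
```

A Valid status only tells you who signed the file and that it has not been altered since; it says nothing about what the code does once it runs. An unsigned file, on the other hand, gives you nothing to pin the vendor's claim to, which is exactly why a firewall is right to ask.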

What is the mysterious PIFTS.EXE?

Update 10/03/09 11:50am Luckily, it does appear that PIFTS.EXE is just a storm in a teacup. Symantec still appear to be saying about as much as the Queen did after Diana died.

So after a mysterious PIFTS.EXE program hits the Kaspersky firewall asking to connect out from one of our machines, I hit the Internet to find that nobody knows, but the world is wondering. According to Google Trends, it has been hovering between the 15th and 25th most frequent search for the last couple of hours. Various theories about PIFTS.EXE appear to be emerging: was it some component of Norton Antivirus that went wrong? Is it some mad terrorist plot to wipe the Internet off the face of the earth and thus prevent people from finding out about why Lil' Kim went to jail?

Update 10/03/09 Reading things so far, and just possibly maybe having had a quick look at a disassembly of the exe in IDAPro, the consensus seems to be that the file is essentially harmless, but was an attempt by Symantec to gather some statistics from users' machines about installed antivirus components. A user posting to Reddit also suggests that a code review of PIFTS.EXE does not reveal anything too nefarious, and that automated code analysers such as ThreatExpert don't pull anything up either (then again, a "well written" virus wouldn't, would it?).

Sometimes in cases like this, it's not so much whether there is anything wrong but whether there appears to be. Pulling down all forum posts about the file when there is clear user anxiety, without then making an official statement, doesn't make it look as though everything's hunky-dory...