Symantec Update

(an excerpt from a recent web news article)

Late yesterday evening, Symantec released an unsigned patch containing the file 'PIFTS.EXE'. Because the file was unsigned, it caused firewall alerts in Norton Internet Security and Norton Antivirus when the file attempted to access the Internet. It's not yet been revealed exactly what the purpose of the file was, but it's actions were to create a URL consisting of version information for certain Norton products. But though the actions of the file were pretty benign, reactions from users were anything but calm. Instead, spammers immediately began flooding Symantec forums, theory crafting many evil scenarios, leaving nonsense posts, and generally creating havoc. That led to Symantec deleting the threads, which in turn led to even more conspiracy theories and finger pointing.

malware distributors were quick to pick up on the controversy and immediately began seeding malware through search engines by posting links to malicious files using the keyword 'PIFTS.EXE'. Be wary of any update file with this name.

Symantec Released the following statement:

"Symantec released a diagnostic patch "PIFTS.exe" targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009. This patch was released for approximately 3 hours (4:30 - 7:40 PM March 9, 2009 Pacific Time). In a case of human error, the patch was released by Symantec "unsigned", which caused the firewall user prompt for this file to access the Internet. The firewall alert for the patch caused understandable concern for users and began to be reported back to Symantec. Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users. The patch reached a limited number of Norton customers and has subsequently been pulled from further distribution. Norton users are fully protected and do not need to take any action as a result of this issue.

There has been activity in the Norton User Forum related to PIFTS.exe which has generated additional concern and media speculation. At approximately 10:30pmET Monday March 9, Symantec detected that our User Forum boards were being abused by an individual or individuals. One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec. Below are some examples of the forum spam we received from these new user accounts.

Symantec strictly adheres to its Norton Community Terms of Service and does not delete postings unless they are in violation of these guidelines. Upon determining that our User Forums were being abused, Symantec began removing the spam posts.

Finally, it has also been reported by the Washington Post that hackers are taking advantage of this situation. "Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them." When searching for information on "pifts.exe," Symantec strongly advises all users to be wary of following links to unknown sites as malicious users are attempting to use this hot topic to distribute malware."