PANIC AT SYMANTEC

SYMANTEC: "There is no conspiracy theory. We were under attack by a robot."

After being unable to silence their customers on their forums inquiring about Symantec's mysterious PIFTS.exe file Monday night, Symantec has moved on to their Plan B: lie and obfuscate. Releasing a statement Tuesday on their forums, Symantec explained that their customers were incorrect in thinking there was a mass effort to delete all their posts inquiring about PIFTS.exe, because it was in fact a mass effort by Symantec to delete posts by spammers with "unclear" intentions inquiring about PIFTS.exe.

"There is no conspiracy theory. There's nothing we are hiding at all," says Jeff Kyle, group product manager for Symantec consumer products. "Within the first hour there were like 600 posts to that thread. Obviously it was a bot creating this."

Currently, representatives of the company are repeating that the first post referencing PIFTS.exe was made by a spambot, despite being unable to explain how and why a spambot can be the first to be aware of and mention this obscure file on the forums at the exact same time Symantec's staff realized their mistake and were pulling the file from distribution. Witnesses who saw the initial deleted post are having the hardest time accepting Symantec staff's explanation.

(Photo of the culprit courtesy Symantec's Public Relations Dept.)

OFFICIAL PIFTS MERCHANDISE

http://www.cafepress.com/pifts

UPDATE (13:46 11 March 2009): Cafepress.com is suppressing the sale of these shirts!

DIGG BURIES PIFTS.EXE STORY

Digg.com, a popular social news website in which news stories are voted up or down by users and are placed on the front page according to popularity is keeping the top-voted story regarding Symantec's suppression of inquiries about PIFTS.exe hidden. Digg user Janjko says:

This story is flagged, just when it hit 200 Diggs it disappeared from the upcoming stories with most diggs, Digg doesn't want it on it's front page. http://digg.com/news/software/upcoming/most

Currently the story has 269 "diggs" (or votes up) and counting.

UPDATE (13:20 10 March 2009): The original story with over 300 diggs is no longer showing up in a search for "PIFTS.exe" on digg.com anymore. Lower rated stories still show up but are being systematically removed as this is being written. Screenshots of digg.com:

Original story
Search for "PIFTS.exe

UPDATE (13:20 10 March 2009): The story about the Digg cover up of the PIFTS.exe cover up has reached Digg itself: http://digg.com/tech_news/Digg_covers_up_Symantec_s_cover_up

UPDATE (14:55 10 March 2009): If PIFTS.exe is related to the FBI's Magic Lantern software, it would not be surprising if Digg was pressured to squelch this.

UPDATE (03:59 31 March 2009): The story in question was the fifth most popular story on Digg that day.

PIFTS.EXE

There is virtually no information on the internet yet regarding a mysterious program called PIFTS.exe, aside from what's posted on this blog. Symantec, makers of the bloated Norton Anti-Virus software, are deleting any mention of PIFTS.exe from their community forums. The topic is being discussed at forums.zonealarm.org.


UPDATE (02:36 10 March 2009): A google search for PIFTS.exe turns up a link to www.kanzlei.biz/uploads/tf/index.php?family-guy-season-7-episode-8/, a nefarious looking website that I suggest you not go to unless you know what you are doing. The site contains javascript which may be malicious. Here's a screen capture from one of the pages on that site.


UPDATE (03:56 10 March 2009): In our comments, thepipermethod says the kanzlei.biz website is just mirroring key words from google trends, which at this time includes the terms "PIFTS" and "EXE" and that the site has no other relation to PIFTS.exe. At zonealarm.org, one person reports talking with various representatives of Symantec for two hours without receiving any answer as to why inquiries posted on the Symantec forums were being deleted. The caller was told that PIFTS.exe is part of Symantec's update installation process, was denied any further information regarding the purpose of the file and was repeatedly transferred to a new representative when asking why inquiries about PIFTS.exe were being deleted from Symantec's forums.


UPDATE (10:42 10 March 2009): There is speculation that this is part of the FBI's secret Magic Lantern software. From Wikipedia:

Symantec, the makers of Norton AntiVirus and related products, is reportedly working with the FBI on ways to preclude their products from detecting Magic Lantern. Eric Chien, a top researcher at Symantec, emphasized the ability to detect "modified versions."

Some people are reporting that the Norton forums have been taken offline. There is no information posted anywhere yet regarding what this program does.

UPDATE (11:10 10 March 2009): It's being said that PIFTS.exe contacts an IP address in Africa.


UPDATE (11:50 10 March 2009): This site has links to copies of the PIFTS.exe file which you can download. I can not vouch whether the files are authentic or not. There is contradictory information about what actual IP address the program is contacting.

UPDATE (12:02 10 March 2009): Apparently digg.com is also covering this story up. 242 diggs and it's not on the front page. There's a good discussion of this on slashdot.org, a web 2.0 social networking site for techies. The Washington Post and The Register are covering this as well.


UPDATE (14:45 10 March 2009): More details on Digg's cover up of the PIFTS.exe story here. The coordinated opposition to this story tells us that we are on the right track.


UPDATE (16:22 10 March 2009): Symantec has finally issued a statement on PIFTS.exe. Symantec claims that it was just a patch to their software that was accidentally released "unsigned." The company also alleges that inquiries regarding the matter on their forums were deleted because many people made posts about it:

One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec.

It is interesting that there is no accounting for why the first post was deleted along with every single other mention of the issue. It is also worth noting that Symantec refers those customers of theirs who promptly wanted to know what this "unsigned" piece of software was as "spammer(s)" whose intent "remains unclear."