Users Complain of Mysterious 'PIFTS' Warning

Computer support forums are lighting up with queries from users wondering what to do about an alert on whether to trust a file called "PIFTS.exe". Meanwhile, someone at Symantec's support forum seems to be deleting posts from users inquiring about this alert almost as soon as they go up on the forum.

Swa Frantzen, an incident handler with the SANS Internet Storm Center, writes today that PIFTS.exe appears to be related to a Norton update, since it has a component that uses the user's Internet connection to contact a Web page at norton.com, which is owned and operated by Symantec.

A Security Fix reader sent this e-mail today about his experience with this alert: "Symantec's response has been odd. It has removed all chat threads on the subject, and seems to be deleting questions about PIFTS.exe wherever they may be posted. In short, it is Symantec's response which has caused greater questions than the problem that it seems to be trying to cover up. I am no expert, and I simply went online to get an explanation. However, it now looks as though thousands of queries at the Norton chat forum were posted today and all have been deleted without comment."

Also, it appears that PIFTS.exe is being submitted quite a bit to VirusTotal.com, a free service that people can use to scan suspicious files against more than three dozen different anti-virus products. ThreatExpert also has a writeup that confirms that this file phones home to Symantec.

I've put in queries to Symantec, and will update this post when I hear back. In the meantime, it's probably safest just to deny this program access to the Internet if prompted by Norton or any other firewall product you use.

Update, 12:46 p.m. ET: The bad guys know that people are interested in this search term, and appear to have latched on to it already. I'd advise readers to be extremely careful about randomly clicking on every link returned in a Web search for "pifts.exe": Some of the top searches (currently the 3rd and 4th result in a Google search) are Web sites that try to install malicious software when you visit them. Both results take you to sites that use JavaScript attacks to try and foist rogue antivirus products (ah, the irony).

Update, 2:23 p.m. ET: Dave Cole, senior director of product management at Symantec, said the PIFTS file was part of a "diagnostics patch" shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.

"We have to make sure before we migrate users to a new product that we can see what kind of load we can expect on our servers, and which customers are going to have to be moved up to the latest version of our product," Cole said.

As to why Symantec has been deleting posts about this from their user forum, Cole said the company noticed that minutes after the update went out hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments.

"We want to be out there in the community, but by the same token, if we see abuse we will shut it down pretty quickly," Cole said. "There was no attempt at secrecy here, but people were spamming the forum and making it unusable to everyone."

In Symantec's defense, when I first heard about this earlier this morning, I noted privately to a couple of folks that some of the comments being left on the Symantec forum bore many of the hallmarks of "4Chan" (a.k.a. "anonymous"), a virtual community that thrives on playing practical jokes and causing trouble online. The summary about this incident posted to news-for-nerds site Slashdot this morning links to a key 4Chan forum.

Update, 5:24 p.m. ET: Symantec's official statement on this is here.