Mystery Symantec PIFTS.exe message exploited

Cybercriminals now are capitalizing on a benign warning message that appeared after an "unsigned" update was sent to some users of Symantec's Norton anti-virus products.

The message -- asking users whether they trusted a file download -- popped up in Norton firewalls when machines received a diagnostic patch called PIFTS.exe from Symantec. The file was distributed for three hours on Monday evening EST to an unknown number of users running Norton's 2006 and 2007 versions, Jeff Kyle, group product manager for Symantec's consumer products, said. But many users, sounding off on blogs and message boards, feared they were being asked to install a malicious file.

It was not, but the incident caused many users to turn to the web for information. Criminals caught on and began poisoning results so that their malicious sites would turn up higher when users searched for PIFTS.exe.

"We're seeing evidence that websites containing malware are showing up in search engine results when people hunt for more information about PIFTS," Graham Cluley, Sophos' senior technolgy consultant, wrote Tuesday on his blog.

The pushed out to Norton subscribers is used to collect information for Symantec, Kyle said. It determines whether a user's subscription is up-to-date and what version of the product he or she is using.

"Normally patches such as this would be signed by Symantec," Kyle told "It was human error where this patch got released and was not signed. It raised a firewall alert because that patch was not signed. When the patch asked to be installed, the firewall said there's something trying to gain access to the system. It wasn't signed by Symantec, so it raised the alert."

Users were not harmed, he said.

"If they installed [the executable], they'd be just fine," Kyle said. "If they chose to ignore it and not install it, they'd be just fine."

But, at first, users weren't so sure. The official Norton forum received hundreds of posts on the topic. Again, cybercriminals also joined in -- and many of the posts, sometimes containing vulgar language, contained links to spammer sites, Kyle said. As a result, the company removed many of the posts.

Some users complained on blogs that their legitimate posts also were pulled. Kyle said he regrets this if it happened.

"Our policy is not to remove valid consumer comments and questions," he said. "We don't edit the forum in that manner."

Norton has some 56 million active users, which includes small businesses.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.