Tuesday, March 10, 2009

PIFTS


Something is rotten in the state of security.

Users of Symantec's Norton AV have been reporting instances of a file named PIFTS.exe trying to connect out to the Norton updates.

This wouldn't be news in and of itself, but it seems that Symantec doesn't want to discuss the issue. All questions regarding PIFTS are removed from the message board within minutes of being posted. Some users have been banned after attempting to repost.

Since they can't turn to Symantec for answers, many users have turned to the communal knowledge of the web. Unfortunately, the bad guys have also noticed the influx of searches for PIFTS.exe and some of the top results in Google are actually malicious, attempting to infect any visitors with rogue anti-virus Malware. DO NOT DOWNLOAD ANYTHING from those sites.

ThreatExpert has a breakdown of PIFTS and its attempt to phone home.

VirusTotal shows no hits.

Brian Krebs @ The Washington Post is trying to get some answers.

SANS Internet Storm Center writes that they've been contacted by a Symantec employee who claimed ownership of the file and tried to make clear that it isn't intended to do any harm.

Nice of them to respond...

But why won't they let people talk about it on the message boards?

Why the secrecy, Symantec?

**Update** (courtesy of Brian Krebs @ The Washington Post)

"David Cole, senior director of product management at Symantec, said the PIFTS file was part of a 'diagnostics patch' shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7."

As to why Symantec was deleting forum posts and banning users for mentioning PIFTS, Cole says, "hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments."

This is a lame excuse. Though the forums do seem to have been hit by the 4chan crowd, the first people to ask questions were very polite and straightforward. They asked simple questions, like 'hey, how come part of your software wants to access the Internet?'

Not exactly ban-worthy behaviour.

A forum moderator could have simply (easily!) answered the question and closed the thread. Wouldn't that have saved everyone a lot of trouble?


Tuesday, March 3, 2009

Coin Toss



http://tinyurl.com/akvagb

Go. Read the article.

Anti-virus software vendors like to proclaim that their products achieve success rates in the 90%+ range. This is false and misleading.

It is inconceivable that end users (and many corporate entities) still believe that AV software is the catch-all for security.

A 50% success rate is unacceptable. It is a coin toss - 50/50 chance - that your network is secure.

"The average delay in detection and remediation was 54 days."

54 days?! Two months?!

The bottom line here is that Malware created for non-commercial purposes simply does not exist anymore. It hasn't in over two years.

Modern Malware is specifically designed to operate quietly and unobtrusively for as long as possible. The bad guys are after our social insurance numbers, credit card numbers, bank account details, credit equity, customer lists, a jump on the quarterly earnings, our emails, online payment accounts, access to our social network of friends, ANYTHING they can get their hands on.

Think about it: the average delay in detection is 54 days. For almost two months the bad guys have access to your system.

This isn't like having your house robbed.

It's like having your house broken into and the robbers moving in and hiding in your closet for two months.

From home users to large corporate networks, we must - MUST - move beyond our tired notions of network security. The bad guys are always evolving, adapting their Malware to evade detection and improve levels of compromise. Why haven't the good guys evolved?

The numbers speak for themselves:

"About 3 to 5 percent of all systems in an enterprise are infected with bot-related malware -- even within organizations running up-to-date antimalware tools."

"Antivirus software immediately discovered only 53 percent of malware samples."

"Another 32 percent were found later on, and 15 percent were not detected at all."

Now you may be thinking that 15% doesn't sound like a lot, that maybe that's an acceptable level of risk. Consider this:

Security researchers around the world analyze anywhere from 20,000 to 30,000 pieces of Malware every day. Every day!

The Shadowserver Foundation has analyzed over 19 million Malware samples in the past 12 months alone.

15% of 19 million is a big number.

You really want to take that chance?