Symantec Patch Alarms Users, Attracts Malware Spreaders

Article by George Norman (Cybersecurity Editor)

on 11 Mar 2009

Earlier this week, security software developer Symantec issued a diagnostic patch for the 2006 and 2007 versions of Norton Internet Security and Norton Antivirus. The patch, named “PIFTS.exe” (short for Product Information Framework Trouble Shooter), was meant to collect information such as which operating system Norton Antivirus and Norton Internet Security users run on their machines, but because it was not signed, it was blocked by the users’ firewalls.

This would not have been a problem if the patch had been able to properly identify itself as originating from Symantec. Instead, the user got a firewall notification asking whether he trusts PIFTS.exe; what else was he to do but deny it access, since there was no means of telling whether it genuinely originated from Symantec? Looking for answers, a large number of users then turned to the Norton forums.

And things only got worse from there; as people were posting all sorts of speculation about PIFTS.exe, Symantec pulled the patch. This led to further speculation, especially since Symantec deleted some of the posts. Think of it as a snowball effect that only got bigger and bigger as time went by.

Symantec came out to announce that the unsigned patch was indeed released by them, and that it was not signed because of human error. Regarding the deleted posts, these were apparently the result of a spam attack; the messages were posted by a bot, not a user. Jeff Kyle, group product manager for Symantec consumer products, commented:

“One individual created a new user account and posted about the name of the patch executable, PIFTS.exe. Within minutes, several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone. While the intent of the spammer(s) remains unclear, there were no malicious links and it simply resulted in a widespread communications challenge for Symantec. There is no conspiracy theory. There's nothing we are hiding at all.”

It has also come to light that malware spreaders are taking advantage of this situation by poisoning search engines: if you search for PIFTS.exe on Google, for example, in an attempt to find more info on the matter, some of the search results will lead you to malware-spreading sites.

