back to article Online attackers feed off Norton forum purge

Quick-moving attackers took advantage of a glitch in an update for Symantec anti-virus software, using an information vacuum that followed as an opportunity to lure panic-stricken users to websites that tried to install malware on their computers. The glitch began around 4:30 pm California time on Monday, when Symantec …


This topic is closed for new posts.
  1. Paul


    "A single well-placed post from a Symantec official would likely have nipped most of it in the bud"

    Just what I was thinking. All the had to do (assuming they really are on the level) is put a pinned thread at the top of the forum. Something like "We are aware of pifts.exe error, and are working to correct the problem. In the mean time, rest assured that It does not pose a security risk."

    Would that be so hard?

  2. This post has been deleted by its author

  3. Ron Haworth

    Norton fails again

    This is why I hate Norton products. The malware miscreats obviously had that version installed on a machine as they probably have machines running every other known anti-virus product out there. Again Norton fails to stop the rigged web pages from infecting the hapless visitors to their site. I have seen and worked on more PC's running Norton products that were infected with garbage than I can count. Aaarrgh.

  4. Anonymous Coward

    Symantec do something logical?

    You have got to be kidding!? To be serious for just a moment, Symantec hasn't been world renowned for exceptional (or even acceptable) communications or support in situations like this. And as long as they’ve been pushing out digitally signed signatures, they “simply forget”? Yeah, something doesn’t pass the smell test…

    Once again I assert that they have become the “Microsoft” of the AV industry, as they’ve gotten to big to really give a crap about quality products.

  5. kevin biswas

    Norton IS a virus !

    Well done Norton, another coup from the worlds most irritating antivirus provider. By some definitions Norton 'Antivirus' IS a virus. Why ? I hear you ask............

    1)It is often installed WITHOUT explicit permission from users (pre-installed bloatware) and will then try to trick users into handing over credit card details when the trial has expired.

    2)It SERIOUSLY degrades system performance (As an aside, I once found a machine with a 30gb norton quarantine folder...some malware unpacker thing which norton couldn't detect was dutifully unpacking malware for months which norton continuously detected and quarantined)

    3)It tries to prevent itself from being legitimately uninstalled

    4)It deletes valuable files without asking first (many hack / repair tools give false positives which norton may delete without asking)

    And why do many lusers still think norton is a Good Thing ? seems they had one decent product from back in 1994 or somesuch which made them a good name which still endures. Norton are clearly the AOL of antivirus solutions.


  6. Angus
    Thumb Down

    Surely this can't be right..

    "Kyle said that the forum is run by Symantec employees in what amounts to their spare time"

    A support forum run by Symantec employees in their spare time.. WTF???

  7. Anonymous Coward
    Thumb Down

    No surprise

    This is why I stopped using them years ago, they're not very good are they? Using a three leaf clover probably does a better job!

  8. Hrishikesh

    @Norton IS a virus

    There is one thing that distinguishes Norton AV from viruses -- viruses are small, fast, efficient, they don't get in your way (for the most part), and their code is a work of art.

  9. Mike

    Norton really is a virus

    Typical Norton bullcrap. I agree, Norton is a virus. It often does irreparable damage to your system when you uninstall it, too. I've had it permanently damage some Windows features.

  10. Trygve Henriksen

    The first time I heard about Norton AV...

    Was when an English PC rag sent a reporter to an expo where they were demonstrating the first version.

    Symantec had announced in newspapers that concerned citizens could stop by their booth with diskettes and have them checked...

    So the reporter went there with a couple of diskettes completely loaded with all kinds of crap, to test the product properly.

    Norton AV didn't find a single virus!

    And when pressed, one of the guys manning the booth admitted that they were using an unfinished version which couldn't find anything at all. It just looked nice.

    They had then stood there the whole day, testing diskettes and sending people home in the belief that their diskettes were OK...

    I've long since lost the magazine, so I can't quote accurately.

  11. Anonymous Coward
    Anonymous Coward

    Those "nonsensical messages" were nothing to do with malware

    just the usual suspects performing a forum raid for their own entertainment. Yes, pifts.exe is already a 4chan meme

  12. Sceptical Bastard

    The best advice...

    ... is to treat Norton as the pariah of the AV world. Mind you, IMO, most AV software is unnecessary and - often - counter-productive.

  13. Wayland Sothcott Bronze badge

    Installing Norton is like a target on your back.

    It's like giving the Israeli army the coordinates of your schools and hospitals.

    The less well known your anti-virus the less likely the virus writers have tested the virius on it.

    Think of this, if you develop your virus on a virus protected computer then as soon as you've got a live one it will escape into the world. Darwin's survival of the fittest.

  14. Anonymous Coward
    Anonymous Coward

    rewriting history

    "Jeff Kyle, group manager for consumer products at Symantec, said posts were only deleted after the forum was flooded with more than 600 nonsensical messages"

    Tosh. The deletion of the posts (reasonable, genuine queries, from customers) preceeded the 4chan attack by about 12 hours. Kyle is talking out of his arse.

  15. phil mcracken
    Paris Hilton

    put the AV down....

    I bought systemworks a few years ago on discount just for a deaks. I used to have utilities 3.0 and it was pretty good.

    The AV was utter gash - I went and replaced it with AVG straight away.

    Only thing worth buying from them is Utilities and possibly GoBack for the kiddies PC. Cleansweep is horrific and bloated for what it does, their AV is even worse.

    Paris, because she likes malicious packages.

  16. Scott Evil
    Paris Hilton


    I used Symantec years ago, it was crap then and it is most certainly crap now. I imagine 90% of thier users started out with a trial pre installed on their OEM Pc and they dont know any better and re subscribe eac h year.

    Years ago i used to work for the DSGI group, we were at a software conference at the London Hilton and one of the last(thankfully) presentations we had was hosted by Symantec. They talked about the usual boring presentation nonsense,and how we must all choose Symantec. They showed us the famous Super7 application and what it could read and scan and pilfer from peoples computers and other dazzling powerpoint slides. At the end we were asked of we had any questions.

    I raised my hand and asked "What came first,the anti virus or the virus?"

    They had no comment.

    I use Kaspersky these days,seems good and keeping my pc free from harm(i hope) but since the 2009 edition my pc is unsuable when it does a system scan :(

    Whats the best AV for performance through and through?

    it seems like as soon as they become popular they get worse in performance.

    Damn it!

    Paris coz id simply love to smash the grannies outta that!

  17. John

    Symantec excuse isn't really accurate...

    Someone posted asking about pifts.exe, the thread then grew to a couple pages of other people basically saying they had recieved the warning message and asking what it was, all fairly normal and typical..

    Symantec then deleted the thread.....

    Then people who had posted orginally started making new threads, asking about pifts.exe and why had Symantec deleted a thread asking about, things got worse... /B/chan or whatever they are called then got wind of it and started 'raiding' the forum..

    The question though is why did Symantec delete the original question asking what pifts.exe was that had caused the alert message... Once they did that of course everyone grew suspicious. Lots and lots of people have sworn off Norton over this, which isn't a bad thing in itself.. Its a hell of an own goal for Symantec, talk about shooting yourself in the foot.

  18. The BigYin

    Hmmm.....I have Norton

    Came with the PC, 3 year license as part of the bundle. Not caused me too much grief I mjust say, but then I have a beefy system that can probably handle the load (running MCE, VirtualBox and a Norton AV scan is possible). The only thing that winds me up is the "fluff" in the UI. Takes far too many clicks to get at a panel that allows proper control.

    Anyhoo, I will be looking for pifts when I get home. And Norton's days are numbered. Once the agreement runs out it will get replaced with Comodo and AVG (or something similar). Or I'll just flatten the PC, go Linux and simply ignore the viruses.

  19. yossarianuk

    Whats norton again ? Isn't it something from the past ?

    I remember Norton - its that old program that I used to run in the olden days, when I used a really stupid OS that could easily get virus's .

    Thank god things have moved on.

  20. Anonymous Coward

    Still waiting...

    for the explanation about why the file was in a hidden folder, ala rootkitware.

    Something's not quite right here. Symantec installs a hidden, silent app that collects data about what's installed on your machine and then sends it back to Symantec for "diagnostic" purposes. And the only reason we know about it is because they screwed up. Explanations are due.

  21. Kai Lockwood
    Thumb Down

    Free advertising...


    Jeez, you can make this any easier.

  22. Colin Millar

    A leading web security firm?

    thinks that 600 nonsensical messages equals a bot attack?

    and doesn't know how to use a sticky on a forum.

    Symantec does have a way of forcing people who don't use its products to be overcome with smugness.

  23. Anonymous Coward
    Anonymous Coward

    and The Register accepts no responsibility..

    for laughably suggesting pifts.exe might be part of some rootkit shenanigans thus fanning the hysteria.

    Pat on the back chaps for your Stalinesque new view of the affair.

  24. Anonymous Coward

    All Lies

    The 4chan raid started as a result of the symantic forum mods deleting perfectly valid questions many hours before. This has already been mentioned.

    What is more important is what pifts.exe actually is. It hides itself in a folder not viewable by normal users or administrators. The only way to get to the folder is to start explorer as SYSTEM by whatever tricks you wish...sounds pretty rootkitish to me.

    Also it goes through all your web browsing history, interfaces with google desktop, modifies non-tempory files and then sends it to an IP address located in washington that resolves to a service called "Washington Swap Drive".

    Symantic are lying out of their backsides, and the official response about an unsigned update was only issued after a long time of politician like evading of the question.

    It has been speculated that it is part of the "Magic Lantern" software that symantic are known to agree with the FBI to not detect (See wikipedia, it's all there). I wouldn't want to comment on that. I do know that after the binary was deconstructed it contained a lot of "PADDINGX PADDINGX" etc...that sounds like a familiar technique eh?

    But don't believe me, Anubis decompiled it here;

    Symantic are lying. The way they handled this was incredibly Orwellian. Something is not right. Don't forget this.

  25. Leo Davidson

    @All lies: PADDINGX is not suspicious

    "I do know that after the binary was deconstructed it contained a lot of "PADDINGX PADDINGX" etc...that sounds like a familiar technique eh?"

    Yes, familiar in that it's something that Visual Studio seems to add to exes it produces as padding after the manifest resource (in case the XML grows in size, I guess).

    Familiar in that it's a string I can find in 641 executables on my computer, including ones I've built myself.

    I don't know about your other claims but that one sounds like FUD to me, whether intentional or not.

    Symantec addressed the "Swap Drive" IP by saying it was a company they bought a few years ago, FWIW. They could be lying but I imagine it's fairly easy to find out who the company is if you are suspicious of that.

  26. Anonymous Coward
    Thumb Up


    Ok, I could maybe excuse the padding thing, but the rest is still unexplainable.

    Oh it's been sent to a company they own, all that info taken without your knowlede or consent?

    That's fine then!

  27. b166er

    This sounds far too convenient

    an explanation to me. Blame the problem on the very people they proclaim to protect us from.

    Did they even get round to explaining what 'pifts' does?

  28. LouisARE

    If You're Looking For Information

    Hello everyone -- I work for Symantec's public relations firm, Edelman. Just wanted to quickly point out that if you want more information on the PIFTS issue, you can go to Symantec's user forum at

    Louis Cheng

    Edelman Public Relations

  29. Anonymous Coward
    Anonymous Coward

    I have become Norton, the Destroyer of posts!

    I hate Norton, I find it an invasive bloatware product that slow down your pc and gets in the way.

    I personally use Avira, its free and is constantly updated, uses up hardly any system resources and only shows it self when something bad is attacking my pc.

  30. EJ
    Thumb Down

    "nonsensical messages"

    Hey lemmings, keep pouring your hard-earned cash into Symantec's product line. They respect you... really.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020