What's all the fuss about PIFTS.exe?
March 9 was an interesting and chaotic day for people using Norton Antivirus, as they started getting alerts that a binary named PIFTS.exe was trying to reach the Internet. When people analyzed it, they found traces of it in Norton Antivirus. This was weird. Why would Norton alert on its own application? It looked suspicious, and people started asking questions on the Norton Support Forum. Interestingly, Norton deleted all the forum posts asking about this incident, which raised suspicion about PIFTS.exe, and the chaos started.

Analysis of the binary produced the following results.
- The binary is not packed or encrypted in any way.
- It is around 100 KB in size.
- It tries to make an outbound connection to http://stats.norton.com using User-Agent: PATCH021809DB
- When allowed to reach the Internet, it tries to reach http://stats.norton.com/n/p?module=2667&product=unknown&version=-1&e=-1&f=-1&g=-1&h=-1&i=0&j=-1 which resolves to 67.134.208.160
- A quick DNS and whois lookup showed that the above IP is registered to Swapdrive in Washington.
- Googling Swapdrive showed that Swapdrive is part of Symantec.
- Both VirusTotal and ThreatExpert gave PIFTS.exe a clean chit.

All this led to a lot of chaos, and people started raising questions such as: Why is it connecting to stats.norton.com? Did Norton get compromised? Some conclusions were also drawn from the results above, for example that Norton is stealing personal information from host machines, or that Norton is trying to cover up some past unknown issue. These discussions became more prominent when the Norton Support Forum started deleting all the queries about the so-called culprit application. Finally, on 10th March, Symantec spoke about the whole fuss. Here's what Symantec commented.
“Symantec released a diagnostic patch “PIFTS.exe” targeting Norton Internet Security and Norton Antivirus 2006 & 2007 users on March 9, 2009.
In a case of human error, the patch was released by Symantec “unsigned”, which caused the firewall user prompt for this file to access the Internet.”
Symantec also explained the reason for deleting all the posts about PIFTS.exe, claiming they received spam from 600+ newly created users. These spam forum posts contained no text in the body of the message, simply a subject:
- O LAWD IM CHOKIN ON PIFTS PLZ HALP
- OH GOD YOU GOT CHOCOLATE IN MY PIFTS
- If you wanna be my NORTON/ you gotta deal with my P ! F T S . E X E
- IF PIFTS.EXE WAS HERE, THEN WHO WAS PHONE?
- PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE
- I LOVE MY PIFTS.EXE
Internet-savvy people, as usual, started googling the incident and trying to dig deeper. Some hackers took advantage of this and planted malware on websites mentioning the incident. Once you visit such a site, malware is automatically downloaded to your system.
I hope Symantec has cleared up the chaos and people are now aware of the root cause. With all that happened, I wonder how Symantec QA could miss this basic test case of checking signatures on all the released patches.
Let's hope Symantec's human error does not miss the test case of validating virus signatures.
References:
- ThreatExpert Automated Analysis
- Virustotal Analysis
- Norton Support Community Response
- Whois Query Result
- Snip from Strings.
d:\perforce\entiredepot\consumer_crt\patchtools\patch021809db\release\PIFTS.pdb
http://stats.norton.com/n/p?module=2667
SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\HbEngine
SOFTWARE\Symantec\PIF\{96E26A03-A25A-400b-B9B4-564C9BD00F46}
The ping url is %s
PATCH021809DB
Norton Internet Security
NCOAlert.dll
NTPAlert.dll
NAV
NavUI.dll
NavProd.dll
Norton SystemWorks
NSWAlert.dll
NSWCfg.dll
PollMgr.dll
PifEng.dll
About this entry
You’re currently reading “Whats all fuss about PIFTS.exe?,” an entry on Bughira’s Weblog
- Published:
- March 12, 2009 / 5:12 PM
- Category:
- General Talks, Information Security, Malware Analysis, Virtualization
- Tags:
- Norton Patch, PATCH021809DB, PIFTS.exe, Symantec