Malware

Experienced computer users know that any time your firewall software decides to flag a program, it’s worth double-checking before you let it go ahead. Indeed that’s arguably the key function of a firewall. But what if the program being named as suspect purports to be part of your security software?

Users of Symantec’s Norton Internet Security and Norton Antivirus found themselves in that position in early March this year when an update patch called PIFTS.exe was sent out as part of its regular stream of updates. Unfortunately, owing to human error, the patch was sent out without being ‘signed’ – the process that confirms the software really was developed by Symantec and can be trusted. Unsurprisingly, that led to widespread user confusion.

Symantec withdrew the patch after three hours, and issued an apology on its blog. “Releasing a patch unsigned is an extremely rare occurrence that does not pose any security issues to our users,” the company said. However, that didn’t prove to be the end of the story. As is often the case with security issues, one single problem (accidentally sending out an incorrectly configured file in this instance) mushroomed in several unexpected directions.

Symantec’s user forums, which had been one of the first areas where the PIFTS.exe problem was widely reported, were attacked by an unidentified individual. “One individual created a new user account and posted about the names of the patch executable, PIFTS.exe,” Symantec explained. “Within minutes several dozen user accounts were created commenting on the initial thread, and/or creating new threads on the topic. Over the next few hours, over 200 user accounts were created. Within the first hour there were 600 new posts on this subject alone.”

As a result, Symantec deleted the relevant posts, claiming they violated its terms of service. While that might seem like a reasonable response, it led to widespread speculation online that the company had something to hide and that it might have been deliberately distributing the PIFTS.exe file for unspecified nefarious purposes.

One possible reason for the attack might have been to increase the visibility of the reporting about the attack. Several sites purporting to contain information about PIFTS.exe  – and ranking highly on Google searches for that term – actually were set up purely in an attempt to distribute other malicious code. As I often see, ‘drive-by’ distribution via sites is now a major source of concern, and it seems developers of such malware are happy to use any means to attract traffic.

What lessons can be learned? Firstly, that you should always take firewall warnings seriously, because even virus companies aren’t perfect. Secondly, if you encounter reports of a security problem, don’t rely on a simple Google search to try and find information without a solid sense of caution.

(more…)