Like cats and mice, security product vendors and cyber-criminals do not care much for each other. Over the past 24 hours, however, cyber-criminals may have just about fallen in love with Symantec, which made a mistake that let crooks launch a flood of malware on the Internet.
It all began when Symantec issued a diagnostic patch, PIFTS.exe, that was not digitally signed. This triggered firewall alerts and queries from puzzled and frightened users to the Symantec forum.
Symantec began deleting posts on the forum, and users began accusing it of censoring free speech and coming up with conspiracy theories.
Censorship? What censorship? asks Mark Parker, senior product manager at antivirus vendor Marshal8e6. “You are told these forums are moderated when you sign up for them,” he told TechNewsWorld.
Spooky – or Not
Was the CIA, the Department of Homeland Security or some other spook organization behind the censorship? Not at all, Randy Abrams, director of technical education at antivirus vendor ESET, told TechNewsWorld. “In the old days when everything was hard copy, you could take 10 or 20 hours to respond to a problem, but today with the Internet, you take one hour and you’re accused of a cover-up.”
Symantec began deleting posts in the Norton Users Forum because the posts were violating the forum’s terms of service, Symantec staff member Dave Cole said. “Within the first hour there were 600 new posts on this subject alone,” he said.
Luckily for Symantec, none of the spam had malicious links. “These were nonsensical spam, and we did not sense any malware in them,” Jeff Kyle, group product manager for consumer products at Symantec, told TechNewsWorld.
Nonetheless, it was a nuisance. “There were 4,500 views of that thread in four hours or so,” Kyle said.
However, malware authors lost little time in jumping on this issue. “We’re seeing evidence that Web sites containing malware are showing up in search engine results when people hunt for more information about PIFTS,” Sophos senior consultant Graham Cluley wrote in his blog.
Such incident-related spam attacks are not a new tactic. After Barack Obama won the presidential election, spammers launched a blitz in English and Spanish, sending out e-mails containing links to a Web site containing malware. Similar attacks were launched during the Beijing Olympics and the battle in Gaza earlier last year.
The frightening thing about the PIFTS.exe attacks was the speed with which they were launched. “The spammers were able to react very quickly, posting messages on how to get rid of PIFTS.exe to forums and getting up to the top of Google pages,” Marshal8e6’s Parker said. Clicking on those messages took visitors to a botnet or a malware site.
Antivirus vendors are battling those spam attacks. “We’re feverishly pushing out our ability to block users from getting onto those sites,” Marshal8e6’s Parker said.
The Root Cause
The real problem Symantec had over the PIFTS.exe issue was one of timing, ESET’s Abrams said. “They could have more quickly explained what’s going on.”
On the other hand, the process of correcting mistakes is slow and tedious. “You have several tech teams working on the problem, you’re a global company and have PR people trying to put things in the proper light across the world, and you have tech people trying to figure out what is the best information to provide people authorized to talk about the issue,” Abrams explained.
“The best you can do is figure out a process that lets you handle the situation as best as you can.”
Oh, and what about PIFTS.exe? Users of some products issued in 2006 and 2007 could not get live updates, and PIFTS.exe was pushed out to resolve that problem.