Unsigned Update from Symantec Leads to Spam

Symantec said on March 10, 2009 that a security patch the company released without signing had been exploited to unleash a spam campaign that provided wrong information about the security firm.

The problem started on March 9, 2009 when engineers at Symantec inadvertently distributed an update for earlier versions of the Norton anti-virus software that lacked a digital signature. Soon Symantec customers started getting threatening pop-ups on their PCs showing error messages. This prompted the anxious consumers to contact the firm's support forum in the hope of receiving the official authorization about a file named pifts.exe (PIFTS standing for Product Information Framework Troubleshooter), which was discussed in the warnings.

Surprisingly, the company's website showed no message regarding the problem. Even worse was that whenever a consumer inquired about the warnings through a post, it was promptly removed.

According to Graham Cluley, Senior Technology Consultant, Sophos, he found that websites infused with malicious software appeared among the search engine hits when surfers looked for additional details about PIFTS, as reported by SCMAGAZINE on March 10, 2009. Evidently, this happened only because the published update was not signed.

Moreover, Sophos was already identifying a few of these website such as Mal/BadRef-A that diverts users toward another malicious code that in turn diverts them to another web page named Mal/FakeAvJs-A, as per the reports. This second page results in a bogus antivirus scan scaring computer users into paying for the bogus antivirus (forcing them to purchase the AV).

Commenting on the series of diversions occurring, Cluley said that the bogus antivirus scan is related neither to the PIFTS.exe file nor to Symantec. He said that hackers were simply taking advantage of people's interest in the file to generate more visitors for their malicious websites.

In fact, security specialists from various security vendors said that the happening of the incident was unfortunate at the very outset. According to them, had Symantec posted a well-placed statement regarding the unsigned update, the general confusion leading to the social engineering attack purportedly from Symantec would have been largely averted.

» SPAMfighter News - 3/18/2009