1 by 1 we're getting stripped of freedom!
Thread Starter
Registered User
iTrader: (5)
Joined: Apr 2003
Posts: 6,826
From: No Way
Car Info: Nadda
Imagine once they are allowed to crack and remote access all computers on the net... And then of course Rockefeller said "Internet is the Number One National Hazard". Nothing is private anymore.
anybody ever hear about the Magic Lantern?
http://en.wikipedia.org/wiki/Magic_Lantern_(software)
Magic Lantern is keystroke logging software developed by the United States' Federal Bureau of Investigation. Magic Lantern was first reported in a column by Bob Sullivan of MSNBC on 20 November 2001[1] and by Ted Bridis of the Associated Press.[2]
How it works
Magic Lantern can reportedly be installed remotely, via an e-mail attachment or by exploiting common operating system vulnerabilities, unlike previous keystroke logger programs used by the FBI.[3][4] It has been variously described as a virus and a Trojan horse. It is not known how the program might store or communicate the recorded keystrokes.
Antivirus Vendor Cooperation
The public disclosure of the existence of Magic Lantern sparked a debate as to whether anti-virus companies could or should detect the FBI's keystroke logger.
Network Associates, McAfee products
Bridis reported that at least some anti-virus companies, including Network Associates (maker of McAfee anti-virus products), had contacted the FBI following the press reports about Magic Lantern to ensure their anti-virus software would not detect the program.[6]
Network Associates issued a statement denying cooperation with U.S. legal authorities within a week, fueling speculation as to which anti-virus products might or might not detect government trojans.[7] CNET News has surveyed 13 security companies about their contacts with and level of cooperation with law enforcement authorities.[8]
Symantec
The FBI confirmed the active development of Magic Lantern, a keylogger intended to obtain passwords to encrypted e-mail as part of a criminal investigation. Magic Lantern was first reported in the media by Bob Sullivan of MSNBC on 20 November 2001 and by Ted Bridis of the Associated Press.[9][10] The FBI intends to deploy Magic Lantern in the form of an e-mail attachment. When the attachment is opened, it installs a trojan horse on the suspect's computer. The trojan horse is activated when the suspect uses PGP encryption, often used to increase the security of sent e-mail messages. When activated, the trojan horse will log the PGP password, which allows the FBI to decrypt user communications.[11][12] Symantec and other major antivirus vendors have whitelisted Magic Lantern, rendering their antivirus products, including Norton Internet Security, incapable of detecting Magic Lantern. Concerns include uncertainties about Magic Lantern's full potential and whether hackers could subvert it for purposes outside the jurisdiction of the law.[13][14]
Graham Cluley, a technology consultant from Sophos, said "We have no way of knowing if it was written by the FBI, and even if we did, we wouldn’t know whether it was being used by the FBI or if it had been commandeered by a third party".[15] Another reaction from this came from Marc Maiffret, chief technology officer and cofounder of eEye Digital Security who states: "Our customers are paying us for a service, to protect them from all forms of malicious code. It is not up to us to do law enforcement's job for them so we do not, and will not, make any exceptions for law enforcement malware or other tools."[16]
FBI spokesman Paul Bresson, in response to whether Magic Lantern needed a court order to deploy, said, "Like all technology projects or tools deployed by the FBI it would be used pursuant to the appropriate legal process."[17][18] Proponents of Magic Lantern argue the technology would allow law enforcement to efficiently and quickly decrypt messages protected by encryption schemes. Implementing Magic Lantern does not require physical access to a suspect's computer, unlike Carnivore, a predecessor to Magic Lantern, since physical access to a computer would require a court order.[19]
anybody use norton? did you get a popup a couple weeks ago asking to grant internet access for PIFTS.exe ? I did, and quickly googled it. It took about 15 minutes before it finally appeared on google, and I was one of the first people in the original thread before norton started deleting all threads about it, then 4chan took over their forums with a vengeance.
The mysterious Norton cover-up and pifts.exe
Apparently something big is happening. A mysterious program known as pifts.exe is attempting to contact a server in Africa and seems to be associated with Symantec's anti-virus system, Norton. There is virtually no information on the internet regarding pifts.exe, aside from this blog [9] and threads such as these [10]. Symantec are supposedly deleting any mention of pifts.exe from their community forums and so users have moved to ZoneAlarm's Forums [11].

On ZoneAlarm's forums, one person reports [12] talking with various representatives of Symantec for two hours without receiving any answer as to why inquiries posted on the Symantec forums were being deleted. The caller was told that pifts.exe is part of Symantec's update installation process, was denied any further information regarding the purpose of the file and was repeatedly transferred to a new representative when asking why inquiries about pifts.exe were being deleted from Symantec's forums.
March 10, 2009 (16:15): SANS Internet Storm Center [1] says they had a phone conversation with a Symantec employee confirming that the program is theirs; they said it is part of the update process which is not intended to do harm. However, Norton still hasn't explained why they are seemingly covering their tracks.
March 10, 2009 (15:41): According to Encyclopaedia Dramatica [2], this could be part of the so-called "Magic Lantern" [3] software by the FBI - though this is a little far-fetched as the executable was not directed at the States, but Norton users in general. However, Wikipedia does supply evidence to this theory.
March 10, 2009 (19:55): Finally Symantec have released a statement as to what this whole thing is about; apparently it was a "diagnostic patch" and was released unsigned, which meant that firewalls would pick up on it attempting to access the internet. They say that they were forced to delete the threads on their forum due to the sheer number of them. However, this still doesn't make a great deal of sense; the first post that was created was legitimate and sensibly questioned the executable file. This thread was removed. More were created and they too met the same fate. That is where 4chan stepped in and - being their usual, helpful self - spammed the forums asking for answers. The point still stands: it took Symantec a whole day and an article on the front page of Reddit to answer the ultimate question: "what is pifts.exe". This post reached number 1 on Reddit, has scored some 10,000 views and has sky-rocketed the number of visitors to this site.
March 10, 2009 (17:26): The Register now has an article on this. Law enforcement backdoors and hoaxes gone wrong are amongst the main conspiracy theories. All we really want is an official report from Symantec to clear up the issue; it doesn't seem so strange anymore, just a little bewildering.
March 10, 2009 (15:22): Norton forums are now officially in maintenance mode. There is still no word from Norton as to what pifts.exe is.
March 10, 2009 (15:04): It's now hit the press (oh and the fan too). The Washington Post [4] and The Inquirer [5] both report it.
March 10, 2009 (14:35): Norton's community forums [6] kept going down and were at one point taken offline for maintenance. They seem to be back now though.
March 10, 2009 (13:59): I'm getting a lot of traffic directly from the Norton forums; apparently 4chan is raiding them, linking to this post! The moderators don't seem to be able to keep on top of the deleting anymore. I've got 174 active visitors just staring at this post as we speak.
March 10, 2009 (11:40): Digg is now available without proxies. This article [7] has been submitted. Digg it, we need something on the front page!
March 10, 2009 (10:42): There were a load of articles about this on Digg [8] and the whole site (yes, Digg) seems to have gone down. It's disappeared. Even 4chan is getting a little worked up. However, using a proxy server to access Digg works fine; are we being blocked from accessing it? This is getting weird.
Source: http://blog.bull3t.me.uk/archives/internet/the-mysterious-norton-cover-up-and-piftsexe/
URLs in this post:
[1] SANS Internet Storm Center: http://isc.sans.org/diary.html?storyid=5992
[2] Encyclopaedia Dramatica: http://encyclopediadramatica.com/Use...nrog/Pifts.exe
[3] "Magic Lantern": http://en.wikipedia.org/wiki/Magic_L...%28software%29
[4] The Washington Post: http://voices.washingtonpost.com/sec...in_of_mys.html
[5] The Inquirer: http://www.theinquirer.net/inquirer/...mantec-hackles
[6] Norton's community forums: http://community.norton.com/
[7] This article: http://digg.com/security/The_mysteri..._and_pifts_exe
[8] Digg: http://www.digg.com/
[9] this blog: http://www.tech-linkblog.com/2009/03...piftsexe.html/
[10] such as these: http://www.abovetopsecret.com/forum/thread444230/pg1
[11] ZoneAlarm's Forums: http://forums.zonealarm.org/zonelabs...443981#U443981
[12] one person reports: http://forums.zonealarm.org/zonelabs...ssage.id=19905
Cliffs:
- Symantec is including a file called PIFTS.exe with some of their Norton products.
- The file phones home (has been confirmed by sans.org).
- Symantec has been deleting mentions of it on their Norton Community Forums with no explanation as to why.
- Rumors are floating around that it might be related to "Magic Lantern."
- Current status: waiting for an explanation from Symantec.
Norton didn't finally speak up about it until the next day with their official statement.
check this out
http://community.norton.com/norton/b...9119&jump=true
after their statement, they made 1 forum thread to allow discussion about it
http://community.norton.com/norton/b...hread.id=39123
USA-Immigrant
Newbie
Posts: 1
Registered: 03-10-2009
Unknown exception
e+000
GAIsProcessorFeaturePresent
KERNEL32
InitializeCriticalSectionAndSpinCount
kernel32.dllGetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
GetVersionExA
KERNEL32.dll
UnregisterClassA
USER32.dll
RegOpenKeyExW
RegCloseKey
d:\perforce\entiredepot\consumer_crt\patchtools\patch021809db\release\PIFTS.pdb
So why are my things being accessed? Would you only need to access the NORTON folder to find out the running stuff?
Someone disabled my forum access for asking several times about
PIFTS.EXE. This is troubling. For the record, I'm not associated with
4chan. Please re-enable my access.
I have to say, though, that if Symantec ever wants my business back,
you're going to have to do a whole lot better than that statement up
on the forum now.
You can't justify banning users for asking about PIFTS by citing the
4chan trolls, when the whole reason you were being trolled is because
legitimate questions were being removed from the forum. Your
justification doesn't jibe with reality; the timeline is all off.
Furthermore, the issue isn't that the executable file wasn't signed--
indeed, the actions of your company would have been more deplorable if
the PIFTS file hadn't tripped off everyone's firewalls. You simply have
no business releasing an autoupdate that "phones home" without
securing the permission of the owner of the computer first. It's an
invasion of privacy.
You have yet to explain what action this file takes, what information
it's transmitting, and why it accesses the IE browsing history and
Google Desktop Search. You need to do so if you intend to reestablish
the trust this reprehensible action on the part of your company
breached.
Please respond.
Last edited by Rescuer; Mar 28, 2009 at 09:33 AM.
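The blog quoted above reports Symantec's explanation that the patch was released unsigned, and the quoted Norton forum post shows a PDB path recovered from the file. As an added example (not from this thread, the blog or Symantec), the Python below checks whether a PE file carries an embedded Authenticode blob and recovers its PDB path; the sample image, its path and the function names are constructed for the demonstration.

```python
import re
import struct

SECURITY_DIR = 4           # data-directory index of the Certificate Table
PKCS_SIGNED_DATA = 0x0002  # WIN_CERT_TYPE_PKCS_SIGNED_DATA (Authenticode)

def data_directories(data):
    """Return the (address, size) pairs from a PE32 or PE32+ optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20                       # skip signature and COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    (count,) = struct.unpack_from("<I", data, dirs - 4)
    return [struct.unpack_from("<II", data, dirs + 8 * i)
            for i in range(min(count, 16))]

def has_embedded_signature(data):
    """True if a well-formed Authenticode blob is attached. Presence only:
    the signature and certificate chain are NOT validated here."""
    dirs = data_directories(data)
    if len(dirs) <= SECURITY_DIR:
        return False
    offset, size = dirs[SECURITY_DIR]           # a file offset, not an RVA
    if offset == 0 or size < 8 or offset + size > len(data):
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return cert_type == PKCS_SIGNED_DATA and 8 <= length <= size

def pdb_path(data):
    """Heuristic scan for a CodeView 'RSDS' record (GUID + age + path)."""
    m = re.search(rb"RSDS.{20}([\x20-\x7e]+?\.pdb)\x00", data, re.DOTALL)
    return m.group(1).decode("ascii") if m else None

def build_sample(signed):
    """Constructed minimal PE32 header for the demo; not a real program."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    debug = (b"RSDS" + bytes(16) + struct.pack("<I", 1)
             + rb"d:\build\release\SAMPLE.pdb" + b"\0")
    image = bytearray(dos + b"PE\0\0" + coff + opt + debug)
    if signed:
        image += bytes(-len(image) % 8)         # certificates are 8-byte aligned
        payload = b"constructed placeholder, not real PKCS#7"
        blob = struct.pack("<IHH", 8 + len(payload), 0x0200,
                           PKCS_SIGNED_DATA) + payload
        struct.pack_into("<II", image, 64 + 4 + 20 + 96 + SECURITY_DIR * 8,
                         len(image), len(blob))
        image += blob
    return bytes(image)

if __name__ == "__main__":
    for signed in (False, True):
        sample = build_sample(signed)
        print(has_embedded_signature(sample), pdb_path(sample))
```

A True result only means a signature blob is attached; checking that it verifies and chains to a trusted publisher is a separate step done with the platform's own tooling.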
Friendly Neighborhood Ogre
iTrader: (6)
Joined: Mar 2000
Posts: 19,930
From: www.gunatics.com
Car Info: GUNATICS.COM
Come on guys, we all know that our side won't let this happen. Our computer programmers, hackers, etc. will create something to 1up their ability to search us, there will always be guys working on our side.
Registered User
Joined: May 2006
Posts: 5,686
From: I was up above it, now I'm down in it
Car Info: New Government Motors SUV!
Hurray, it's Ian!!
iTrader: (4)
Joined: Oct 2003
Posts: 3,612
From: on an airplane
Car Info: 2002 MBP WRX Sedan
so not only do i have to move out of CA...I have to go to Sweden where the pirate laws are more lax. lol ok.
or maybe i should move to some horrible 3rd world country where my 20 dollars can buy an army hopefully. hah


