Homepage of Peter Ferrie
Peter Ferrie
"qkumba"
(also "peterferrie" on OpenRCE and DOSBox)
Senior Anti-virus Researcher, Microsoft Corporation
email: peter.ferrie@gmail.com
NEWS
January 1: Anti-Unpacker Tricks 2 Part One is now available here, published in Virus Bulletin December 2008.
December 11: Anti-Unpacker Tricks Part Two will be published in Virus Bulletin January 2009.
December 1: uploaded Exract article, published in Virus Bulletin November 2008.
November 30: added DOSBox fix for X-Men.
November 29: added DOSBox fix for Contra.
If Uli had called it the Air Guitar, then it might have been more popular. :-)
BIO
Peter Ferrie began working with computers in 1981.
In 1986, he began developing anti-virus software for Apple II PCs.
From 1992-1998, he worked for an Australian distributor of anti-virus software for IBM PCs, first Viruscan, then F-Prot.
From 1998-2000, he worked for Frisk Software International in Iceland.
From 2000-2003, he worked for Symantec Corporation in Australia.
From 2003-2008, he worked for Symantec Corporation in the USA.
In 2008, he joined Microsoft Corporation.
Ferrie specialises in the analysis of Win32 malware, reverse engineering code on multiple platforms, development of emulators, and detection of virtual machines.
He joined CARO (Computer Anti-virus Research Organisation) in 2001.
COMPANY PRESENTATIONS
Attacks on Virtual Machines v3 (slides) - Symantec Cutting Edge, October 2007
Attacks on Virtual Machines v2 (paper) (slides) - Symantec Technology Exchange, April 2007
CONFERENCE PAPERS
AVAR
Attacks on Virtual Machines (paper) (slides) - AVAR Conference, December 2006, Auckland, page 128-143
BLACK HAT
Don’t Tell Joanna - The Virtualized Rootkit Is Dead (slides) - Black Hat Conference, August 2007, Las Vegas (joint paper with Nate Lawson and Thomas Ptacek)
CARO WORKSHOP
Anti-Unpacker Tricks (paper) (slides) - CARO Workshop, May 2008, Amsterdam
VIRUS BULLETIN
Principles and Practise of X-raying - Virus Bulletin Conference, September 2004, Chicago, page 51-66 (joint paper with Frédéric Perriot)
Hunting for Metamorphic - Virus Bulletin Conference, September 2001, Prague, page 123-144 (joint paper with Péter Ször)
INTERNATIONAL PUBLICATIONS
VIRUS BULLETIN
New Anti-Unpacker Tricks 2 Part Two, Virus Bulletin, January 2009, page 4-9 (link available here in February 2009, and here for Virus Bulletin subscribers in January 2009)
New Anti-Unpacker Tricks 2 Part One, Virus Bulletin, December 2008, page 4-8
New XXX Racted - W32/Exract, Virus Bulletin, November 2008, page 4-6
Whither the Harumf? - W32/Harumf, Virus Bulletin, October 2008, page 4-6
Prophet and Loss - W32/Divino, Virus Bulletin, September 2008, page 4-6
The Road Less Truvelled - W32/Truvel, Virus Bulletin, July 2008, page 4-5
Crimea River - Linux/Crimea, Virus Bulletin, February 2008, page 4-6
Something Smells Fishy - MSIL/Yakizake, Virus Bulletin, December 2007, page 7
Lions and Tigraas - TIOS/Tigraa, Virus Bulletin, July 2007, page 4
ANI-hilate This Week - technical feature, Virus Bulletin, May 2007, page 4-5
Hidan and Dangerous - W32/Chiton (Hidan), Virus Bulletin, March 2007, page 4-5
Cain and Abul - W64/Abul, Virus Bulletin, February 2007, page 4-5
Do The Macarena - OSX/Macarena, Virus Bulletin, January 2007, page 4-5
Leaps and Bounds - W32/Bounds, W64/Bounds, Virus Bulletin, December 2006, page 4-6
Chamber of Horrors - W32/Chamb, Virus Bulletin, October 2006, page 6-7
Gatt Got Your Tongue? - W32/Gatt, Virus Bulletin, September 2006, page 4-5
Tumours and Polips - W32/Polip, Virus Bulletin, July 2006, page 4-8
Inside the Windows Meta File Format - technical feature, Virus Bulletin, February 2006, page 5-8
Not Worthy - MSIL/Idonus, Virus Bulletin, February 2006, page 4
Inside the Microsoft Script Encoder - technical feature, Virus Bulletin, January 2006, page 4-5
Criss-Cross - MSH/Danom, {VBS/JS}/Cada, {O97M/VBS/JS}/Macar, Virus Bulletin, November 2005, page 4-5
Got [Mac]Root? - OSX/Weapox, Virus Bulletin, July 2005, page 4-5
It's Zell(d)ome The One You Expect - W32/Zellome, Virus Bulletin, May 2005, page 7-11 (joint article with Heather Shannon)
Paradise Lost - SymbOS/Commwarrior, Virus Bulletin, April 2005, page 4-6 (joint article with Frédéric Perriot)
Time Machine - C64/BHP, Virus Bulletin, January 2005, page 4-6
Look At That Escargot - MSIL/Gastropod, Virus Bulletin, December 2004, page 4-5
Let Them Eat Brioche - MSIL/Impanate, Virus Bulletin, November 2004, page 6-7
To Catch Efish - W32/Chiton (EfishNC), Virus Bulletin, October 2004, page 4-6 (joint article with Frédéric Perriot)
Mostly Harmless - W32/Sasser, Virus Bulletin, August 2004, page 5-8 (joint article with Frédéric Perriot)
Cabirn Fever - SymbOS/Cabir, Virus Bulletin, August 2004, page 4-5 (joint article with Péter Ször)
64-bit Rugrats - W64/Rugrat, Virus Bulletin, July 2004, page 4-6 (joint article with Péter Ször)
The Beagle Has Landed - W32/Beagle, Virus Bulletin website, June 2004
Chiba Witty Blues - W32/Witty, Virus Bulletin, May 2004, page 9-10 (joint article with Frédéric Perriot and Péter Ször)
The Wormpire Strikes Back - W32/Welchia, Virus Bulletin, April 2004, page 4-7 (joint article with Frédéric Perriot)
How Dumaru? - W32/Dumaru, Virus Bulletin, March 2004, page 4-9
Who? What? Where? Swen? - W32/Swen, Virus Bulletin, January 2004, page 4-10
Worm Wars - W32/Welchia, Virus Bulletin, October 2003, page 10-13 (joint article with Frédéric Perriot and Péter Ször)
Sobig, Sobigger, Sobiggest - W32/Sobig, Virus Bulletin, October 2003, page 5-10
Blast Off! - W32/Blaster, Virus Bulletin, September 2003, page 10-11 (joint article with Frédéric Perriot and Péter Ször)
You've Got More M(1**)a(D)i(L+K)l - W32/Chiton (JunkHTMaiL), Virus Bulletin, July 2003, page 6-7
Sleep-Inducing - W32/Serot, Virus Bulletin, April 2003, page 5-6
Looking a Bagift-Horse in the Mouth - W32/Bagif, Virus Bulletin, March 2003, page 4-5 (joint article with Frédéric Perriot)
You've Got M(1**)a(D)i(L+K)l - W32/Chiton (JunkMail), Virus Bulletin, November 2002, page 10-11
Attack of the Clones - W32/Chiton (Gemini), Virus Bulletin, September 2002, page 4-5
Un combate con el Kerñado - W32/Elkern, Virus Bulletin, August 2002, page 8-9
Raised Hacklez - W32/Klez, Virus Bulletin, July 2002, page 8-11
Unexpected Resutls [sic] - W32/Chiton (Shrug), Virus Bulletin, June 2002, page 4-5
Striking Similarities - W32/Simile, Virus Bulletin, May 2002, page 4-6 (joint article with Frédéric Perriot and Péter Ször)
Bad Transfer - W32/Badtrans, Virus Bulletin, February 2002, page 8-10 (joint article with Péter Ször)
Sircamstantial Evidence - W32/Sircam, Virus Bulletin, September 2001, page 8-10 (joint article with Péter Ször)
Magisterium Abraxas - W32/Magistr, Virus Bulletin, May 2001, page 6-7
Zmist Opportunities - W32/ZMist, Virus Bulletin, March 2001, page 6-7 (joint article with Péter Ször)
SECURITY FOCUS
Detecting Complex Viruses - technical feature, Security Focus, December 2004
UNPUBLISHED
Mimi and Mi Too - W32/Mimail
SECURITY
HideOD NtQueryInformationProcess DoS (2008)
ICEExt ZwCreateFile DoS (2008)
ICEExt ZwQueryDirectoryObject DoS (2008)
IDA Stealth NtQuerySystemInformation DoS (2008)
Immunity Debugger Base Relocation Directory Size integer overflow DoS (2008)
Immunity Debugger Export Address Table Entries integer overflow DoS (2008)
Interactive DisAssembler Base Relocation Directory Size DoS (2008)
Olly Advanced NtQueryObject DoS (2008)
Olly Advanced NtQueryInformationProcess DoS (2008)
Olly Advanced NtQuerySystemInformation DoS (2008)
OllyDbg Base Relocation Directory Size integer overflow DoS (2008)
OllyDbg Export Address Table Entries integer overflow DoS (2008)
OllyDbg __fuistq DoS (2008)
OllyInvisible NtReadVirtualMemory DoS (2008)
Turbo Debug32 Import Table Directory Size DoS (2008)
Turbo Debug32 Import Table Ordinal Count DoS (2008)
Turbo Debug32 Import Table Ordinal Table Pointer DoS (2008)
Turbo Debug32 incorrect instruction decoding transfer of control (2008)
Turbo Debug32 command-line arbitrary code execution (2008)
dbghlp.dll arbitrary code execution (2008)
SoftICE BCHKW BSOD (2008)
SoftICE DeviceIoControl BSOD (2008)
SoftICE NumberOfRvaAndSizes off-by-one BSOD (2008)
SoftICE OutputDebugString32 BSOD (2008)
SoftICE OutputDebugString16 BSOD (2008)
Syser DeviceIoControl BSOD (2008)
Syser Direction Flag BSOD (2008)
Syser BREAKPOINT_PRINT BSOD (2008)
Syser BREAKPOINT_UNLOAD_SYMBOLS BSOD (2008)
Microsoft Windows 9x/Me/NT/2000/XP .hlp arbitrary code execution (2007)
Microsoft Windows NT/2000/XP/2003 .vbe/.jse arbitrary code execution (2007)
Microsoft Windows "base63" encoding (2007)
Microsoft Windows NT 133-bytes .exe BSOD (2007)
Microsoft Windows NT/2000/XP invalid-encoding script execution (2005)
Microsoft Windows NT/2000/XP WSH DoS (2005)
Microsoft Windows 98/Me .wmf arbitrary code execution (2005)
Microsoft Windows NT/2000/XP/2003 32-bytes .avi DoS (2005)
Microsoft Windows NT/2000/XP/2003 .emf arbitrary code execution (2005)
Microsoft Windows NT/2000/XP/2003 .wmf arbitrary code execution (2005)
Microsoft Windows NT/2000/XP/2003 .grp arbitrary code execution (2004)
Microsoft Windows NT/2000/XP/2003 24-bytes .wmf DoS (2004)
Microsoft Windows NT/2000/XP 99-bytes .exe BSOD (2002)
Microsoft Office Macro Security Vulnerabilities (2001)
FUN STUFF
The "Life In ..." series
My favourite demos
Old games that I finally beat
My Brøderbund info
My Infocom info
Scan of the Month 33
My Lode Runner levels (Apple II disk image)
Old coding stuff (including Atlantis and Hydra)
GREETINGS
painters: 007, Angel, Aster, Banish, Bizar, Chams, Custom, Droogie, Dys, Kagent, Kaine, Kerupt, KOS, Mister E, Orsam, RCF, Ree, Rize, Sink, TPee, Unique (Sinz, Spice)
Apple II: Colwyn, Home Hacker, Maz, Prototype (not the ex-virus writer on IBM PCs) (Bandits, Plasmania), Rebel, San Inc, Seroster, TCS, TTT
LINKS
Painters: 50mm Los Angeles
Apple II: Asimov (ftp)
Comics: 9 Chickweed Lane, Baby Blues, General Protection Fault, Liō, Sinfest, User Friendly
Other: Oldskool, Old School ;-)
Copyright (c) 1998-2008 Peter Ferrie. All rights reserved.
Virus Bulletin article copyrights are held by Virus Bulletin Ltd, but made available on this site for personal use free of charge by permission of Virus Bulletin.