
Peter Ferrie
"qkumba"
(also "peterferrie" on OpenRCE and DOSBox)

Senior Anti-virus Researcher, Microsoft Corporation
email: peter.ferrie@gmail.com


Wizard of Oz





NEWS

November 13: Added DOSBox fix for Orion Burger.
November 13: Satevis article will be published in Virus Bulletin December 2009.
November 1: Pilot article is now available here, published in Virus Bulletin October 2009.
October 21: Zekneol article will be published in Virus Bulletin November 2009.
October 12: Added DOSBox fix for Championship Manager 2 '95.


If Uli had called it the Air Guitar, then it might have been more popular. :-)




BIO

Peter Ferrie began working with computers in 1981.
In 1986, he began developing anti-virus software for Apple II PCs.
From 1992-1998, he worked for an Australian distributor of anti-virus software for IBM PCs, first Viruscan then F-Prot.
From 1998-2000, he worked for Frisk Software International in Iceland.
From 2000-2003, he worked for Symantec Corporation in Australia.
From 2003-2008, he worked for Symantec Corporation in the USA.
In 2008, he joined Microsoft Corporation.

Ferrie specialises in the analysis of Win32 malware, reverse engineering code on multiple platforms, development of emulators and unpackers, and detection of virtual machines.
He has been a speaker at various conferences, and is a frequent contributor to the Virus Bulletin journal.
He joined CARO (Computer Anti-virus Research Organisation) in 2001.




COMPANY PRESENTATIONS

Attacks on Virtual Machines v3 (slides) - Symantec Cutting Edge, October 2007
Attacks on Virtual Machines v2 (paper) (slides) - Symantec Technology Exchange, April 2007




CONFERENCE PAPERS

AVAR

Attacks on Virtual Machines (paper) (slides) - AVAR Conference, December 2006, Auckland, page 128-143




BLACK HAT

Don't Tell Joanna - The Virtualized Rootkit Is Dead (slides) - Black Hat Conference, August 2007, Las Vegas (joint paper with Nate Lawson and Thomas Ptacek)




CARO WORKSHOP

Anti-Unpacker Tricks (paper) (slides) - CARO Workshop, May 2008, Amsterdam




RECENT ADVANCES IN INTRUSION DETECTION

A Study of the Packer Problem and Its Solutions (slides) - RAID, August 2008, Cambridge (joint paper with Fanglu Guo and Tzi-Cker Chiueh)




VIRUS BULLETIN

Principles and Practise of X-raying - Virus Bulletin Conference, September 2004, Chicago, page 51-66 (joint paper with Frédéric Perriot)
Hunting for Metamorphic - Virus Bulletin Conference, September 2001, Prague, page 123-144 (joint paper with Péter Ször)




INTERNATIONAL PUBLICATIONS

VIRUS BULLETIN

New Twinkle Twinkle Little Star - W32/Satevis, Virus Bulletin, December 2009, page 4-7 (public copy available on this site from January 2010; Virus Bulletin subscribers can read it on the Virus Bulletin site in December)
New Prescription Medicine - W32/Zekneol, Virus Bulletin, November 2009, page 4-7 (public copy available on this site from December 2009; Virus Bulletin subscribers can read it on the Virus Bulletin site right now)
New Flying Solo, Virus Bulletin, October 2009, page 4-5
Heads or Tails, Virus Bulletin, September 2009, page 4-5
Making a Hash of Things, Virus Bulletin, August 2009, page 4-5
Can You Spare a Seg?, Virus Bulletin, July 2009, page 4-5
Anti-Unpacker Tricks 2 Part Seven, Virus Bulletin, June 2009, page 4-10
Anti-Unpacker Tricks 2 Part Six, Virus Bulletin, May 2009, page 4-9
Anti-Unpacker Tricks 2 Part Five, Virus Bulletin, April 2009, page 4-8
Anti-Unpacker Tricks 2 Part Four, Virus Bulletin, March 2009, page 4-7
Anti-Unpacker Tricks 2 Part Three, Virus Bulletin, February 2009, page 4-9
Anti-Unpacker Tricks 2 Part Two, Virus Bulletin, January 2009, page 4-9
Anti-Unpacker Tricks 2 Part One, Virus Bulletin, December 2008, page 4-8
XXX Racted - W32/Exract, Virus Bulletin, November 2008, page 4-6
Whither the Harumf? - W32/Harumf, Virus Bulletin, October 2008, page 4-6
Prophet and Loss - W32/Divino, Virus Bulletin, September 2008, page 4-6
The Road Less Truvelled - W32/Truvel, Virus Bulletin, July 2008, page 4-5
Crimea River - Linux/Crimea, Virus Bulletin, February 2008, page 4-6
Something Smells Fishy - MSIL/Yakizake, Virus Bulletin, December 2007, page 7
Lions and Tigraas - TIOS/Tigraa, Virus Bulletin, July 2007, page 4
ANI-hilate This Week - technical feature, Virus Bulletin, May 2007, page 4-5
Hidan and Dangerous - W32/Chiton (Hidan), Virus Bulletin, March 2007, page 4-5
Cain and Abul - W64/Abul, Virus Bulletin, February 2007, page 4-5
Do The Macarena - OSX/Macarena, Virus Bulletin, January 2007, page 4-5
Leaps and Bounds - W32/Bounds, W64/Bounds, Virus Bulletin, December 2006, page 4-6
Chamber of Horrors - W32/Chamb, Virus Bulletin, October 2006, page 6-7
Gatt Got Your Tongue? - W32/Gatt, Virus Bulletin, September 2006, page 4-5
Tumours and Polips - W32/Polip, Virus Bulletin, July 2006, page 4-8
Inside the Windows Meta File Format - technical feature, Virus Bulletin, February 2006, page 5-8
Not Worthy - MSIL/Idonus, Virus Bulletin, February 2006, page 4
Inside the Microsoft Script Encoder - technical feature, Virus Bulletin, January 2006, page 4-5
Criss-Cross - MSH/Danom, {VBS/JS}/Cada, {O97M/VBS/JS}/Macar, Virus Bulletin, November 2005, page 4-5
Got [Mac]Root? - OSX/Weapox, Virus Bulletin, July 2005, page 4-5
It's Zell(d)ome The One You Expect - W32/Zellome, Virus Bulletin, May 2005, page 7-11 (joint article with Heather Shannon)
Paradise Lost - SymbOS/Commwarrior, Virus Bulletin, April 2005, page 4-6 (joint article with Frédéric Perriot)
Time Machine - C64/BHP, Virus Bulletin, January 2005, page 4-6
Look At That Escargot - MSIL/Gastropod, Virus Bulletin, December 2004, page 4-5
Let Them Eat Brioche - MSIL/Impanate, Virus Bulletin, November 2004, page 6-7
To Catch Efish - W32/Chiton (EfishNC), Virus Bulletin, October 2004, page 4-6 (joint article with Frédéric Perriot)
Mostly Harmless - W32/Sasser, Virus Bulletin, August 2004, page 5-8 (joint article with Frédéric Perriot)
Cabirn Fever - SymbOS/Cabir, Virus Bulletin, August 2004, page 4-5 (joint article with Péter Ször)
64-bit Rugrats - W64/Rugrat, Virus Bulletin, July 2004, page 4-6 (joint article with Péter Ször)
The Beagle Has Landed - W32/Beagle, Virus Bulletin website, June 2004
Chiba Witty Blues - W32/Witty, Virus Bulletin, May 2004, page 9-10 (joint article with Frédéric Perriot and Péter Ször)
The Wormpire Strikes Back - W32/Welchia, Virus Bulletin, April 2004, page 4-7 (joint article with Frédéric Perriot)
How Dumaru? - W32/Dumaru, Virus Bulletin, March 2004, page 4-9
Who? What? Where? Swen? - W32/Swen, Virus Bulletin, January 2004, page 4-10
Worm Wars - W32/Welchia, Virus Bulletin, October 2003, page 10-13 (joint article with Frédéric Perriot and Péter Ször)
Sobig, Sobigger, Sobiggest - W32/Sobig, Virus Bulletin, October 2003, page 5-10
Blast Off! - W32/Blaster, Virus Bulletin, September 2003, page 10-11 (joint article with Frédéric Perriot and Péter Ször)
You've Got More M(1**)a(D)i(L+K)l - W32/Chiton (JunkHTMaiL), Virus Bulletin, July 2003, page 6-7
Sleep-Inducing - W32/Serot, Virus Bulletin, April 2003, page 5-6
Looking a Bagift-Horse in the Mouth - W32/Bagif, Virus Bulletin, March 2003, page 4-5 (joint article with Frédéric Perriot)
You've Got M(1**)a(D)i(L+K)l - W32/Chiton (JunkMail), Virus Bulletin, November 2002, page 10-11
Attack of the Clones - W32/Chiton (Gemini), Virus Bulletin, September 2002, page 4-5
Un combate con el Kerñado - W32/Elkern, Virus Bulletin, August 2002, page 8-9
Raised Hacklez - W32/Klez, Virus Bulletin, July 2002, page 8-11
Unexpected Resutls [sic] - W32/Chiton (Shrug), Virus Bulletin, June 2002, page 4-5
Striking Similarities - W32/Simile, Virus Bulletin, May 2002, page 4-6 (joint article with Frédéric Perriot and Péter Ször)
Bad Transfer - W32/Badtrans, Virus Bulletin, February 2002, page 8-10 (joint article with Péter Ször)
Sircamstantial Evidence - W32/Sircam, Virus Bulletin, September 2001, page 8-10 (joint article with Péter Ször)
Magisterium Abraxas - W32/Magistr, Virus Bulletin, May 2001, page 6-7
Zmist Opportunities - W32/ZMist, Virus Bulletin, March 2001, page 6-7 (joint article with Péter Ször)




SECURITY FOCUS

Detecting Complex Viruses - technical feature, Security Focus, December 2004




UNPUBLISHED

Mimi and Mi Too - W32/Mimail




SECURITY

HideOD NtQueryInformationProcess DoS (2008)
HideSyser NtCreateFile DoS (2009)
ICEExt ZwCreateFile DoS (2008)
ICEExt ZwQueryDirectoryObject DoS (2008)
IDA Stealth DbgUiConvertStateChangeStructure DoS (2009)
IDA Stealth NtQuerySystemInformation DoS (2008)
IDA Stealth RDTSC BSOD (2009)
IDA Stealth RtlGetVersion DoS (2009)
Immunity Debugger Base Relocation Directory Size integer overflow DoS (2008)
Immunity Debugger Export Address Table Entries integer overflow DoS (2008)
Interactive DisAssembler Base Relocation Directory Size DoS (2008)
Olly Advanced NtQueryObject DoS (2008)
Olly Advanced NtQueryInformationProcess DoS (2008)
Olly Advanced NtQuerySystemInformation DoS (2008)
OllyDbg Base Relocation Directory Size integer overflow DoS (2008)
OllyDbg Export Address Table Entries integer overflow DoS (2008)
OllyDbg __fuistq DoS (2008)
OllyICE __fuistq DoS (2008)
OllyInvisible NtReadVirtualMemory DoS (2008)
Turbo Debug32 Import Table Directory Size DoS (2008)
Turbo Debug32 Import Table Ordinal Count DoS (2008)
Turbo Debug32 Import Table Ordinal Table Pointer DoS (2008)
Turbo Debug32 incorrect instruction decoding transfer of control (2008)
Turbo Debug32 command-line arbitrary code execution (2008)
dbghlp.dll arbitrary code execution (2008)
SoftICE BCHKW BSOD (2008)
SoftICE DeviceIoControl BSOD (2008)
SoftICE NumberOfRvaAndSizes off-by-one BSOD (2008)
SoftICE OutputDebugString32 BSOD (2008)
SoftICE OutputDebugString16 BSOD (2008)
Stealth64 DbgUiConvertStateChangeStructure DoS (2008)
Syser DeviceIoControl BSOD (2008)
Syser Direction Flag BSOD (2008)
Syser BREAKPOINT_PRINT BSOD (2008)
Syser BREAKPOINT_UNLOAD_SYMBOLS BSOD (2008)
Microsoft Windows 9x/Me/NT/2000/XP .hlp arbitrary code execution (2007)
Microsoft Windows NT/2000/XP/2003 .vbe/.jse arbitrary code execution (2007)
Microsoft Windows "base63" encoding (2007)
Microsoft Windows NT 133-bytes .exe BSOD (2007)
Microsoft Windows NT/2000/XP invalid-encoding script execution (2005)
Microsoft Windows NT/2000/XP WSH DoS (2005)
Microsoft Windows 98/Me .wmf arbitrary code execution (2005)
Microsoft Windows NT/2000/XP/2003 32-bytes .avi DoS (2005)
Microsoft Windows NT/2000/XP/2003 .emf arbitrary code execution (2005)
Microsoft Windows NT/2000/XP/2003 .wmf arbitrary code execution (2005)
Microsoft Windows NT/2000/XP/2003 .grp arbitrary code execution (2004)
Microsoft Windows NT/2000/XP/2003 24-bytes .wmf DoS (2004)
Microsoft Windows NT/2000/XP 99-bytes .exe BSOD (2002)
Microsoft Office Macro Security Vulnerabilities (2001)




LOW-LEVEL

Locked and Loaded (2007)
x86 Fetch-Decode Anomalies (2007)




FUN STUFF

The "Life In ..." series
My favourite demos
DOSBox fixes for demos and games
Old games that I finally beat
My Brøderbund info
My Infocom info
Scan of the Month 33
Apple II stuff
Old coding stuff (including Atlantis and Hydra)




GREETINGS

painters: 007, Angel, Aster, Banish, Bizar, Chams, Custom, Droogie, Dys, Kagent, Kaine, Kerupt, KOS, Mister E, Orsam, RCF, Ree, Rize, Sink, TPee, Unique (Sinz, Spice)
Apple II: Colwyn, Home Hacker, Maz, Prototype (not the ex-virus writer on IBM PCs) (Bandits, Plasmania), Rebel, San Inc (Karateka side A, Karateka side B), Seroster, TCS, TTT


LINKS

Painters: 50mm Los Angeles
Apple II: Asimov (ftp)
Comics: 9 Chickweed Lane, Baby Blues, General Protection Fault, Liō, Sinfest, User Friendly
Other: Oldskool, Old School ;-)


Copyright (c) 1998-2009 Peter Ferrie
All rights reserved
Virus Bulletin article copyrights are held by Virus Bulletin Ltd,
but made available on this site for personal use free of charge
by permission of Virus Bulletin

I'm a Technical Advisor for "Silent Runners.vbs" - use it to find out what starts up with Windows!