
Peter Ferrie
"qkumba"

Senior Anti-virus Researcher, Microsoft Corporation
email: peter.ferrie@gmail.com


Wizard of Oz





NEWS

May 1: uploaded Anti-Unpacking tricks paper and slides.
April 30: uploaded fix for Lasse Rein Bøng 96, so that everyone can enjoy it.
April 28: uploaded fix for tAAt TMDC demos, so that everyone can enjoy them.
April 28: uploaded fix for Flight, so that everyone can enjoy it.
April 22: the presentation is finished, too. The link will be added in May after the conference.


If Uli had called it the Air Guitar, then it might have been more popular. :-)




BIO

Peter Ferrie began working with computers in 1981.
In 1986, he began developing anti-virus software for Apple II PCs.
From 1992 to 1998, he worked for an Australian distributor of anti-virus software for IBM PCs, first for Viruscan and then for F-Prot.
In 1998, he joined Frisk Software International, and moved to Iceland to work on the F-Prot engine.
In 2000, he joined Symantec Corporation, and returned to Australia.
In 2003, he moved to the USA.
In 2008, he joined Microsoft Corporation.

Ferrie specialises in the analysis of Win32 malware, reverse engineering code on multiple platforms, development of emulators, and detection of virtual machines.
He joined CARO (Computer Anti-virus Research Organisation) in 2001.




COMPANY PRESENTATIONS

Attacks on Virtual Machines v3 (slides) - Symantec Cutting Edge, October 2007
Attacks on Virtual Machines v2 (paper) (slides) - Symantec Technology Exchange, April 2007




CONFERENCE PAPERS

AVAR

Attacks on Virtual Machines (paper) (slides) - AVAR Conference, December 2006, Auckland, page 128-143




BLACK HAT

Don’t Tell Joanna - The Virtualized Rootkit Is Dead (slides) - Black Hat Conference, August 2007, Las Vegas (joint paper with Nate Lawson and Thomas Ptacek)




CARO WORKSHOP

New Anti-Unpacking Tricks (paper) (slides) - CARO Workshop, May 2008, Netherlands




VIRUS BULLETIN

Principles and Practise of X-raying - Virus Bulletin Conference, September 2004, Chicago, page 51-66 (joint paper with Frédéric Perriot)
Hunting for Metamorphic - Virus Bulletin Conference, September 2001, Prague, page 123-144 (joint paper with Péter Ször)




INTERNATIONAL PUBLICATIONS

VIRUS BULLETIN

Crimea River - Linux/Crimea, Virus Bulletin, February 2008, page 4-6
Something Smells Fishy - MSIL/Yakizake, Virus Bulletin, December 2007, page 7
Lions and Tigraas - TIOS/Tigraa, Virus Bulletin, July 2007, page 4
ANI-hilate This Week - technical feature, Virus Bulletin, May 2007, page 4-5
Hidan and Dangerous - W32/Chiton (Hidan), Virus Bulletin, March 2007, page 4-5
Cain and Abul - W64/Abul, Virus Bulletin, February 2007, page 4-5
Do The Macarena - OSX/Macarena, Virus Bulletin, January 2007, page 4-5
Leaps and Bounds - W32/Bounds, W64/Bounds, Virus Bulletin, December 2006, page 4-6
Chamber of Horrors - W32/Chamb, Virus Bulletin, October 2006, page 6-7
Gatt Got Your Tongue? - W32/Gatt, Virus Bulletin, September 2006, page 4-5
Tumours and Polips - W32/Polip, Virus Bulletin, July 2006, page 4-8
Inside the Windows Meta File Format - technical feature, Virus Bulletin, February 2006, page 5-8
Not Worthy - MSIL/Idonus, Virus Bulletin, February 2006, page 4
Inside the Microsoft Script Encoder - technical feature, Virus Bulletin, January 2006, page 4-5
Criss-Cross - MSH/Danom, {VBS/JS}/Cada, {O97M/VBS/JS}/Macar, Virus Bulletin, November 2005, page 4-5
Got [Mac]Root? - OSX/Weapox, Virus Bulletin, July 2005, page 4-5
It's Zell(d)ome The One You Expect - W32/Zellome, Virus Bulletin, May 2005, page 7-11 (joint article with Heather Shannon)
Paradise Lost - SymbOS/Commwarrior, Virus Bulletin, April 2005, page 4-6 (joint article with Frédéric Perriot)
Time Machine - C64/BHP, Virus Bulletin, January 2005, page 4-6
Look At That Escargot - MSIL/Gastropod, Virus Bulletin, December 2004, page 4-5
Let Them Eat Brioche - MSIL/Impanate, Virus Bulletin, November 2004, page 6-7
To Catch Efish - W32/Chiton (EfishNC), Virus Bulletin, October 2004, page 4-6 (joint article with Frédéric Perriot)
Mostly Harmless - W32/Sasser, Virus Bulletin, August 2004, page 5-8 (joint article with Frédéric Perriot)
Cabirn Fever - SymbOS/Cabir, Virus Bulletin, August 2004, page 4-5 (joint article with Péter Ször)
64-bit Rugrats - W64/Rugrat, Virus Bulletin, July 2004, page 4-6 (joint article with Péter Ször)
The Beagle Has Landed - W32/Beagle, Virus Bulletin website, June 2004
Chiba Witty Blues - W32/Witty, Virus Bulletin, May 2004, page 9-10 (joint article with Frédéric Perriot and Péter Ször)
The Wormpire Strikes Back - W32/Welchia, Virus Bulletin, April 2004, page 4-7 (joint article with Frédéric Perriot)
How Dumaru? - W32/Dumaru, Virus Bulletin, March 2004, page 4-9
Who? What? Where? Swen? - W32/Swen, Virus Bulletin, January 2004, page 4-10
Worm Wars - W32/Welchia, Virus Bulletin, October 2003, page 10-13 (joint article with Frédéric Perriot and Péter Ször)
Sobig, Sobigger, Sobiggest - W32/Sobig, Virus Bulletin, October 2003, page 5-10
Blast Off! - W32/Blaster, Virus Bulletin, September 2003, page 10-11 (joint article with Frédéric Perriot and Péter Ször)
You've Got More M(1**)a(D)i(L+K)l - W32/Chiton (JunkHTMaiL), Virus Bulletin, July 2003, page 6-7
Sleep-Inducing - W32/Serot, Virus Bulletin, April 2003, page 5-6
Looking a Bagift-Horse in the Mouth - W32/Bagif, Virus Bulletin, March 2003, page 4-5 (joint article with Frédéric Perriot)
You've Got M(1**)a(D)i(L+K)l - W32/Chiton (JunkMail), Virus Bulletin, November 2002, page 10-11
Attack of the Clones - W32/Chiton (Gemini), Virus Bulletin, September 2002, page 4-5
Un combate con el Kerñado - W32/Elkern, Virus Bulletin, August 2002, page 8-9
Raised Hacklez - W32/Klez, Virus Bulletin, July 2002, page 8-11
Unexpected Resutls [sic] - W32/Chiton (Shrug), Virus Bulletin, June 2002, page 4-5
Striking Similarities - W32/Simile, Virus Bulletin, May 2002, page 4-6 (joint article with Frédéric Perriot and Péter Ször)
Bad Transfer - W32/Badtrans, Virus Bulletin, February 2002, page 8-10 (joint article with Péter Ször)
Sircamstantial Evidence - W32/Sircam, Virus Bulletin, September 2001, page 8-10 (joint article with Péter Ször)
Magisterium Abraxas - W32/Magistr, Virus Bulletin, May 2001, page 6-7
Zmist Opportunities - W32/ZMist, Virus Bulletin, March 2001, page 6-7 (joint article with Péter Ször)




SECURITY FOCUS

Detecting Complex Viruses - technical feature, Security Focus, December 2004




UNPUBLISHED

Mimi and Mi Too - W32/Mimail




SECURITY

Microsoft Windows 9x/Me/NT/2000/XP .hlp arbitrary code execution (2007)
Microsoft Windows NT/2000/XP/2003 .vbe/.jse arbitrary code execution (2007)
Microsoft Windows "base63" encoding (2007)
Microsoft Windows NT 133-bytes .exe BSOD (2007)
Microsoft Windows NT/2000/XP invalid-encoding script execution (2005)
Microsoft Windows NT/2000/XP WSH DoS (2005)
Microsoft Windows 98/Me .wmf arbitrary code execution (2005)
Microsoft Windows NT/2000/XP/2003 32-bytes .avi DoS (2005)
Microsoft Windows NT/2000/XP/2003 .emf arbitrary code execution (2005)
Microsoft Windows NT/2000/XP/2003 .wmf arbitrary code execution (2005)
Microsoft Windows NT/2000/XP/2003 .grp arbitrary code execution (2004)
Microsoft Windows NT/2000/XP/2003 24-bytes .wmf DoS (2004)
Microsoft Windows NT/2000/XP 99-bytes .exe BSOD (2002)
Microsoft Office Macro Security Vulnerabilities (2001)




FUN STUFF

The "Life In ..." series
My favourite demos
Old games that I finally beat
My Brøderbund info
My Infocom info
Scan of the Month 33
My Lode Runner levels (Apple II disk image)
Old coding stuff (including Atlantis and Hydra)




GREETINGS

painters: 007, Angel, Aster, Banish, Bizar, Chams, Custom, Droogie, Dys, Kagent, Kaine, Kerupt, KOS, Mister E, Orsam, RCF, Ree, Rize, Sink, TPee, Unique (Sinz, Spice)
Apple II: Colwyn, Home Hacker, Maz, Prototype (not the ex-virus writer on IBM PCs) (Bandits, Plasmania), Rebel, San Inc, Seroster, TCS, TTT


LINKS

Painters: 50mm Los Angeles
Apple II: Asimov (ftp)
Comics: Baby Blues, General Protection Fault, Liō, Sinfest, User Friendly
Other: Oldskool, Old School ;-)


Copyright (c) 1998-2008 Peter Ferrie
All rights reserved
Virus Bulletin article copyrights are held by Virus Bulletin Ltd,
but made available on this site for personal use free of charge
by permission of Virus Bulletin

I'm a Technical Advisor for "Silent Runners.vbs" - use it to find out what starts up with Windows!