Interview with Peter Ferrie by hh86 and SPTH

Peter Ferrie worked as Lead Developer at Frisk Software International (founded by Friđrik Skúlason, owner of F-Prot anti-virus). He worked as Technical Director for Symantec Corporation (NORTON anti-virus). Since 2008, he has been Principal Anti-virus Researcher at Microsoft Corporation. In 2010 he won the VirusBulletin award for "Greatest contribution to the anti-malware industry in the last ten years". He is an expert on malware analysis on multiple platforms.

The interview was done in a couple of sessions, and finished in January 2012. You can find Peter's page at http://pferrie.host22.com/index.htm and send him e-mails at peter.ferrie@gmail.com. Have fun! :)

::: Hello Peter, thanks for accepting this interview request. I hope you enjoy it. Please talk to us a bit about yourself, how old are you? How are you physically? What do you do in your free time? Any hobbies? ;)

pf: Thanks for inviting me.
pf: How old am I? Today, it feels like 500.
pf: Physically, 170cm tall, thin, white, glasses. You can probably find some pictures of me on the net, but people don't take too many photos of me.
pf: Free time? Ha, it exists only in legends. If you check my website, you can get an idea of what I did in past years when I did have time - I wrote stories about my life, watched demos, worked on DOSBox, and played old games. I'm still hacking on the Apple, too.

::: On your site you wrote you began working on computers in 1981, so 30 years now! But I guess you had contact with computers much before 1981. So, when did you meet your first machine, what was it?

pf: 30 years already? I feel so old now. :-)
pf: The first computer was a Commodore PET. It had a tape drive and some games. It was 1981. At that time, I lacked the skill to play the games well, but eventually I worked out how to list the BASIC code for the game, and... "lives=lives-1" became "lives=lives-0". I was coding for real soon after.

::: We can find a pretty long list of older games you've played. Are there games you have not managed to beat yet?

pf: I've beaten the ones that I've played (sometimes decades later), but as you can see from my site, I have not played much in the last year.
pf: No doubt there are many games that I would like, but which I have not played and thus not beaten. Yet. ;-)

::: How do you take part in the demo scene? Why do you like it? Have you made your own demos?

pf: I collect and watch demos. I have a favourite set, but there's a gap around 1998-2000, and another at 2006+, because I have not watched many of them yet. I'm way behind.
pf: I like the idea of making the machine do things that were not explicitly allowed. On the Apple II, it was making a square-wave generator play digitised sound, or displaying two screen resolutions at the same time, or smooth scrolling without flicker.
pf: I have my demos for the Apple II somewhere. Nothing on the PC. I focused on size optimisation competitions on the PC, rather than visual effects.

::: You seem to have an alias, "qkumba", too. ;) What's the story behind it? When do you use it?

pf: When I was teaching a class at school, I decided that everyone should make up a funny name in a way that played with sounds. Of course I chose one for myself.

::: Teacher Mr. Ferrie? Tell us more about it, when did it take place? Where? What were you teaching?

pf: I taught an assembly language "master class" while I was in high school. Computers in schools weren't common at the time, so most people had little or no experience with them (including the real teacher), so I took over.

::: Why did you decide to devote your life to computers?

pf: I would not say that I decided to do it, I just haven't stopped yet.

::: Have you always worked with computers or have you had other jobs? Can you tell us about them? :)

pf: I've always worked with computers, and always AV, but also some others at the same time.
pf: I had a funny job related to catching prawns for a big fisheries company. It started as data entry, then graphing curves, then data analysis, lots of statistics. I had that job for a long time.
pf: What else? I used to write reviews of shareware software on the PC.

::: In 2010 you had an unfortunate accident, what happened? Are you okay now?

pf: A car drove onto the footpath where I was walking, and crushed my leg against the wall. Amazingly, the leg did not break. Some people asked me if it was the Mossad. I can neither confirm nor deny that. ;-)
pf: It took about six months with the doctors until I could walk properly again. The skin healed really well, and it looks normal now (little scar), but the damage to the nerves might be permanent.

--------------------------------------------------------------------------------
virus related stuff now
--------------------------------------------------------------------------------

::: What was your first experience with a virus? Some people get interested in and begin to write viruses. But you became an AVer, why? Did such a virus have an influence on selecting your career?

pf: On the Apple II, it was on the machines at school. At that time (1986), viruses didn't have names, just descriptions of behaviour. Someone kept infecting the boot disks and I kept cleaning them. The techniques improved very quickly - hiding in extended memory to avoid detection in main memory, surviving ctrl-reset...
pf: On the Amiga, it was Byte Bandit in 1988. All of my game disks got infected, and one by one they started to fail (Byte Bandit had a destructive payload). No-one write-protected anything in those days.
pf: On the PC, it was Jerusalem where I was working in 1989. It was interfering with the job, so I had to defeat it. To do that, I had to understand it. However, that had nothing to do with my career.
pf: I got into the industry by accident. I left school, I needed a job, I sent my resume to a *lot* of companies. An AV company called me and asked me to come for an interview. They offered me the job right away. It was 1992.

::: Have you ever written anything like a virus?

pf: Only for Core War.

::: In "Interview with Sarah Gordon", Gigabyte asked: Imagine you had a son or daughter and you found out he/she was a virus writer... How would you react? Same question goes to you Peter. ;)

pf: I'll worry about that if it ever happens. Too hypothetical right now. I could also spend my days worrying about meteors landing on my home, or I could focus on the things that are happening right now.

::: Do you have anything like a favorite virus? Maybe the most interesting to analyze.

pf: I have fond memories now (but not at the time) of sleeping under my desk while working on detecting ZMist. One person, one virus. That was hard work. These days, we have so many good people around the world, we can pass the sample to the next time zone at the end of the day and they can continue.

::: What were the most surprising viruses that you encountered in your career, why?

pf: I think that I'd reached the stage where I'm not surprised anymore, just annoyed. ;-) It's inconvenient when a new EPO style is found. At least I haven't needed to buy any new hardware for years. That Itanium box was really noisy, and I burned myself on the first x64 system because it ran so hot. Those were the good days.

::: What were for you the most challenging viruses to detect?

pf: ZMist was probably #1 for me at the time, but I'm a bit more skilled now. Simile, Efish, Zellome, Crimea... old stuff.
pf: Writing detections is not my primary work anymore, but I'll work on Evoris.

::: Several researchers have worked on the topic of Undetectable Viruses (David Chess & Steve White, Z0mbie, etc). What do you think about their results? Do you think commercial AVs can fully detect every single computer virus with no long time of scanning, low false positives...?

pf: Everything can be detected eventually, no matter what the research says. There is always a way.

::: Years ago, new virus technologies (new ways of spreading, new polymorphism, metamorphism, ...) were discovered and developed by hobby virus writers. Nowadays there are very few hobbyists and most of the malware is written by professionals/criminals. What has changed due to this shift in the development of new technologies? Do you still encounter polymorphism or metamorphism in such widespread worms?

pf: One of the main things that has changed is that we almost never see widespread worms anymore. That's really because such a thing draws a lot of attention to itself, which defeats the purpose of staying for a long time on a machine in order to make the most use of it. However, we do encounter polymorphism in the other things that we receive. Interestingly, the complexity of the polymorphism is far less now than it was at the peak of the hobbyist development. The metamorphism seems non-existent now. The closest thing that we see would be the source-level garbage insertion, allowing widely differing static binaries all based on a single original source code. Something like W32/Apparition, but it's all produced on the servers, so each victim has a unique binary. The main focus of malware authors now seems to be anti-emulation technologies, because no matter how polymorphic you make your code, if we can emulate to the point where it decrypts to something constant, then we can see that and we can detect it.

::: What might be the worst case in your opinion? A worm using a 0-day exploit to spread over the internet, using a hardware rootkit and self-modifying techniques which forces you to sleep under your desk again?

pf: I think that those days are long gone. I doubt that I will ever have to sleep under my desk again while working on a detection, and I suspect that no-one else will, either.

::: What do you think about academic virus research, such as magazines like "Journal in Computer Virology", and by researchers like Eric Filiol and Mark Stamp?

pf: Obviously, I'd prefer that they focus on the other side of that research - not "here is a new virus which does X, try to defeat it". Instead, "given a new virus which does X, here is how we might defeat it".

::: How is the anti-virus scene today? Are there some people you especially respect for their knowledge or a technique they wrote or designed?

pf: Yes. :-)

::: What's the difference of an AVer's working day as it is today compared to 5 or 10 years ago?

pf: In many ways, it's the same, only the volume has increased. One difference is that the volume includes floods of exploits, trojans, backdoors, not nearly as many viruses as before. The focus has changed from writing for "fun" to writing for profit. Obfuscation technologies have improved a lot, so we might spend a large part of some days defeating a new anti-emulation trick.

::: Please, describe to us the usual anti-virus researcher's day. :)

pf: That is perhaps a bit hard, because I am not the usual anti-virus researcher. My day is mostly thinking about what virus writers might do next, and what I might do about that.

::: And what are they going to do next? ;)

pf: I'm still thinking about that. ;-)

::: Have you ever met a virus writer in real life? Would you?

pf: I have no idea. Would they tell me?

::: In 2008 you joined Microsoft. What are the main differences compared to working at Symantec?

pf: It's a quite different job. I can't really compare them. However, you can see that I'm writing more texts than before - more articles, more presentations.

::: Is it important for AV researchers to watch the old-school virus writing scene? Do you check virus writers' homepages and forums regularly?

pf: I would not say that it is important, but it can be interesting.
pf: Yes, I check viruswriter homepages and fora regularly, to see what is going on there. I hate surprises.

::: What do you think about former virus writers that were hired by AV companies? This has been heavily criticized, do you think that it is a good deal to hire someone who's been on the other side of the "business" for quite some time?

pf: I think that it's a stupid idea. Writing a virus does not prepare you in any way to write anti-virus software. They are completely separate fields. Worse, we can't trust such a person to behave, because they have already shown that they lack the right ethics.

::: Why do we lack the right ethics? Why do you think it's ethically wrong to write (not to spread) proof-of-concept viruses, and even release source code such that security researchers can easily find countermeasures and thereby increase their knowledge and improve their products? Isn't that similar to mathematicians/cryptanalysts who find flaws in SHA2 or PGP and publicly announce that? Do these people also lack the right ethics?

pf: It's the opposite of cryptanalysts finding flaws. Cryptographers are creating the solution, which cryptanalysts verify. Virus writers are creating the *problem*, which anti-virus engineers work to solve. The difference is clear. The anti-virus industry would not exist if there were no virus writers.

::: What are your thoughts on laws that prohibit malware programming, and the act of spreading it? Do you also think this should be applied to POC virus writers?

pf: There is no need to write any viruses. You can demonstrate any idea - vulnerability, file modification, EPO, etc - without using code that replicates.

::: Surprising answer! Let's imagine demos are prohibited one day, would it be the same to explain your techniques? On the other hand, aren't there techniques which can just be demonstrated using self-replication (like complex infection techniques (ZMist or RELx) or evolutionary attempts which intrinsically need replication)? Don't you think that prohibiting *writing* of computer viruses is similar to prohibiting codebreaking/cryptanalysis? And last but not least, how else would you draw the attention of AV researchers to your work than by adding self-replication?

pf: Talking about prohibiting demos misses the point. We can demonstrate an effect without it copying itself to everyone's machine.
pf: Insertion can be demonstrated without replication. Simply request any file and insert there, but the inserted code should not request more files.
pf: Even evolution can be demonstrated by rewriting the same file, not by attaching to other files.
pf: No, I don't "think that prohibiting *writing* of computer viruses is similar to prohibiting codebreaking/cryptanalysis". As I said earlier, writing a virus is contributing to the problem, not to the solution.
pf: Why would you want to draw the attention of AV researchers? There are plenty of publications that would accept research into techniques relating to code rewriting or file format tricks.

::: What is your opinion on very big libraries on computer virus writing and technology such as VX Heavens? Do you appreciate the enormous sorted archive (which also contains most of your research and analysis papers), or do you think it's dangerous to give everybody access to this potentially dangerous knowledge?

pf: It's the dual-edged sword. While the information is freely available all over the place anyway, both good and bad, having it in one place makes it very convenient. Of course, I'd prefer that none of it existed, but I don't get to choose.

::: Many anti-viruses do not care about real detection; often they just detect some decryptors/unpackers, whether the file is malicious or not. The heuristics of several AVs are very vague (a lot of false detections), too. Do you think this is more an advantage (as many viruses are detected from scratch) or a disadvantage (as it may lead to uncontrollable behaviour in future such as detection+destruction of native Windows files (as already happened with Win32.CTX with McAfee))?

pf: It's the trade-off that we make in order to cope with the flood of malware. The days of exact detection are long gone.

::: There seems to be a new trend in the AV industry, which is whitelisting "goodware" instead of actually detecting malware. Do you think that this paradigm shift is a necessary countermeasure against the glut of worms and trojans, or is it just the "easy way" for AV vendors as it's a low-tech approach? What might be the effects on private developers, small software companies or open-source software?

pf: It's probably safe to say that the rate of increase in good programs is lower than the rate of increase in bad programs. Therefore, we have less work to do if we switch from blacklisting to whitelisting, and we increase security at the same time. For the producers of programs that are not shared widely, they can always submit their works to us for exclusion. That's not the ideal scenario, but it is an unfortunate result of the situation. At least they have the option, and it's not as though we are reporting all unknown files as malicious. Unknown files are simply unknown.

::: You were part of Microsoft's analysis team for Stuxnet. What were your thoughts when you first realized the complexity of that code? How much time did it take to fully understand that beast? Did you find any bugs in it?

pf: My thoughts regarding the complexity? "oh, this is going to take a while". :-)
pf: I don't think that even now anyone actually understands it *fully*.
pf: Yes, I found two bugs, one major, one minor. The minor one is the misuse of an API. The authors passed the wrong parameter type to a function, resulting in a false return instead of a true one in a particular case. However, it doesn't affect the execution flow, because the next thing that they attempt will fail in the environment where the API should have returned true.
pf: The major bug is a race condition in one of the exploits, resulting in a blue screen whenever it triggers (which is presumably not that often, since no-one else seems to have noticed it).

::: Do you think we will see more cyber weapons of this kind in the future? Is there a way to effectively protect against it? Any guesses who made it?

pf: I don't consider Stuxnet to be a "cyber weapon". It's just another targeted attack. They have existed for years, and will continue to be written for years to come. There isn't an effective protection against it because it's targeted, so the attackers know exactly what the environment looks like, but we don't.
pf: No guesses who made it. I don't know, I don't need to know, and I don't want to know.

::: In October 2011 the CCC released an in-depth analysis of Germany's Federal Trojan horse (Bundestrojaner/0zapftis). What is your opinion on this case, and on the quality of this spyware in contrast to spyware used by non-governmental criminals?

pf: It was a misguided act that it was written in the first place. However, I am not sufficiently familiar with German law to know if it's allowed to place software on a system during a raid, which can be used later to gather information. Of course, if you're not committing a crime then the information won't be any use. It's not like planting drugs in a house and then raiding the house to find them again.

::: Do you think such governmental spyware should be detected by AV scanners? Have you or one of your colleagues got a request from some government agency to not detect specific software?

pf: Spyware is spyware, it should be detected regardless of the authors.
pf: I can't say if we have received such a request.

::: Look into the future: what do you expect in the near 3 to 5 years, and far beyond, maybe in 10 years, to happen with viruses and how will AVs continue to work?

pf: The future is now. I expect to see more of the same, or perhaps I should say *more* of the same. Much more. Malware on other platforms like phones and other hand-held devices will be quite common. Running AV on those devices will be quite hard. sigh.

::: What's your plan for the future - as a security researcher and privately?

pf: More of the same, until I'm too old to do it anymore.