Full-time RCE occupation! Need your suggestions please!


13 replies to this topic

#1 Super Mario (Full Member, 32 posts)

Posted 18 October 2011 - 12:24 PM

Hello,

I need your help with making serious decision about my future.

I'm a young computer programmer (C\C++\C#...), "better than average" I believe. RCE has been my hobby nearly since I started programming. I find it more interesting than the topics of "traditional" programming. But now I have less and less time for my hobby, and it's probably time to make the decision for my life: whether I want RCE as my professional area of occupation, or not.

My RCE skills are not "pro" really, but fairly above "novice" I think. I use OllyDbg and IDA as primary tools. I'm able to manually unpack ASProtect-level packers, and have experience dealing with various "exotic" areas of RCE, like hw dongles, COM reversing, etc. Now I want to become a full-time reverser instead of a programmer. But I don't know if that would be the right choice for my career. Experienced people, please help me with the following questions, my future depends on them:

1) I think the primary field a reverser's career might be associated with is AV companies. I want to know, in terms of salary, how well the jobs of an average "malware researcher" are respected. Does an average "malware researcher" have a higher salary than an average application programmer, or maybe lower? What are the approximate salaries in the US and in EU countries for such reversers? In other words, are they considered "high profile jobs" or "low profile jobs"? Is it worth investing my time into this (moving from the programming world into the reversing world), assuming I can always have an "ordinary" career as an "ordinary" programmer otherwise?

2) Is it hard to find a job as a "malware researcher" (reverser)? I mean, is there a deficit of "young talents" in the corporate world of RCE, or a surplus? Are AV companies constantly searching for new reversers, or do they always have enough "wannabe-reversers" so that there's stiff competition?

3) What skills and abilities do I have to have to be interesting to top AV companies (Kaspersky, McAfee, etc.) for such a job? Maybe I already qualify, maybe I'm so far from the required level that it's not even worth thinking about, I don't know. Should I be able to unpack top-notch protectors like Themida, devirtualize their VMs, etc., or is that something "advanced" which only applies to "very-highly-paid" professionals? In short, what skills do I need? How do I know that I'm "ready"?

4) To achieve the required level (whatever you propose for the above question), what do you suggest I do? I'm trying to master commercial protectors (like ASProtect, Armadillo, for the beginning...); is this the best way to "train" myself if I want to be what they call a "malware researcher/analyst"? Do you propose something else?

5) I have to start working on my academic "dissertation" project soon. I want it to be around RCE, so I was planning to base my research on unprotecting the top few commercial protectors. Please see this topic: http://forum.tuts4yo...43-is-it-legal/ But a good man suggested in that topic that it was not a very good idea to focus on commercial protectors. Can you propose anything better? I want to acquire as many RCE skills in the process as possible (to later use them to qualify for reverser jobs), so I saw it as a good possibility. But I have doubts now. Could you please give advice in this regard as well?

Thanks in advance! I really need your suggestions!

#2 quosego (Team Member+, 1,456 posts, Location: Most likely at some oep.. ;))

Posted 18 October 2011 - 01:01 PM

Good questions actually, no idea. I've never worked for an AV company. But there are people around here that have, not as many as you might guess though; perhaps they can help you.
If I can get a highly paid job being able to unpack Themida... count me in. ;)

"You cannot stop a tide with a spoon. Cracking technology will
always be several steps ahead of DRM and content will be
redistributed on anonymous networks." -Giulio Prisco, chief
executive of Metafuturing Second Life, formerly of CERN

"I've lost a bomb, do you have it?"  -Crazy Ivan


#3 chickenbutt (Full Member, 153 posts)

Posted 22 October 2011 - 11:06 PM

I have an old Russian friend who works for a German- and Russian-based AV vendor; he makes about 75k a year USD, but he says it's not just malware work. Most AV companies also do infrastructure consulting and implementation behind the scenes; that's actually where they make all their money. They also do tooling for automation most days on cloud and testing networks owned by the vendors.

I'm super intrigued by RCE, but all I have time to do is non-VM protectors and very light keygenning on x86 (and rarely that). Back when I was unemployed I did a lot of the first work on ARM analysis (before it was popular with cell phones). I also did an automated inlining tool for an old disc protector that used TLB manufacturing crypto and deflate to virtual map. Nowadays I'll keygen a simple non-crypto algo in some shareware or look at new VM tech, but it's mostly dev work for me.

@quosego: Themida's encrypted VM handlers + mutations are way harder than getting code execution on LPAR and DMA RSA-protected PPC and ARM hardware, and that's getting college dropouts 200k a year jobs at companies like Facebook..

You could also do a PE protector off what you know. If nobody did Olly scripts for it you could hold the nuker teams off pretty easily..

#4 Super Mario (Full Member, 32 posts)

Posted 26 October 2011 - 09:41 PM

Thanks for replies.

But... No other opinions?..

#5 kao (Full Member, 303 posts)

Posted 27 October 2011 - 02:49 PM

Disclaimer: all views expressed in this post are my own. I'm just a human, I might be horribly wrong.

As I mentioned earlier in another thread, AV companies currently get approx. 55,000 samples a day. RE skills are not the primary requirement in that business anymore. What they need is automated systems for analyzing files, and lots of trained monkeys to sort out the rest.
Malware analyst is exactly that: a trained monkey that uses existing tools to classify a file as fast as possible and move on to the next one. Salary - usually on par with a (junior) developer [1]. "Malware researcher" is definitely a better position than malware analyst; usually you'd do detailed analysis of a malware family, maybe publish on the company blog, maybe make a presentation for some AV conference. Some companies also infiltrate botnets to analyze them, etc., etc.

The question is - do you really want to analyze malware crap for the rest of your life?

If you want to focus on reversing, I would suggest that you look at vulnerability research. It's a more demanding job (you need to come up with novel ideas and develop your own tools) and usually better paid [2]. It also offers a much bigger variety of platforms, whereas malware is predominantly Windows executables.

And then there is the gray market. Making private game servers, mobile phone unlocking, hw dongle emulation, game bot creation - all of them involve a great deal of reversing and - if you get lucky - the payout is pretty good. The choice is up to you.

As for skills - read the job ads. The requirements are usually pretty detailed.

As for the dissertation - in some countries universities cooperate with security companies. The company comes up with research topics that could be done as a dissertation, and the student does it as a part-time job. Worth a try.

Cheers,
kao.

[1] Data from Sophos UK - one of the rare companies that shows approx. salaries in their job ads.
[2] http://www.infosecin...re-analyst.html , http://www.infosecin...h-engineer.html
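
Added example (not code from kao, from the original post, or from any AV vendor) illustrating the pipeline kao describes: cheap automated checks classify the bulk of the day's intake, and only what survives them is queued for a human. The hash lists, the two "family signature" byte strings and the sample files are all constructed for the demonstration; the entropy threshold is a common heuristic, not a vendor setting.

```python
"""Toy automated sample triage: hash lookup first, cheap static heuristics
second, and only the leftovers go to an analyst.

Added example; not code from any AV vendor. All hashes, signatures and
sample bytes below are constructed for the demonstration."""
import hashlib
import math
from collections import Counter

# Constructed "family signatures": byte strings an automated scanner would
# match before spending analyst time. Real signatures are far richer (YARA
# rules, behavioural traces); these are placeholders for the demonstration.
SIGNATURES = {
    b"EVIL_DROPPER_MARKER": "Constructed.Dropper",
    b"FAKEAV_CONFIG_BLOB": "Constructed.FakeAV",
}

# Whole-file entropy above this on a PE image is a common packer/encryption hint.
PACKED_ENTROPY = 7.0


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(sample: bytes, known_bad: set, known_good: set) -> tuple:
    """Return (verdict, detail). Cheapest checks run first so the bulk of a
    day's intake never reaches the expensive steps or a human."""
    digest = sha256_hex(sample)
    if digest in known_bad:
        return ("known-bad", digest)
    if digest in known_good:
        return ("known-good", digest)
    if not sample.startswith(b"MZ"):
        return ("not-pe", "no MZ header")
    for pattern, family in SIGNATURES.items():
        if pattern in sample:
            return ("detected", family)
    ent = shannon_entropy(sample)
    if ent > PACKED_ENTROPY:
        return ("suspicious-packed", "entropy=%.2f" % ent)
    return ("needs-analyst", "entropy=%.2f" % ent)


def triage_batch(samples) -> dict:
    """Counts per verdict for a batch, i.e. what an analyst queue would show."""
    verdicts = Counter()
    for s in samples:
        verdicts[triage(s, KNOWN_BAD, KNOWN_GOOD)[0]] += 1
    return dict(verdicts)


# ---- constructed sample set standing in for a slice of one day's intake ----
KNOWN_BAD_SAMPLE = b"MZ" + b"\x90" * 64 + b"EVIL_DROPPER_MARKER" + b"\x00" * 512
KNOWN_GOOD_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode" + b"\x00" * 1024
PACKED_SAMPLE = b"MZ" + bytes(range(256)) * 16          # near-uniform body
PLAIN_SAMPLE = b"MZ" + b"\x00" * 4000 + b"Hello, world" + b"\x00" * 100
SIGNED_SAMPLE = b"MZ" + b"\xcc" * 200 + b"FAKEAV_CONFIG_BLOB" + b"\x00" * 200
TEXT_FILE = b"just a text file, not an executable\n"

KNOWN_BAD = {sha256_hex(KNOWN_BAD_SAMPLE)}
KNOWN_GOOD = {sha256_hex(KNOWN_GOOD_SAMPLE)}

if __name__ == "__main__":
    batch = [KNOWN_BAD_SAMPLE, KNOWN_GOOD_SAMPLE, PACKED_SAMPLE,
             PLAIN_SAMPLE, SIGNED_SAMPLE, TEXT_FILE]
    for s in batch:
        print(triage(s, KNOWN_BAD, KNOWN_GOOD))
    print(triage_batch(batch))
```

The order of the checks is the point: a hash hit costs one lookup, a signature scan costs a linear pass, entropy costs a pass plus arithmetic, and the analyst costs the most, so each stage only sees what the cheaper stage could not settle. Whole-file entropy is only a hint; a legitimate installer carrying a compressed payload scores just as high as a packed sample.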

#6 Aguila (Full Member, 279 posts)

Posted 27 October 2011 - 04:58 PM

You get paid better if you develop protection systems (especially protection systems for b2b applications); reversing is actually a "bad" skill because it is usually illegal. You don't have many possibilities to earn legal money (different in each country, but in most countries illegal).

As already mentioned, even AV companies don't reverse a lot of malware. Usually they only focus on the popular ones (like Stuxnet) and write some nice whitepaper about them. But analyzing malware is not very difficult.

I know a rather young company; they develop license protection software for b2b applications. The software is "ok", not very secure in my opinion, but still they earn a lot of money with it and they already have a lot of customers. The software is very expensive and not really secure, but it is perfect for b2b applications. Themida is very cheap, really secure and probably a good solution for end-user software, but useless for most needs.

#7 deepzero (Full Member, 729 posts)

Posted 27 October 2011 - 05:13 PM

b2b == business to business?
What's its advantage over Themida?
(Are we talking about PE files here?)

:)
Scientia potentia est.

#8 Aguila (Full Member, 279 posts)

Posted 27 October 2011 - 05:44 PM

Yes, business to business software.

> What's its advantage over Themida?

In b2b applications you have other license models than in end-user software. Themida/WinLicense is very limited. In b2b applications you don't have problems with cracks, but probably problems with license overuse/misuse.

e.g. you want to choose the hardware id types, you want transparent hardware id binding (not hidden from the customer), you want a special floating license (transaction-based licensing).

> (Are we talking about PE files here?)

Multi-platform support is a big advantage.
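
Added example (not the product Aguila describes, not Wibu's scheme, and not code from any poster) showing the three b2b licence properties named above in working form: the licence lists in clear exactly which hardware id types it is bound to, so the customer can see and reproduce the binding; it carries an expiry; and a licence server hands out floating seats and metered transactions. The vendor secret, customer name, id types and values are constructed for the demonstration.

```python
"""Toy b2b licence model: transparent hardware binding, expiry, and a
licence-server-side pool of floating seats plus a transaction meter.

Added example, not the product Aguila describes and not Wibu's scheme.
The vendor secret, customer name, id types and values are constructed."""
import hashlib
import hmac
import json


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so the signature always covers the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(secret: bytes, body: dict) -> str:
    return hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()


def make_license(secret, customer, bound_ids, seats, transactions, expires):
    """bound_ids maps an id type to its expected value, e.g. {"disk_serial": ...}.
    The vendor chooses which types to bind; they are listed in the licence body
    itself, so the binding is visible to the customer rather than hidden."""
    body = {
        "customer": customer,
        "bound_ids": bound_ids,
        "seats": seats,                # concurrent floating seats
        "transactions": transactions,  # metered units, None = unlimited
        "expires": expires,            # unix time
    }
    return {"body": body, "sig": _sign(secret, body)}


def verify_license(secret, lic, observed_ids, now):
    """Return "ok" or the first reason the licence is not usable on this host."""
    if not hmac.compare_digest(_sign(secret, lic["body"]), lic["sig"]):
        return "bad-signature"
    body = lic["body"]
    if now > body["expires"]:
        return "expired"
    for id_type, expected in body["bound_ids"].items():
        if observed_ids.get(id_type) != expected:
            return "hardware-mismatch:" + id_type
    return "ok"


class SeatPool:
    """Floating seats plus a transaction meter, kept on the licence server."""

    def __init__(self, lic):
        self.seats = lic["body"]["seats"]
        self.remaining = lic["body"]["transactions"]
        self.active = set()

    def checkout(self, client_id) -> bool:
        if client_id in self.active:
            return True                      # already holds a seat
        if len(self.active) >= self.seats:
            return False                     # overuse: all seats taken
        self.active.add(client_id)
        return True

    def checkin(self, client_id):
        self.active.discard(client_id)

    def consume(self, units=1) -> bool:
        if self.remaining is None:
            return True                      # unlimited licence
        if units > self.remaining:
            return False                     # meter exhausted
        self.remaining -= units
        return True


# ---- constructed data ----
VENDOR_SECRET = b"constructed-vendor-secret"
MACHINE = {"disk_serial": "WD-CONSTRUCTED-0001", "mac": "00:11:22:33:44:55"}
# Only the disk serial is bound; the MAC is deliberately left unbound.
LICENSE = make_license(VENDOR_SECRET, "Example Corp",
                       {"disk_serial": MACHINE["disk_serial"]},
                       seats=2, transactions=3, expires=1_700_000_000)

if __name__ == "__main__":
    print(json.dumps(LICENSE, indent=2))
    print(verify_license(VENDOR_SECRET, LICENSE, MACHINE, now=1_650_000_000))
```

One caveat on the signing choice: with an HMAC, anyone who can verify can also forge, so this layout only holds up when verification happens on the vendor's licence server (where the seat pool already lives). A licence that is checked on the customer's own machine needs an asymmetric signature (Ed25519 or RSA) with only the public key shipped; HMAC is used here purely to stay within the standard library.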

#9 deepzero (Full Member, 729 posts)

Posted 27 October 2011 - 05:55 PM

Interesting, and an aspect I've never considered before...
I would have thought the amount of end-user software hopelessly outweighs the amount of b2b apps, making it financially unattractive.

Which protection software were you talking about?

#10 Aguila (Full Member, 279 posts)

Posted 27 October 2011 - 06:27 PM

I don't want to tell the name here^^

But you can look e.g. at https://www.wibu.com . Probably one of the most expensive software protection systems. They target b2b applications, although their dongle protection is very strong.

#11 chickenbutt (Full Member, 153 posts)

Posted 30 October 2011 - 02:30 AM

Strong dongle and press protectors are only secure if a team can't get the media and rebuild the binary off the volume or block data.. SecuROM is super secure without a disc..

Also, security firms and vendors only recruit exceptional talent or credentials.. unless you social network your way in, like with some unnamed Russian AV vendors. A competitive AV product can take months or years of solid development, and exploit dev months of daily effort. People who publish major vulnerabilities under top firms are lucky to hit six figures, some only 50k if they're lucky.

#12 rendari (Full Member, 268 posts)

Posted 02 November 2011 - 06:52 PM

@chickenbutt & Super Mario: Well, if you're stateside and from around the Bay Area, PM me some of your past work and we can talk.

quosego, you're invited as well of course ^^ Long time no see btw.

Edited by rendari, 02 November 2011 - 06:54 PM.


#13 deepzero (Full Member, 729 posts)

Posted 02 November 2011 - 07:00 PM

> People who publish major vulnerabilities under top firms are lucky to hit six figures, some only 50k if they're lucky

O_o
I don't know how much 50k/year is in comparison to other jobs, but considering the prices for 0days on the black market, I could imagine how and why some find their way into shady forums...

#14 chickenbutt (Full Member, 153 posts)

Posted 05 November 2011 - 06:48 AM

deepzero, on 02 November 2011 - 07:00 PM, said:

> O_o
> I don't know how much 50k/year is in comparison to other jobs, but considering the prices for 0days on the black market, I could imagine how and why some find their way into shady forums...

50k USD is a good engineering job in America. Because of the euro it's like ~80k in Europe.

I can bet that the big talents here and on SnD probably don't make that much unless they do something besides development or consulting.. I'm an independent contractor in engineering who does ok in a bad economy.

Also exploit kits don't make much because they are privately sold and usually end up ripped. Look at the Blackhole kit..
