Job Description

On the FLARE (FireEye Labs Advanced Reverse Engineering) team we see malware in many different file types. One file type that has increased in popularity over the years is .NET executable files. Traditionally, .NET malware is obfuscated using commercial tools to make them difficult to analyze. However, we have successfully used open source tools to deobfuscate the malware and analyze the result. Modern .NET obfuscators use various tricks to bypass current deobfuscation tools and make decompiling the malware fail.    The goal of the intern project will be to update current open source tools or create new tools to handle deobfuscation of these new obfuscation techniques.    To accomplish this project the intern will first work with a reverse engineer to understand the .NET runtime environment, the normal workflow used by FLARE when analyzing a .NET sample, as well as FLARE’s current approaches to deobfuscating .NET samples, and cases where this deobfuscation fails. To complete the project the intern will use an existing FLARE project as a prototype to either improve or as inspiration for a new tool to address samples where our current deobfuscation techniques fail. A successful plugin will directly increase the capacity of the FLARE team to analyze malware. 

RESPONSIBILITIES

The goals of the FLARE intern are twofold: to provide an opportunity to introduce the art of malware analysis, and to improve the capacity of the FLARE team. A successful intern will study reverse engineering resources, including the courses offered by Mandiant, so that they may attain the title of "Reverse Engineer" and be considered when applying to the FLARE team. The FLARE team has a strong history of converting interns into full time employees that tackle malware in support of our clients. The successful intern will also develop useful tools and processes that augment the capabilities of the FLARE team. This team is flooded with requests to analyze malware to support investigations, client requests, and detection. The plugins that the intern writes will enable the FLARE team to reverse engineer more malware samples. Prior FLARE team interns have demonstrated measurable enhancements to the teams processes, including state-of-the-art packer detection, IDA Pro disassembler plugins, and symbolic emulation tools. Our goal is to produce more of the same.

Qualifications

• Development experience in C or Go.
• A general understand of reverse engineering and malware analysis is beneficial, but not strictly required.
• Ability to take direction to perform independent research.
• Basic understanding of Windows and Unix operating systems internals
• Experience with X86 and AMD-64 assembly and system architecture

Additional Information

_All qualified applicants will receive consideration for employment without regard to race, sex, color, religion, sexual orientation, gender identity, national origin, protected veteran status, or on the basis of disability. _