VirusTotal Introduces AI-Powered Endpoint to Enhance Malware Analysis

VirusTotal has recently launched a new API endpoint designed to assist malware analysts by providing detailed functionality descriptions of code snippets. This addition to the Code Insight platform aims to streamline reverse engineering workflows by pre-analyzing disassembled or decompiled code and highlighting behaviors most relevant to malware hunters.

Key Features of the New Endpoint:

1. AI-Generated Summaries: The `analyse-binary` endpoint returns concise overviews of a function’s purpose, such as network I/O routines or anti-debugging logic.

2. Detailed Descriptions: It provides in-depth breakdowns of control flow, API calls, string references, and potential obfuscation techniques.

3. Learning from Analyst Feedback: The endpoint refines its insights over time by learning from analyst-approved history, enhancing the accuracy and relevance of its analyses.

4. Integration with IDA Pro: VirusTotal has updated its VT-IDA Plugin to integrate the new endpoint directly within the IDA Pro interface, allowing analysts to receive instant insights without leaving their reverse engineering environment.

How the Endpoint Works:

The new endpoint, accessible at `api/v3/codeinsights/analyse-binary`, accepts a JSON payload containing Base64-encoded code blocks alongside metadata for context. Upon receiving a request, it returns two fields:

– Summary: A concise overview of the function’s purpose.

– Description: A detailed breakdown of the function’s behavior, including control flow, API calls, string references, and potential obfuscation techniques.

By chaining previous requests in the history array, the service builds a contextual model that learns as the analyst iterates. For instance, if an initial query flags a custom XOR routine, subsequent analyses incorporate that knowledge to identify similar patterns more accurately.
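The request/response flow described above, as an added example that is not VirusTotal's own client or VT-IDA plugin code. The article names only the endpoint path, the Base64-encoded code block, the history array and the summary/description fields; the JSON field names, the host and the `x-apikey` header used here are assumptions.

```python
import base64
import json
import urllib.request

# Path from the article; the host and header names are assumptions (VirusTotal's v3 API uses x-apikey).
ENDPOINT = "https://www.virustotal.com/api/v3/codeinsights/analyse-binary"


def build_request(code_bytes, metadata, history):
    """Payload as the article describes it: a Base64-encoded code block, context
    metadata, and the array of previously approved analyses (the notebook).
    Field names are assumed, not taken from VirusTotal's documentation."""
    return {
        "code": base64.b64encode(code_bytes).decode("ascii"),
        "metadata": dict(metadata),
        "history": list(history),
    }


def parse_response(body):
    """Pull out the two fields the endpoint returns; tolerate a v3-style
    {"data": {...}} wrapper (assumed) and reject anything else."""
    data = json.loads(body)
    result = data.get("data", data)
    if not isinstance(result, dict) or "summary" not in result or "description" not in result:
        raise ValueError("response lacks summary/description")
    return {"summary": result["summary"], "description": result["description"]}


def approve(history, request, result, note=""):
    """Return a new notebook with the analyst-approved (and possibly edited)
    result appended, so the next request carries the corrected context."""
    entry = dict(request, summary=result["summary"], description=result["description"])
    entry.pop("history", None)  # do not nest the old notebook inside an entry
    if note:
        entry["analyst_note"] = note
    return history + [entry]


def analyse(api_key, code_bytes, metadata, history, opener=urllib.request.urlopen):
    """POST one code block together with the full notebook and return the parsed
    result. `opener` is injectable so the flow can be exercised offline."""
    payload = json.dumps(build_request(code_bytes, metadata, history)).encode()
    req = urllib.request.Request(
        ENDPOINT, data=payload, method="POST",
        headers={"x-apikey": api_key, "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        return parse_response(resp.read())
```

Each call to `analyse` sends the whole notebook, which is how the plugin gives the service the context of earlier, analyst-corrected results.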

Integration into IDA Pro:

To demonstrate real-world utility, VirusTotal updated its VT-IDA Plugin to leverage the new endpoint directly within the IDA Pro interface. Malware analysts can now select a function in the disassembly or decompiled view, invoke the plugin, and receive instant insights without leaving their reverse engineering environment. Key features include:

– Analyst Feedback: Analysts can approve or modify the summary and description, capturing corrections or additional context.

– Persistent Notebook: Approved analyses populate a notebook that persists across sessions, ensuring institutional knowledge is retained.

– Enhanced Accuracy: Each plugin invocation sends the entire notebook history, enabling the endpoint to produce richer, more accurate analyses over time.

Impact on Malware Analysis:

This endpoint marks a significant leap in integrating large language model (LLM)-powered AI into traditional reverse engineering tools. By automating the preliminary review of code blocks and learning iteratively from analyst feedback, Code Insight reduces repetitive tasks and accelerates threat discovery.

Although currently in trial mode, early feedback from the security community has been overwhelmingly positive. As VirusTotal refines the service, analysts can expect broader format support, enhanced accuracy, and deeper contextual awareness, all aimed at empowering defenders in the ever-evolving malware landscape.