Virustotal today unveiled a powerful addition to its Code Insight suite: a dedicated API endpoint that accepts code snippets—either disassembled or decompiled—and returns succinct summaries and detailed descriptions tailored for malware analysts.
Launched over two years after the debut of Code Insight at RSA 2023, this endpoint represents a significant step toward automating reverse engineering workflows and integrating AI-driven analysis directly into popular disassembly tools.
Traditional reverse engineering requires analysts to manually trace code paths, infer behavior, and document findings—often a tedious process when dealing with complex or obfuscated binaries.
Virustotal’s new endpoint, api/v3/codeinsights/analyse-binary, dramatically reduces this burden by:
- Receiving a Base64-encoded code block and its type (
disassembledordecompiled). - Optionally ingesting a history of prior queries and analyst-edited responses to provide context.
- Returning two fields:
- summary: a high-level view of the function’s purpose.
- description: a step-by-step explanation of its inner workings.
By chaining successive requests—with each including analyst-approved edits—Code Insight “learns” from the investigation, delivering progressively more accurate analyses and helping discover hidden behaviors more efficiently.
Let’s illustrate the benefits of the new plugin with a practical example. Imagine an analyst needs to analyze a malicious binary file to understand its function.
To demonstrate seamless adoption, Virustotal has updated its VT-IDA plugin for IDA Pro, embedding the new endpoint directly into the disassembly interface.
Accepted analyses populate a “CodeInsight Notebook,” where summaries and descriptions can be refined and used as context for subsequent queries.
An analyst exploring a suspicious binary might:
- Select an obfuscated function suspected of implementing an anti-debugging routine.
- Send the disassembled snippet to the endpoint and receive a summary identifying a hidden jump technique.
- Notice the description omits the eventual return address calculation, then edit the text to include that detail.
- Accept the edited analysis, adding it to the Notebook so future queries leverage this enriched context.
As the Notebook grows, the AI assistant refines its output—surfacing nuanced behaviors such as string translations or memory-map references that would otherwise require manual cross-referencing.
Practical Benefits and Visual Aids
In trial testing, analysts reported up to a 40 percent reduction in time spent on initial code triage, with the endpoint rapidly flagging interesting functions for deeper investigation.
Analysts simply highlight a function, invoke the plugin, and receive AI-powered feedback without leaving their workflow.
The VT-IDA plugin also highlights non-English strings in assembly, translating them and pinpointing their memory offsets—crucial for understanding localization or command-and-control directives embedded in malware.
Switching to decompiled views further enriches analysis. While disassembly exposes raw opcodes and literal data, decompiled code offers clearer control-flow structures.
The endpoint leverages both representations: previously analyzed disassembled functions inform decompiled analyses, resulting in concise explanations that combine the best of each view.
Community-Driven Trial
Currently available in trial mode, both the endpoint and VT-IDA plugin invite community feedback to refine accuracy and expand coverage.
Virustotal cautions that AI-generated descriptions may occasionally miss edge-case behaviors or contain minor errors, underscoring the importance of analyst review.
As more analysts contribute edits and suggestions, the system’s proficiency is expected to grow.
Looking ahead, Virustotal plans to extend Code Insight to additional file formats and reverse engineering platforms, solidifying its role as an indispensable assistant for malware researchers.
Analysts are encouraged to experiment with the endpoint, share feedback via the public GitHub repository, and stay tuned for upcoming enhancements that will further integrate AI into the reverse engineering lifecycle.
Virustotal’s new code analysis endpoint marks a notable advance in marrying large language models with traditional disassembly tools—empowering malware analysts to work smarter, not harder, as they unravel increasingly sophisticated threats.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
