Tuesday, April 30, 2024

Analyzing Malware in Binaries and Executables with AI

In a recent post titled "From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis", published on the Google Cloud Security blog, we explore the capabilities of Gemini 1.5 Pro, which enhances malware analysis by processing up to 1 million tokens. This advancement allows the tool to analyze large amounts of disassembled or decompiled code in a single pass, providing a complete view of the malware's logic to produce verdicts and summary reports. The blog post highlights practical applications of this approach, using well-known malware such as WannaCry and also entirely new and previously undetected malware. These examples show that Gemini 1.5 Pro's reports are not based on pre-trained data of those specific samples but on its ability to analyze the code itself. For more details on how Gemini 1.5 Pro operates in malware analysis, we encourage you to read the complete post here.

At VirusTotal, Gemini 1.5 Pro has been effectively utilized in Code Insight to process macros in Office documents that exceed the token limits of traditional models. For instance, "PLEX.xlam" is the most recent file that, at the time of writing this paragraph, required the use of Gemini 1.5 Pro due to its long content. This file was flagged by several antivirus engines and two sandboxes. Code Insight conducted an analysis by extracting 34 macros, which resulted in 138,332 tokens. The detailed report from Code Insight provides a comprehensive understanding of the macros' functionalities. This analysis aids in clarifying the intentions behind these macros, helping to determine whether the security alerts indicate actual threats or potential false positives.

We will continue to deploy Gemini 1.5 Pro's analysis capabilities across various file formats and are actively working on scaling up disassembly and decompilation techniques to begin processing binaries, as demonstrated in the examples described earlier in this post. Our goal is to expand the scope of our automated malware analysis, enhancing our ability to handle increasingly complex threats efficiently.

We invite the community to collaborate in this initiative. If you have unpacking utilities, specialized models, or innovative ideas related to malware analysis, your contributions would be invaluable. Together, we can expand the boundaries of what is achievable in cybersecurity and strengthen our collective defenses against emerging threats.


Post a Comment