VirusTotal Code Insight: AI-powered malware analysis feature
VirusTotal announced the launch of Code Insight, a new feature of the malware detection and analysis platform, which uses AI to analyse code and provide information on detected threats.
One of VirusTotal's core features is that it checks uploaded files against dozens of different antivirus engines. It is a public service, but additional features are only available for users who create an account or pay VirusTotal for access.
VirusTotal listed the results of its scans immediately to the user. Detected hits revealed how the maker of the antivirus engine classified the threat, but things stopped there.
The new VirusTotal Code Insight feature goes a step further. It uses artificial intelligence, more specifically Google's Cloud Security AI Workbench, to analyze the malicious code. The new Detection tab on VirusTotal's scan results page provides the information of that analysis.
Here is a an example to highlight the output. Code insight can be very specific. In this case, VirusTotal revealed that the "code is a Discord bot that attempts to steal Discord tokens from users". Further explanation is provided, and VirusTotal notes on its blog that the "functionality empowers security experts and analysts by providing them with deeper insights into the purpose and operation of analyzed code".
The blog post offers some insights on how Code Insight works behind the scenes: "Code Insight is a new feature based on Sec-PaLM, one of the generative AI models hosted on Google Cloud AI. What sets this functionality apart is its ability to generate natural language summaries from the point of view of an AI collaborator specialized in cybersecurity and malware. This provides security professionals and analysts with a powerful tool to figure out what the code is up to."
Code Insights' analysis is independent of any antivirus solution. The feature analyses the code of the uploaded file and uses this analysis to provide information to users. This means, that Code Insights may detect threats that the antivirus engines do not detect, and that it may also detect no threats, when antivirus engines detect threats.
The new code analysis feature is limited to PowerShell scripts currently. Files that are similar to previously processed files and excessively large files are excluded from the scan for now. Virustotal notes that this approach guarantees an "efficient use of analysis resources".
The company plans to add support for additional file formats in the coming days, but has not yet revealed the filetypes that it plans to add.
Closing Words
The new Code Insights feature of VirusTotal improves the service significantly. While limited to PowerShell files currently, additional filetypes will be added regularly by VirusTotal to expand the feature further.
It is designed for security researchers and professionals for the most part, but anyone may benefit from the feature, as it provides another perspective.
Now You: do you use Virustotal?
Sadly, I have found the VirusTotal site to be unusable.
Their RECAPTCHA app doesn’t stop hounding me.
It’s so annoying I have stopped the site.