paint-brush
How to Use ChatGPT for Malware Analysis by@anyrun
1,252 reads
1,252 reads

How to Use ChatGPT for Malware Analysis

by ANY.RUNOctober 11th, 2023
Read on Terminal Reader
Read this story w/o Javascript

Too Long; Didn't Read

How exactly is AI useful in addressing malware attacks? Let’s focus on three tasks that can be greatly facilitated with the help of an AI assistant.
featured image - How to Use ChatGPT for Malware Analysis
ANY.RUN HackerNoon profile picture

Since the dawn of the digital age, malware has been a constant concern to computer systems. In fact, every technological advancement provided threat actors with additional tools for making their creations more sophisticated and destructive. However, a year into the new era marked by the rise of generative AI, it seems this trend is reversing, as cybersecurity professionals are now becoming the main beneficiaries of solutions like ChatGPT.

How exactly is AI useful in addressing malware attacks?

The seemingly limitless capabilities of ChatGPT make it a highly versatile instrument, suitable for numerous scenarios in cybersecurity. To demonstrate, let’s focus on three tasks that are performed practically by every malware analyst, and that can be greatly facilitated with the help of an AI assistant.

1. YARA rules creation

YARA rules are an essential mechanism for detecting malware based on certain patterns. To ensure proper threat coverage, analysts need to write many of these, and doing it is hardly a walk in the park, especially in terms of the time needed.


Thankfully, ChatGPT can significantly accelerate and largely automate the entire process by printing such rules on the spot. All one needs is to provide the chatbot with proper instructions. Of course, in most cases, a little touch-up will be required.


Although it makes occasional errors, ChatGPT can be helpful for YARA rule writing. 


Here, ChatGPT failed to specify that strings can be in 2 encodings, ASCII and wide and missed an extra question in the $str4 string. Yet, for a rule produced basically in seconds, it is impressive and extremely useful for speeding up the workflow.


Use the prompt to create your rules with ChatGPT:


GPT, could you help me write a YARA rule? I am trying to detect a specific malware
sample which has the following characteristics:
[REPLACE WITH CHARACTERISTICS].
How can I write a YARA rule that accurately identifies this malware?
Do not explain about YARA, provide a rule, following with an overview of the logic.


2. Suricata rules writing

Suricata rules are another part and parcel of effective malware detection and analysis. In this regard, ChatGPT also proves to be a nifty tool, offering variants that are almost as good as those written by a junior analyst.


ChatGPT may be subpar at Suricata rules, but it can help you get started. 


As it becomes clear from the example, the chatbot still has room for improvement, but by treating its results as a rough draft that can give you a foundation to build on, you can once again save a great deal of time.


Use this prompt to generate your rules:


ChatGPT, please generate a Suricata rule that detects [YOUR CONDITION].

Use the following information if provided:

Options: [options]

Actions: [actions]

Headers: [headers]

Please note that these elements may not always be provided. If none of these

details are given, please create a rule that just detects [YOUR CONDITION].


3. Understanding malicious activities

Still, the key use case for ChatGPT when it comes to malware analysis is the ability to learn more about specific actions undertaken by different threats. For instance, in the example below, we asked the chatbot about the ways malware can exploit the legitimate utility w32tm.exe, and it gave a solid response.


ChatGPT can offer a good hint for what you need to do to ensure proper detection. 


In fact, you can access such information in a more convenient way by using the free ANY.RUN sandbox. The service is intended for analyzing files and links through direct interaction in a safe cloud Windows VM.


It not only detects malicious network traffic, processes, and registry changes but also lets you gain additional insights into the objects of your interest, including triggered Suricata rules, using its built-in ChatGPT feature.


An AI-generated report on a malicious process detected by ANY.RUN 


Thanks to this, you can get a comprehensive understanding of how and why malware performs certain activities and what that means for your infrastructure’s security. Check out the video below to see how the chatbot breaks down the commands entered by the malware in the command line and highlights their purpose.

Conclusion

For now, generative AI is by no means spelling doom for the entire malware industry. However, the likes of ChatGPT are clearly making it easier than ever for professionals to do their work, enabling them to respond to attacks faster and improve organizations’ security posture.


Integrating chatbots into routine workflows, particularly through platforms like ANY.RUN can be remarkably advantageous and serve to considerably boost your proficiency and efficiency as an analyst.


Explore ANY.RUN’s entire range of features, including your private team space, Windows 10/11 VMs, and API integration, using a 14-day free trial.