A full malware analysis is quite long to perform. Depending on the sample's complexity and the desired level of detail, it takes between half a day and 10 days. Can we speed up the process with assistance from Artificial Intelligence (AI)? Will the quality of the analysis be good enough?
I started the research open-minded, not knowing whether the outcome would be positive or not. For my tests, I collected recent Linux and IoT malware that I had never worked on before, and analyzed the binaries with r2ai. The r2ai project handles the communication between r2 - the Radare2 open source disassembler - and an LLM. The results were astonishingly good. The main functions of the malware were often decompiled in a very correct and understandable manner. We can even get the AI to defeat obfuscation mechanisms. Personally, I hadn't expected the AI to be that good, but - as with everything? - there were many caveats:
- You cannot expect the best results in a single go. Using an AI is comparable to teamwork with a smart intern. You need to discuss and guide the AI towards what you are interested in.
- The AI is very convincing, but you should not trust it blindly (never!). You need to check everything it claims. Hallucinations are the best-known issue, but we also need to take care of omissions (very frequent) and exaggerations.
- Costs are usually controlled and very low, but in some cases, they can grow a bit too quickly if you do not pay attention to the amount of data you send to the AI.
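The third caveat, keeping the volume of data sent to the model under control, is easy to automate around the disassembler. The following script is an added example and is not code from the talk or from the r2ai project: it takes a function list in the shape radare2's `aflj` command returns (fields `name`, `size`, `offset`), skips imports and trivial stubs, selects the largest remaining functions until a token budget is exhausted, and estimates the cost before anything leaves the machine. The characters-per-token ratio and the price per million tokens are assumptions (placeholders, not a real model's tariff); the sample function list and disassembly are constructed so the script runs without radare2, and the optional `load_from_r2` helper shows how the same data would be pulled from a real binary through r2pipe.

```python
"""Budget the disassembly handed to an LLM during r2-assisted analysis.

Added example (not the talk's or r2ai's code). Assumptions: function records look
like radare2's `aflj` JSON (name, size, offset); ~4 characters per token is a
coarse estimate for disassembly text; the price is a placeholder.
"""
from dataclasses import dataclass

CHARS_PER_TOKEN = 4            # assumption: coarse estimate for x86/ARM listings
PRICE_PER_MTOKEN_USD = 3.0     # placeholder tariff, replace with your provider's
MIN_FUNCTION_SIZE = 16         # bytes; smaller functions are usually thunks/stubs

# Constructed sample in the shape of `aflj` output (not from a real binary).
SAMPLE_FUNCTIONS = [
    {"name": "main", "size": 420, "offset": 0x401000},
    {"name": "sym.imp.socket", "size": 6, "offset": 0x401f00},
    {"name": "fcn.00401200", "size": 96, "offset": 0x401200},
    {"name": "fcn.00401a00", "size": 1800, "offset": 0x401a00},
]
# Constructed stand-in for `pdf` output: one listing line per ~5 bytes of code.
SAMPLE_DISASM = {
    f["name"]: f"; disassembly of {f['name']}\n" + "mov eax, ebx\n" * (f["size"] // 5)
    for f in SAMPLE_FUNCTIONS
}


@dataclass
class Chunk:
    name: str
    text: str
    est_tokens: int


def estimate_tokens(text: str) -> int:
    """Rough token estimate; good enough to stop a runaway bill, not for billing."""
    return max(1, len(text) // CHARS_PER_TOKEN)


def is_worth_sending(fn: dict) -> bool:
    """Imports and tiny stubs carry no logic worth an LLM round-trip."""
    return not fn["name"].startswith("sym.imp.") and fn["size"] >= MIN_FUNCTION_SIZE


def plan_budget(functions, disasm, token_budget):
    """Largest functions first (they usually hold the main logic) until the budget is spent.

    Returns (selected chunks, [(skipped name, reason)], estimated cost in USD).
    """
    selected, skipped, used = [], [], 0
    for fn in sorted(functions, key=lambda f: f["size"], reverse=True):
        if not is_worth_sending(fn):
            skipped.append((fn["name"], "import or stub"))
            continue
        text = disasm[fn["name"]]
        tokens = estimate_tokens(text)
        if used + tokens > token_budget:
            skipped.append((fn["name"], "over budget"))
            continue
        selected.append(Chunk(fn["name"], text, tokens))
        used += tokens
    return selected, skipped, used * PRICE_PER_MTOKEN_USD / 1_000_000


def render_prompt(chunks) -> str:
    """Ask for explicit uncertainty so omissions and guesses are easier to spot."""
    header = ("Explain what each function does. Mark anything you are unsure about "
              "and list any call or branch you did not cover.\n\n")
    return header + "\n\n".join(f"### {c.name}\n{c.text}" for c in chunks)


def load_from_r2(path: str):
    """Optional: pull the same data from a real binary (requires radare2 + r2pipe)."""
    import r2pipe  # imported here so the rest of the script runs without it
    r2 = r2pipe.open(path)
    r2.cmd("aaa")                       # analyze functions and references
    fns = r2.cmdj("aflj")               # list functions as JSON
    disasm = {f["name"]: r2.cmd(f"pdf @ {f['offset']}") for f in fns}
    return fns, disasm


if __name__ == "__main__":
    sel, skip, cost = plan_budget(SAMPLE_FUNCTIONS, SAMPLE_DISASM, token_budget=1500)
    print(f"sending {[c.name for c in sel]}, skipping {skip}, est. ${cost:.4f}")
    print(render_prompt(sel)[:200])
```

Run it against the constructed sample first; then swap in `load_from_r2("/path/to/sample")` once you are happy with the budget, and raise the ceiling function by function rather than dumping the whole binary into a single prompt.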
In this presentation, I will show how to use r2ai over recent versions of Linux/Ladvix (aka Rhomba, Ebola) and a Linux shellcode of March 2025. We will tackle the three issues mentioned above, and see how to get the best results, spot hallucinations, etc., while keeping costs below 10 dollars.
Expect several demos.