May 15 02:30 PM EDT
Talks will be streamed on YouTube and Twitch for free.
A full malware analysis takes a long time to perform. Depending on the sample's complexity and the desired level of detail, it takes between half a day and 10 days. Can we speed up the process with assistance from Artificial Intelligence (AI)? Will the quality of the analysis be good enough?
I started the research open-minded, not knowing whether the outcome would be positive or not. For my tests, I collected recent Linux and IoT malware that I had never worked on before, and analyzed the binaries with r2ai. The r2ai project handles the communication between r2 - the Radare2 open source disassembler - and an LLM. The results were astonishingly good. The main functions of the malware were often decompiled in a very correct and understandable manner. We can even get the AI to defeat obfuscation mechanisms. Personally, I hadn't expected the AI to be that good, but - as with everything? - there were many caveats:
- You cannot expect the best results in a single go. Using an AI is comparable to team work with a smart intern. You need to discuss and guide the AI towards what you are interested in.
- The AI is very convincing, but you should not trust it blindly (never!). You need to check everything it claims. Hallucinations are the best-known issue, but we also need to watch out for omissions (very frequent) and exaggerations.
- Costs are usually controlled and very low, but in some cases, they can grow a bit too quickly if you do not pay attention to the amount of data you send to the AI.
In this presentation, I will show how to use r2ai on recent versions of Linux/Ladvix (aka Rhomba, Ebola) and a Linux shellcode from March 2025. We will tackle the three issues mentioned above, and see how to get the best results, spot hallucinations, etc., while keeping costs below 10 dollars.
Expect several demos.
Axelle Apvrille, Principal Security Researcher, Fortinet
Axelle Apvrille is a Principal Security Researcher at Fortinet, Fortiguard Labs. Her research interests are mobile and IoT malware that she reverses every day. In addition, she is the lead organizer of Ph0wn CTF, an on-site competition which focuses on ethical hacking of smart objects. In a prior life, Axelle used to implement cryptographic algorithms and security protocols.
Axelle has spoken at many conferences such as Black Hat Europe, Confidence, Hack.Lu, Hacktivity, Insomni'hack, ShmooCon, Troopers, Virus Bulletin... NorthSec 2021 ;-) She has also published in academic journals such as IEEE Security & Privacy and the Journal in Computer Virology. She regularly writes for the French magazines MISC and Hackable, and has recently published in Phrack #71.