Virustotal’s New Endpoint Provides Functionality Descriptions for Malware Analysts’ Code Requests

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


VirusTotal today unveiled a new Code Insight endpoint that receives code requests from malware analysts and returns a description of the code's functionality, a powerful addition to the platform.

Designed to streamline reverse engineering workflows, the new API endpoint pre-analyzes disassembled or decompiled code and highlights behaviors most relevant to malware hunters. 

Early adopters report significant reductions in manual triage time, allowing analysts to focus on complex investigation steps rather than boilerplate documentation.

Key Takeaways
1. The analyze-binary endpoint returns AI-generated summaries and detailed descriptions of code snippets.
2. It learns from analyst-approved history to refine insights over time.
3. VT-IDA Plugin integration builds a persistent CodeInsight Notebook in IDA Pro.

New Endpoint Overview

The new endpoint, api/v3/codeinsights/analyse-binary, accepts a JSON payload containing Base64-encoded code blocks alongside metadata for context. Payload parameters include:

Upon receiving a request, the endpoint returns two fields:

  • A summary: a concise overview of the function's purpose, such as network I/O routines or anti-debugging logic.
  • A description: a detailed breakdown of control flow, API calls, string references, and potential obfuscation techniques.

New version of the plugin

By chaining previous requests in the history array, the service builds a contextual model that learns as the analyst iterates. 

For instance, if an initial query flags a custom XOR routine, subsequent analyses incorporate that knowledge to identify similar patterns more accurately, VirusTotal said.

This chaining capability differentiates Code Insight from standalone static analysis, as the endpoint effectively “remembers” and refines its insights based on user-provided feedback.

Integration into IDA Pro

To demonstrate real-world utility, VirusTotal updated its VT-IDA Plugin to leverage the new endpoint directly within the IDA Pro interface. 

Malware analysts can now select a function in the disassembly or decompiled view, invoke the plugin, and receive instant insights without leaving their reverse engineering environment. Key features include:

  • Analysts can approve or modify the summary and description, capturing corrections or additional context.
  • Approved analyses populate a notebook that persists across sessions, ensuring institutional knowledge is retained.
  • Each plugin invocation sends the entire notebook history, enabling the endpoint to produce richer, more accurate analyses over time.
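The request/response shape and the notebook chaining described above, as an added illustration that is not VirusTotal's own client or plugin code. The endpoint path and the x-apikey header follow the public VirusTotal API v3 convention; the JSON field names (`code`, `metadata`, `history`, `summary`, `description`) and the notebook file format are assumptions for this example, since the article does not list the payload parameters. The transport is pluggable so the example runs offline against a fake response.

```python
"""Added example (not VirusTotal's code): build a Code Insight analyse-binary
request, chain analyst-approved history, and persist approvals in a notebook.

Assumed (not on the page): the JSON field names below and the notebook layout.
Known: the VT v3 base URL and the x-apikey header used by the public v3 API.
"""
import base64
import json
import os
import urllib.request

VT_BASE = "https://www.virustotal.com/api/v3"
ENDPOINT = f"{VT_BASE}/codeinsights/analyse-binary"  # path from the announcement


def build_request(code: bytes, metadata: dict, history: list) -> dict:
    """Base64-encode a code block and attach context; field names are assumed."""
    return {
        "code": base64.b64encode(code).decode("ascii"),
        "metadata": metadata,
        "history": list(history),  # prior approved analyses, oldest first
    }


class Notebook:
    """Persistent store of analyst-approved analyses, mirroring the plugin's notebook.
    Stored as a JSON list so it survives across sessions (assumed layout)."""

    def __init__(self, path: str):
        self.path = path
        self.entries = []
        if os.path.exists(path):
            with open(path) as f:
                self.entries = json.load(f)

    def approve(self, function_name: str, summary: str, description: str) -> dict:
        """Record an analyst-approved (possibly corrected) analysis and save it."""
        entry = {"function": function_name, "summary": summary, "description": description}
        self.entries.append(entry)
        with open(self.path, "w") as f:
            json.dump(self.entries, f)
        return entry


def _http_transport(api_key: str):
    """Real POST to the endpoint; only used when no transport is injected."""
    def send(payload: dict) -> dict:
        req = urllib.request.Request(
            ENDPOINT,
            data=json.dumps(payload).encode("utf-8"),
            headers={"x-apikey": api_key, "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def analyse(code: bytes, metadata: dict, notebook: Notebook, api_key: str, transport=None) -> dict:
    """Send one code block with the whole notebook history (as the plugin does)
    and return the two documented fields; anything else in the reply is dropped."""
    payload = build_request(code, metadata, notebook.entries)
    send = transport or _http_transport(api_key)
    reply = send(payload)
    missing = [k for k in ("summary", "description") if k not in reply]
    if missing:
        raise ValueError(f"endpoint reply lacks fields: {missing}")
    return {"summary": reply["summary"], "description": reply["description"]}


if __name__ == "__main__":
    # Constructed sample: a tiny byte stub standing in for a disassembled function.
    sample_code = b"\x31\xc0\x31\xc9\xc3"
    nb = Notebook("codeinsight_notebook.json")

    def fake_transport(payload):  # canned reply for offline use
        n = len(payload["history"])
        return {"summary": "XOR decode loop", "description": f"seen {n} prior analyses"}

    first = analyse(sample_code, {"function": "sub_401000"}, nb, "API_KEY_PLACEHOLDER", fake_transport)
    nb.approve("sub_401000", first["summary"], "analyst-corrected: XOR with rolling key")
    second = analyse(sample_code, {"function": "sub_401020"}, nb, "API_KEY_PLACEHOLDER", fake_transport)
    print(first, second, sep="\n")
```

Each call sends the full notebook, so an approved correction from one function is available as context for the next; the notebook file is what carries that context between IDA sessions.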

This endpoint marks a significant leap in integrating LLM-powered AI into traditional reverse engineering tools. 

By automating the preliminary review of code blocks and learning iteratively from analyst feedback, Code Insight reduces repetitive tasks and accelerates threat discovery. 

Although currently in trial mode, early feedback from the security community has been overwhelmingly positive.

As VirusTotal refines the service, analysts can expect broader format support, enhanced accuracy, and deeper contextual awareness, all aimed at empowering defenders in the ever-evolving malware landscape.
