It’s pretty clear by now that AI like ChatGPT gives productivity a big push. Studies in all kinds of areas show that using chatbots ramps up efficiency, and this holds true in the realm of malware analysis as well.
Not long ago, we shared thoughts on how ChatGPT falls short when it comes to analyzing malware. We asked it to interpret and deobfuscate malicious code — it managed with simplified examples but fell short when faced with real-world scenarios.
So, as a malware analyst, ChatGPT isn’t taking your place just yet. But ChatGPT can be a real time-saver by helping with routine tasks.
In this article, let’s look at 3 examples of how you can use ChatGPT to boost productivity:
- Writing YARA rules
- Writing Suricata rules
- Understanding why/how adversaries exploit a program
(We’ve included prompts for you).
1. Writing YARA rules
At ANY.RUN, we occasionally use ChatGPT to speed up our YARA rule writing. What we particularly appreciate is that the AI even includes comments. This feature is a timesaver as it spares you the trouble of coming up with descriptive text. It will also help those of us who are not native English speakers.
It’s cool that we’ve got a YARA rule template with the lines of interest so quickly. It really simplifies the routine job. However, the chat’s answer needs to be checked and refined by hand:
- GPT forgot to specify that strings can be in 2 encodings – ascii and wide.
- It missed one extra question in the $str4 string because the original one probably needed 5 characters replacement.
- The chat did not write an optimal condition by listing $str1, $str2 etc., it could have just specified “all of them”.
Anyway, it speeds up work considerably.
What’s more, GPT helpfully clarifies the reasoning behind its choices in the follow-up section, aiding in the evaluation of its logic.
On the flipside, though, it can get a bit wordy sometimes and stray into an unasked-for explanation about what YARA is. Here’s a prompt you can use to counter that:
|GPT, could you help me write a YARA rule? I am trying to detect a specific malware|
sample which has the following characteristics:
[REPLACE WITH CHARACTERISTICS].
How can I write a YARA rule that accurately identifies this malware?
Do not explain about YARA, provide a rule, following with an overview of the logic.
2. Writing Suricata rules
We’ve noticed that ChatGPT can struggle with writing Suricata rules, and minor errors can pop up frequently. But more often than not, it comes up with results that are “almost there,” proving itself to be a handy time-saving tool.
It’s wise to steer clear of using GPT’s output directly in a production setting. But if you treat it more like a rough draft, it can certainly save you some typing. Bearing this in mind, here’s a prompt you could use:
|ChatGPT, please generate a Suricata rule that detects [YOUR CONDITION]. |
Use the following information if provided:
Please note that these elements may not always be provided. If none of these
details are given, please create a rule that just detects [YOUR CONDITION].
You can substitute [options], [actions], and [headers] with the specific details you want to include in the rule. If you don’t want to specify any of these, just leave them blank. GPT will figure out that no extra details are supplied and will focus on creating a rule for your baseline condition, like an HTTP POST request without a User-Agent header in our example.
3. Understanding why/how adversaries exploit a program
For instance, we came across a signature written for a w32tm.exe. But how can adversaries take advantage of this legitimate utility? Asking ChatGPT can be a quick method to gain preliminary insights.
You don’t really need a prompt template for this one, but here’s one just for good measure:
|Hello GPT, please explain how adversaries can exploit ____|
General Tips for Using ChatGPT
When you’re working with ChatGPT (or any chatbot, for that matter), there are a few things you should remember:
- Provide context. We’ve discovered that the quality of the response you get relates directly to the amount of context you provide. So don’t just throw orders at it. Instead, explain your reasoning and share as many details as possible. If GPT gets lost, it remembers the conversation history, so getting it back on track is typically swift and easy.
- Filter prompts for sensitive data. It’s uncertain what happens to your data when you share it with ChatGPT. At the very least, it’s visible to the folks at OpenAI, so ensure you don’t accidentally reveal sensitive information during your AI chats.
- Stay courteous. Sure, it’s just a text-assistant right now, but who knows what the future holds? Maybe it’ll take over the world one day. So, let’s play it safe and be kind to it.
Over to you
Did we overlook a handy ChatGPT capability? Do you use it in your work? We’re genuinely curious to know, so feel free to share your experiences in the comments below. We’re sure it’ll help others streamline some of their routine tasks as well.