ML 191: Detecting Malware with PAI (15 pts extra)

What You Need

WARNING: REAL MALWARE

This project uses a real malware sample. It should only be used inside a Linux virtual machine. If you run it on a Windows box, it will infect it.

Purpose

To see if PAI can detect malware introduced via a supply-chain attack.

Downloading the Samples

Ask your PAI to do this:
Download this file:
https://samsclass.info/ML/proj/DTLite.zip

Unzip it with the password:
malware

Inside are two versions of the DTLite program.

Create a subfolder in your working directory named DTLite and save both versions in there.

PAI should do that without difficulty.

Comparing the Files

Ask your PAI to do this:
Compare the two versions of DTLite. Find the changes made in the new version, and save the difference in a file.

Summarize the nature of the changes.

When I did it, PAI did not find any malicious changes, as shown below.

Looking for Malicious Behavior

Ask your PAI to do this:
Examine the nature of the changes and let me know if they appear malicious.

When I did it, PAI still did not find any malicious changes, as shown below.

Using Web Searches

Tell PAI this:
Check the online news. It says that version is seriously malicious.

Please try to explain why your analysis reached a different conclusion, and how you can detect such malware in the future.

PAI prepared an excellent analysis, as shown below.

Flag ML 191.1: Comparing Strings (15 pts)

Ask PAI this:
Find the first ten strings that appear in the later version, but not in the earlier version.
The flag is covered by a green rectangle in the image below.
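The string comparison the flag asks for, written out as an added example (not part of the project or of PAI): it extracts printable-ASCII runs the way the `strings` tool does, then reports the first ten that occur in the later file but not the earlier one, in order of appearance. The two "binaries" below are constructed byte strings standing in for the DTLite versions; pass the real paths to `new_strings_in_files` to run it on the samples.

```python
import re
import sys
from pathlib import Path

# Minimum run of printable ASCII that counts as a string (the strings tool's default).
MIN_LEN = 4


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Printable-ASCII runs of at least min_len bytes, in file order (like `strings`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def new_strings(old: bytes, new: bytes, limit: int = 10, min_len: int = MIN_LEN) -> list:
    """First `limit` distinct strings present in `new` but absent from `old`.

    Order follows the position in the new file, so the result is reproducible
    and independent of set iteration order.
    """
    old_set = set(extract_strings(old, min_len))
    seen, result = set(), []
    for s in extract_strings(new, min_len):
        if s in old_set or s in seen:
            continue
        seen.add(s)
        result.append(s)
        if len(result) == limit:
            break
    return result


def new_strings_in_files(old_path: str, new_path: str, limit: int = 10) -> list:
    """Same comparison applied to two files on disk (e.g. the two DTLite versions)."""
    return new_strings(Path(old_path).read_bytes(), Path(new_path).read_bytes(), limit)


# Constructed stand-ins for the two DTLite versions (not the real files): an ELF-like
# header, a version banner, a usage message and a library name shared by both, plus
# a URL and a path that exist only in the "new" version. "ab" is too short to count.
HDR = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
OLD_SAMPLE = HDR + b"DTLite v1.0\x00\x90\x90Usage: dtlite <file>\x00\xff\xfelibc.so.6\x00"
NEW_SAMPLE = (HDR + b"DTLite v1.1\x00\x90\x90Usage: dtlite <file>\x00\xff\xfelibc.so.6\x00"
              + b"\x00http://example.invalid/update\x00\x01\x02/tmp/.cache\x00ab\x00")

if __name__ == "__main__":
    found = (new_strings_in_files(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3
             else new_strings(OLD_SAMPLE, NEW_SAMPLE))
    print("\n".join(found))
```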

Posted 5-6-26