Install: claude install-skill 26zl/cybersec-toolkit
# Analyzing Linux ELF Malware
## When to Use
- A Linux server or container has been compromised and suspicious ELF binaries are found
- Analyzing Linux botnets (Mirai, Gafgyt, XorDDoS), cryptominers, or ransomware
- Investigating malware targeting cloud infrastructure, Docker containers, or Kubernetes pods
- Reverse engineering Linux rootkits and kernel modules
- Analyzing cross-platform malware compiled for Linux x86_64, ARM, or MIPS architectures
**Do not use** for Windows PE binary analysis; use PEStudio, Ghidra, or IDA for Windows malware.
## Prerequisites
- Ghidra or IDA with Linux ELF support for disassembly and decompilation
- Linux analysis VM (Ubuntu 22.04 recommended) with development tools installed
- strace, ltrace, and GDB for dynamic analysis and debugging
- readelf, objdump, and nm from GNU binutils for static inspection
- Radare2 for quick binary triage and scripted analysis
- Docker for isolated container-based malware execution
## Workflow
### Step 1: Identify ELF Binary Properties
Examine the ELF header and basic properties:
```bash
# File type identification
file suspect_binary
# Detailed ELF header analysis
readelf -h suspect_binary
# Section headers
readelf -S suspect_binary
# Program headers (segments)
readelf -l suspect_binary
# Symbol table (if not stripped)
readelf -s suspect_binary
nm suspect_binary 2>/dev/null
# Dynamic linking information (readelf only parses the file, it never runs it)
readelf -d suspect_binary
# ldd may hand the binary to the dynamic loader and execute attacker code:
# run it only on a matching architecture inside the isolated analysis VM,
# or read the NEEDED entries from readelf -d / objdump -p instead
ldd suspect_binary 2>/dev/null
# Co
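# Added example, not part of the original skill: a triage helper that reads the
# ELF identification bytes with od, so the sample is never executed (unlike ldd,
# which may start the dynamic loader). Prints class, byte order, machine, type.
elf_triage() {
    elf_file=$1
    # First 20 bytes: e_ident[16], then e_type and e_machine (2 bytes each).
    set -- $(od -An -tu1 -N 20 "$elf_file")
    # Magic must be 0x7f 'E' 'L' 'F'; anything else is not an ELF object.
    [ "$#" -ge 20 ] && [ "$1" = 127 ] && [ "$2" = 69 ] && [ "$3" = 76 ] && [ "$4" = 70 ] ||
        { echo "not an ELF file: $elf_file" >&2; return 1; }
    case $5 in 1) cls=ELF32 ;; 2) cls=ELF64 ;; *) cls="class=$5" ;; esac
    case $6 in 1) end=little-endian ;; 2) end=big-endian ;; *) end="data=$6" ;; esac
    # e_type/e_machine are stored in the file's own byte order (EI_DATA decides),
    # which is what makes big-endian MIPS router samples parse correctly.
    if [ "$6" = 2 ]; then
        etype=$(( ${17} * 256 + ${18} )); emach=$(( ${19} * 256 + ${20} ))
    else
        etype=$(( ${18} * 256 + ${17} )); emach=$(( ${20} * 256 + ${19} ))
    fi
    # e_machine values from the ELF spec: EM_386, EM_MIPS, EM_ARM, EM_X86_64, EM_AARCH64
    case $emach in
        3) mach=x86 ;; 8) mach=MIPS ;; 40) mach=ARM ;; 62) mach=x86-64 ;; 183) mach=AArch64 ;;
        *) mach="e_machine=$emach" ;;
    esac
    # DYN covers both shared objects and PIE executables; check for PT_INTERP to tell them apart
    case $etype in
        1) typ=REL ;; 2) typ=EXEC ;; 3) typ=DYN ;; 4) typ=CORE ;; *) typ="e_type=$etype" ;;
    esac
    echo "$cls $end $mach $typ"
}
# Usage: elf_triage suspect_binary   (prints e.g. "ELF64 little-endian x86-64 DYN")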