Stay alert: a recent, as yet unidentified trojan targeting the Linux environment, delivered as a malicious UPX-compressed ELF file (11th Oct, 2021)

Preface: Antivirus software isn’t entirely useless on Linux. If you are running a Linux-based file server or mail server, you will probably need antivirus help.

Background: ELF, an acronym for Executable and Linkable Format, is the standard binary format for executables, object code, core dumps and shared libraries on Linux and most other Unix-like systems. It is a file format rather than a file extension: an ELF file is recognised by the magic bytes 0x7F 'E' 'L' 'F' at the start of the file, so a malicious binary can carry any name or suffix, or none at all, and still be executed.

Observation and synopsis: A cyber criminal may send you an email luring you to download an ELF binary on the following pretext. ELF is also the format used for Nintendo Wii applications, both official titles and homebrew, run on a Wii or a Wii emulator. A file advertised as a Wii game or homebrew app therefore gives the victim a plausible reason to download, and then run, an ELF binary.

Perhaps you have not installed antivirus software on your Linux system. Even so, you can use simple Linux commands to check whether an ELF binary is UPX-compressed. Packing is not proof of malice on its own, since legitimate software is sometimes shipped packed, but an unexpected UPX-packed binary arriving by email deserves suspicion and a VirusTotal lookup before it is ever executed.

Hints: Suspicious ELF binary with UPX compression
In the UPX source code there is a function, int PackW32Pe::canUnpack(), which is run first as a test when you do upx -d (unpack an executable). That particular function handles Windows PE files; the ELF packers in the same source tree carry an equivalent canUnpack() check. Either way, these checks show which offsets are tested to decide whether a file was packed with UPX. On Linux the same markers can be found with strings: a UPX-packed ELF contains the "UPX!" magic and usually the info string "This file is packed with the UPX executable packer". The file command typically reports such a binary as statically linked with no section header, which is a further hint, because UPX strips the section header table when it packs an ELF file.
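The following script is an added example, not code from the original post or from the UPX project. It reads the ELF header with struct, flags the missing section header table, and scans for the "UPX!" magic and the UPX info string; the two sample inputs at the bottom are constructed byte strings standing in for a packed and a clean ELF, not real files.

```python
#!/usr/bin/env python3
"""Triage an ELF file for UPX packing indicators (added example, not UPX's code)."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"  # marker UPX writes into the l_info block and the file trailer
UPX_INFO = b"This file is packed with the UPX executable packer"


def parse_elf_header(data: bytes) -> dict:
    """Return the ELF header fields needed for triage; raise ValueError if not ELF."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file (bad magic)")
    ei_class, ei_data = data[4], data[5]  # 1/2 = ELF32/ELF64, 1/2 = little/big endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed e_ident")
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    fmt = endian + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    f = struct.unpack_from(fmt, data, 16)
    return {"class": 64 if ei_class == 2 else 32, "e_type": f[0], "e_machine": f[1],
            "e_entry": f[3], "e_phnum": f[9], "e_shoff": f[5], "e_shnum": f[11]}


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in data."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def upx_indicators(data: bytes) -> dict:
    """Combine a header heuristic with marker scans into a triage verdict."""
    hdr = parse_elf_header(data)
    magic_offsets = find_all(data, UPX_MAGIC)
    result = {
        "elf_class": hdr["class"],
        "upx_magic_offsets": magic_offsets,
        "has_upx_info_string": UPX_INFO in data,
        # UPX strips the section header table, so e_shoff/e_shnum become 0.
        # Stripped static binaries can look like this too: supporting hint only.
        "no_section_headers": hdr["e_shoff"] == 0 or hdr["e_shnum"] == 0,
    }
    result["likely_upx_packed"] = bool(magic_offsets) or result["has_upx_info_string"]
    return result


def _elf64_header(shoff: int, shnum: int) -> bytes:
    """Constructed minimal little-endian x86-64 ELF64 header for the samples."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1, 0x401000,          # ET_EXEC, EM_X86_64, EV_CURRENT, e_entry
        64, shoff, 0,                  # e_phoff, e_shoff, e_flags
        64, 56, 2,                     # e_ehsize, e_phentsize, e_phnum
        64 if shnum else 0, shnum, 0,  # e_shentsize, e_shnum, e_shstrndx
    )


# Constructed samples (not real files): a UPX-like packed ELF and a clean one.
PACKED_SAMPLE = (
    _elf64_header(shoff=0, shnum=0)
    + b"\x00" * 112                    # stand-in for two program headers
    + UPX_MAGIC + b"\x00" * 12         # stand-in for the l_info block
    + b"\xaa" * 64                     # stand-in for the compressed payload
    + b"$Info: " + UPX_INFO + b" http://upx.sf.net $\n"
    + UPX_MAGIC + b"\x00" * 28         # stand-in for the trailer marker
)
CLEAN_SAMPLE = (
    _elf64_header(shoff=176, shnum=3)
    + b"\x00" * 112                    # stand-in for two program headers
    + b"\x00" * (3 * 64)               # stand-in for three section headers
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, upx_indicators(fh.read()))
    else:
        print("packed sample:", upx_indicators(PACKED_SAMPLE))
        print("clean sample: ", upx_indicators(CLEAN_SAMPLE))
```

Run it as python3 upx_triage.py suspicious.bin on a copy of the file, never by executing the file itself. The same markers are what strings -a suspicious.bin | grep -i upx reveals by hand, and upx -t suspicious.bin confirms a packed file that stock UPX can read. Keep in mind that attackers sometimes patch the "UPX!" magic out of a packed file precisely to defeat this kind of string matching; a negative result from marker scanning does not clear a file, while a missing section header table on a binary that arrived by email is still worth a closer look.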

Reference: For more information, see the VirusTotal report for the sample – https://www.virustotal.com/gui/file/efbd281cebd62c70e6f5f1910051584da244e56e2a3228673e216f83bdddf0aa/detection
