Automated Static Analysis of Linux ELF Malware: Framework and Application


Research area: Safety



Venue: 2025 13th International Symposium on Digital Forensics and Security (ISDFS)


Abstract

The rapid evolution of Linux malware, driven by the increased use of Linux in critical infrastructure, IoT, and cloud environments, underscores the need for scalable static analysis techniques for malware characterization and detection. This study presents an architecture-agnostic framework for static analysis, covering the entire pipeline from raw ELF binaries to machine learning-based focused studies. To facilitate large-scale ELF malware analysis, this study introduces elfradar, a static analysis feature extraction tool that leverages open-source binary analysis frameworks such as Radare2 and LIEF. In addition to extracting ELF metadata and features pertinent to malware analysis, elfradar extracts the Intermediate Representation (IR) of opcodes, enabling architecture-independent analysis for tasks such as opcode-aggregated entropy-based assessments and cross-architecture feature extraction. To demonstrate the effectiveness of the proposed framework, a dataset comprising approximately 20,000 ELF malware binaries from VirusShare was processed using elfradar. As a case study, outlier analysis was conducted on this dataset to identify potential indicators of obfuscation and packed samples. The efficacy of the proposed framework and static analysis feature extraction tool has been demonstrated in other studies as well, including Linux IoT malware variant classification, opcode entropy-based malware detection, and other applications focusing on static malware analysis.


Authors

Jayanthi Ramamoorthy, Department of Computer Science, Sam Houston State University, Huntsville, TX

Narasimha K Shashidhar, Department of Computer Science, Sam Houston State University, Huntsville, TX

Cihan Varol, Department of Computer Science, Sam Houston State University, Huntsville, TX

Paper information

Year of publication: 2025
Citations: 51
Site: IEEE
