Enhanced ELF Executable Detection Added to Private Cloud Virus API
2/25/2025 - Brian O'Neill
We’re pleased to announce that enhanced ELF executable detection has been added to the Cloudmersive Private Cloud Virus API with the release of v10-1-2.

What are ELF executables?

The Executable and Linkable Format (ELF) is a file format used to store compiled machine-readable files (binaries), reusable program code (libraries), and program memory snapshots (core dumps) on Linux and Unix-based systems. It’s similar to Windows Portable Executable (PE) files such as executables (EXE) and dynamic-link libraries (DLL).

Why is it important to scan for ELF executable threats?

Before delving into the unique threats ELF files pose, it’s important to note that ALL executable files pose a significant risk to their compatible operating system(s) and should be rigorously investigated for threats. Additionally, ALL executables can quite easily be disguised as other file types by simply renaming the file with a new extension (e.g., JPG), so it's important to always check files for hidden executable content.

Because ELF is the standard format for executables, shared libraries, and kernel modules on Linux and Unix-based systems, ELF files are a natural target for threat actors. Linux and Unix-based servers, including database servers, file servers, and application servers, rely on ELF files, and most Internet of Things (IoT) devices depend on ELF files for firmware and embedded software execution.

Further, in much the same way as malicious EXE and DLL files on Windows systems, malicious ELF files are capable of granting unauthorized access or root privileges on Linux and Unix-based systems, which can lead to rapid and devastating attack escalation. Malicious ELF files can carry anything from known malware signatures to embedded payloads (e.g., shellcode, trojans, backdoors) and other malicious code injections. They can also carry links to malicious and/or vulnerable shared libraries.
Scan ELF executables with Cloudmersive

The Cloudmersive Virus Scan API combats ELF threats (and other executable threats) by scanning for malware and rigorously validating file contents beyond the file extension. The Virus Scan API can uncover malware signatures, scripts, and other suspicious content hidden within an ELF file, and it can also be configured to categorically block ELF files (and other executables) from upload/download workflows and cloud storage containers.

For expert advice on scanning for ELF threats, please reach out to a member of our team.
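The renamed-extension problem and the "validate contents beyond the extension" check described above can be illustrated with a short content-based ELF detector. This is an added example, not Cloudmersive's code or API: the function names, verdict strings, `DATA_EXTS` list and sample inputs are assumptions made for illustration.

```python
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "relocatable", 2: "executable", 3: "shared object or PIE", 4: "core dump"}
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
# Assumption: extensions this hypothetical upload policy treats as "claims to be data".
DATA_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv", "docx"}


def inspect_elf(data: bytes):
    """Return header facts if data starts with an ELF header, else None."""
    if data[:4] != ELF_MAGIC:
        return None
    if len(data) < 20 or data[4] not in (1, 2) or data[5] not in (1, 2):
        # Magic present but header truncated or EI_CLASS/EI_DATA invalid.
        return {"well_formed": False}
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "well_formed": True,
        "bits": 32 * data[4],                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
        "type": E_TYPE.get(e_type, "other"),
        "machine": E_MACHINE.get(e_machine, "unknown"),
    }


def classify_upload(filename: str, data: bytes, block_elf: bool = True) -> str:
    """Decide on content first; the extension only adds the 'disguised' label."""
    info = inspect_elf(data)
    if info is None:
        return "allow"                             # not ELF; other checks still apply
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in DATA_EXTS:
        return "block-disguised"                   # ELF bytes behind a data extension
    return "block-elf" if block_elf else "scan-elf"


def sample_header(ei_class, ei_data, e_type, e_machine) -> bytes:
    """Constructed 20-byte ELF header prefix used as sample input."""
    endian = "<" if ei_data == 1 else ">"
    return (ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + bytes(8)
            + struct.pack(endian + "HH", e_type, e_machine))


if __name__ == "__main__":
    pie = sample_header(2, 1, 3, 62)               # 64-bit LE PIE, x86-64
    firmware = sample_header(1, 2, 2, 8)           # 32-bit BE executable, MIPS
    for name, blob in [("photo.jpg", pie), ("update.bin", firmware),
                       ("notes.txt", b"plain text")]:
        print(name, inspect_elf(blob), classify_upload(name, blob))
```

A header check like this only identifies the format and a mismatched extension; it says nothing about whether the ELF file is malicious, which is the job of the malware scan itself.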