Threat Encyclopedia


Malware type: Elf Executable

Aliases: Trojan.Linux.Hacktop (Kaspersky), Linux/Hacktop (McAfee), Trojan.Linux.Hacktop (Symantec), TR/Linux.Hacktop.2 (Avira),

In the wild: No

Destructive: Yes

Language: English

Platform: Linux, Unix

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:


Distribution potential:



This Root Kit Trojan with an Executable and Linking Format (ELF)runs on Unix/Linux platforms. It appears as a normal ELF program, TOP, to hide its malicious routines. TOP is a network traffic and process viewer used on Unix systems. When resident, it grants a remote user administrator priveleges to its affected system. It also retrieves information from the affected system and sends it to a remote user.

This malware compromises network security.

For additional information about this threat, see:

Description created: Apr. 2, 2003 2:46:07 AM GMT -0800
Description updated: Apr. 2, 2003 2:46:12 AM GMT -0800


Size of malware: Library=37,984 Bytes
Executable=33,992 Bytes

Initial samples received on: Nov 5, 2002


Similar to most Root Kit Trojans, this malware appears as a normal ELF program. It is a Trojan version of TOP, a normal program that is used to view network traffic and all running processes on a system.

Composed of two components, an actual executable and its library, this malware grants a remote user administrator privileges to an affected system. Administrator priveleges allow a remote user to perform the following on an affected system:

  • The command chfn opens a root shell when the root-kit password is typed as a username;
  • chsh opens a root shell when the root-kit password is typed as a new shell;
  • passwd opens a root shell when the root-kit password is typed as a password;
  • login allows the remote user�s login as any identity when the root-kit password is typed (then disables history); and
  • su will be the same as login

Once installed on the affected system, the remote user can then install a sniffer and other backdoor programs. In addition, it conceals its running process in the background.

While this malware runs the normal program TOP, it runs in the background.

The malware also opens a random port through which a remote user may gain access to its affected system.


Minimum scan engine version needed: 5.200

Pattern file needed: 1.384.00

Pattern release date: Nov 5, 2002

Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.


Scan your system with Trend Micro antivirus and delete all files detected as ELF_HACKTOP.A. To do this, Trend Micro customers must download the latest pattern file and scan their system.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.

Featured Stories

Connect with us on