Invention Grant
- Patent Title: Method for detecting malware within a linux platform
- Application No.: US15645767
- Application Date: 2017-07-10
- Publication No.: US10558805B2
- Publication Date: 2020-02-11
- Inventor: Junfeng Wang, Baoxin Xu, Dong Liu, Fan Li, Xiaosong Zhang
- Applicant: SICHUAN UNIVERSITY, BEIJING TONGTECH CO., LTD.
- Applicant Address: CN Sichuan; CN Beijing
- Assignee: SICHUAN UNIVERSITY, Beijing Tongtech Co., LTD.
- Current Assignee: SICHUAN UNIVERSITY, Beijing Tongtech Co., LTD.
- Current Assignee Address: CN Sichuan; CN Beijing
- Agency: Oliff PLC
- Priority: CN201610834406 20160920
- Main IPC: G06F21/56
- IPC: G06F21/56 ; G06N20/00

Abstract:
A method of detecting malware on the Linux platform through the following steps: use the objdump -D command to disassemble ELF-format benign software and malware samples and generate assembly files; traverse the generated assembly files one by one, read each ELF file's code segment and meanwhile identify whether the code segment contains a main() function; analyze the code segment read and divide the assembly code into basic blocks, each marked by its lowest address; add the control flow graph's vertices to an adjacency linked list; establish the relations between basic blocks, add the control flow graph's edges to the adjacency linked list and generate a basic control flow graph; extract the control flow graph's features and write them into ARFF files; take the ARFF files as the data set of the machine learning tool Weka to carry out data mining and construct a classifier; classify the ELF samples under test using the classifier.
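As an added illustration of the pipeline the abstract describes (example code, not from the patent or its applicants): parse an objdump -d style listing, split it into basic blocks keyed by their lowest address, build the adjacency list, derive a few CFG features and emit them as ARFF. The listing, the feature set (vertex count, edge count, cyclomatic complexity) and the class label are constructed assumptions; the patent does not specify which features it uses.

```python
import re
# Constructed objdump -d style listing of one tiny x86-64 function (not taken from the patent).
SAMPLE = """0000000000401000 <main>:
  401000:  83 ff 00              cmp    $0x0,%edi
  401003:  74 07                 je     40100c <main+0xc>
  401005:  b8 01 00 00 00        mov    $0x1,%eax
  40100a:  eb 05                 jmp    401011 <main+0x11>
  40100c:  b8 00 00 00 00        mov    $0x0,%eax
  401011:  c3                    ret
"""
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s+)+([a-z]+)\s*(.*)$")
FEATURES = ("vertices", "edges", "cyclomatic")  # assumed feature set for the ARFF file

def parse_listing(listing):  # -> [(address, mnemonic, operands)] for each instruction line
    return [(int(m.group(1), 16), m.group(2), m.group(3).strip())
            for m in map(INSN_RE.match, listing.splitlines()) if m]

def branch_target(mnem, ops):  # direct jump target as int; None for non-jumps and indirect jumps
    return int(ops.split()[0], 16) if mnem.startswith("j") and not ops.startswith("*") else None

def build_cfg(insns):  # leader-based block split -> {block lowest address: [successor addresses]}
    leaders = {insns[0][0]}
    for i, (addr, mnem, ops) in enumerate(insns):
        target = branch_target(mnem, ops)
        if target is not None:
            leaders.add(target)                       # a jump target starts a block
        if (mnem.startswith("j") or mnem == "ret") and i + 1 < len(insns):
            leaders.add(insns[i + 1][0])              # so does the instruction after a transfer
    adj, block = {}, None
    for i, (addr, mnem, ops) in enumerate(insns):
        if addr in leaders:
            block, adj[addr] = addr, []
        if i + 1 < len(insns) and insns[i + 1][0] not in leaders:
            continue                                  # not the last instruction of its block
        target = branch_target(mnem, ops)
        if target is not None:
            adj[block].append(target)                 # taken-branch edge
        if mnem not in ("jmp", "ret") and i + 1 < len(insns):
            adj[block].append(insns[i + 1][0])        # fall-through edge
    return adj

def cfg_features(adj):  # vertex count, edge count, cyclomatic complexity E - V + 2
    v, e = len(adj), sum(len(s) for s in adj.values())
    return {"vertices": v, "edges": e, "cyclomatic": e - v + 2}

def to_arff(samples):  # samples: [(feature dict, 'benign'|'malware')] -> ARFF text for Weka
    head = ["@relation cfg_features", *[f"@attribute {k} numeric" for k in FEATURES],
            "@attribute class {benign,malware}", "@data"]
    rows = [",".join(str(f[k]) for k in FEATURES) + "," + label for f, label in samples]
    return "\n".join(head + rows) + "\n"
```

For the sample listing the graph has four blocks and four edges, so `to_arff([(cfg_features(build_cfg(parse_listing(SAMPLE))), "benign")])` ends with the data row `4,4,2,benign`; in practice one row is produced per disassembled ELF sample.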
Public/Granted literature
- US20180082064A1 DETECTION METHOD FOR LINUX PLATFORM MALWARE, Public/Granted day: 2018-03-22