Flux spreads wider
Flux is the name of a new pest spreading covertly through the internet. Flux is a trojan that is making the life of most anti malware vendors much harder.
Flux is a reverse backdoor type of trojan. Reverse means that rather than the infected machine waiting for a connection to be made from outside, the infected machine trys to make the connection itself. Standard trojans are made up of two parts - the server and the client.
The client is downloaded to infect the machine. The server is another pc somewhere in the world that then tries to communicate with the client. The problem with standard trojans is that if the infected machine has a good firewall, then the server cannot connect to the client. So although the machine is infected, no data is transferred to the server from the client.
To overcome the blocked connection, malware writers now use this reverse logic to make the client machine responsible for the connection. Many standard firewalls will block requests coming in from the internet to connect, but do not block about outgoing requests to connect. Trojans like flux can therefore operate even through most firewalls.
The really dangerous thing about Flux is not its ability to use this reverse connection feature, but the way that feature is implemented. Flux introduces a new technique of code injection. Code Injecting is a term that describes ways to execute code in other processes. Until now Code Injection worked by loading a DLL file into a foreign process - much like the cookoo lays an egg in another birds nest. This method (called DLL Injection) is quite easy to detect as the anti-malware program just asks the process which DLLs it uses - a trojan DLL is one that is not on the list generated.
Flux doesn't use a DLL. Flux writes its connection code directly into a host process
and executes it there. Apart from the fact that this behaviour would circumwent
several Desktop Firewalls, it also makes Flux nearly invisible to current anti malware
software because the Flux code isn't linked to any module or DLL of the process
and will be simply overlooked by anti malware software. That makes complete cleaning
Here at a² we have already thought about trojans using this direct injection method and why we already developed an advanced memory scan for a² v2.0 that can detect trojans using this technique. Version 2.0 is not quite ready for release but due to trojans like Flux we have decided to provide our customers with the advanced memory scan now.
What does all this mean for you?
a² is one of the first anti malware product that is able to detect and deactivate Flux. On top of that we have also developed a special free detection tool. This tool allows users of other anti-malware software to benefit from a² anti-malware technology too. The free tool detects and terminates an active Flux to ensure a proper cleaning of the infection.
You can download the free Flux Scanner tool from the a²
a²Free and a² Personal version 1.5 released
Version 1.5.0 is now stable and available for all users. You
can install the new version simply by running the online update feature in a² without doing a
completely new installation of a².
- New logo and improved user interface in all dialogs. New startcenter user interface with more information: Display of version mode, version number, last update request date, license expire date.
- Added auto-update feature. The guard looks once per hour for available updates and installs them if available. Manual updating is no longer necessary if the guard is running and auto-update is enabled.
- New updater has some internal improvements.