Flux spreads wider

Flux is the name of a new pest spreading covertly through the internet. Flux is a trojan that is making the life of most anti malware vendors much harder.

Flux is a reverse backdoor type of trojan. Reverse means that rather than the infected machine waiting for a connection to be made from outside, the infected machine trys to make the connection itself. Standard trojans are made up of two parts - the server and the client.

The client is downloaded to infect the machine. The server is another pc somewhere in the world that then tries to communicate with the client. The problem with standard trojans is that if the infected machine has a good firewall, then the server cannot connect to the client. So although the machine is infected, no data is transferred to the server from the client.

To overcome the blocked connection, malware writers now use this reverse logic to make the client machine responsible for the connection. Many standard firewalls will block requests coming in from the internet to connect, but do not block about outgoing requests to connect. Trojans like flux can therefore operate even through most firewalls.

The really dangerous thing about Flux is not its ability to use this reverse connection feature, but the way that feature is implemented. Flux introduces a new technique of code injection. Code Injecting is a term that describes ways to execute code in other processes. Until now Code Injection worked by loading a DLL file into a foreign process - much like the cookoo lays an egg in another birds nest. This method (called DLL Injection) is quite easy to detect as the anti-malware program just asks the process which DLLs it uses - a trojan DLL is one that is not on the list generated.

Flux doesn't use a DLL. Flux writes its connection code directly into a host process and executes it there. Apart from the fact that this behaviour would circumwent several Desktop Firewalls, it also makes Flux nearly invisible to current anti malware software because the Flux code isn't linked to any module or DLL of the process and will be simply overlooked by anti malware software. That makes complete cleaning very difficult.

Here at we have already thought about trojans using this direct injection method and why we already developed an advanced memory scan for v2.0 that can detect trojans using this technique. Version 2.0 is not quite ready for release but due to trojans like Flux we have decided to provide our customers with the advanced memory scan now.

What does all this mean for you?
is one of the first anti malware product that is able to detect and deactivate Flux. On top of that we have also developed a special free detection tool. This tool allows users of other anti-malware software to benefit from anti-malware technology too. The free tool detects and terminates an active Flux to ensure a proper cleaning of the infection.

You can download the free Flux Scanner tool from the  download page:

a²Free and a² Personal version 1.5 released

Version 1.5.0 is now stable and available for all users. You can install the new version simply by running the online update feature in without doing a completely new installation of .


- New logo and improved user interface in all dialogs. New startcenter user interface with more information: Display of version mode, version number, last update request date, license expire date.

- Added auto-update feature. The guard looks once per hour for available updates and installs them if available. Manual updating is no longer necessary if the guard is running and auto-update is enabled.

- New updater has some internal improvements.

11/6/2004 - Discuss this article in the forum

How would you rate the quality of this content?
    Rating: 8.80/10
126 votes
Poor ⇒    ⇐ Outstanding

Best In Test!

AWESOME score in September 2013!
100% in AV-Comparatives “Real-World” Protection Test!
Emsisoft Anti-Malware is the best! 100% in av-comparatives realworld protection test!
More independent reviews of anti-malware software