Flux Trojan

Discussion in 'malware problems & news' started by -----, Oct 17, 2004.

Thread Status:
Not open for further replies.
  1. -----

    ----- Guest

    Has anyone analyzed the popular Flux trojan?

    If yes:

    Does the launcher inject the entire trojan code into the host application (i.e., no DLL injection takes place)?

    If yes:

    Let's assume that the launcher is protected with a compressor or crypter so that no file scanner can detect it. Will any memory scanner (BOClean, Ewido, TDS or TH) detect that the host application is compromised by the malicious trojan code which was injected into it?

    Thanks for your comments.
  2. ronjor

    ronjor Global Moderator

    Jul 21, 2003
    It appears to come in many variations. Most antivirus vendors have Flux in their definitions.

  3. -------

    ------- Guest

    I have performed a few tests and published them in our forum (I did not dare to post them here because of the strict TOS).

    It seems that ATs with a dedicated memory scanner have difficulty detecting this trojan.
  4. blub

    blub Guest

    nautilus, did you also test some AV scanners? Maybe some of these programs also cannot find this trojan, or can delete it.
  5. ----

    ---- Guest

    In the meantime, I have tested KAV 5.0.200 beta. The file scanner also detects the compressed Flux variant because the static unpacking engine developed by Kaspersky offers limited support for PECompact 2.40. Depending on the settings used, it can "look through" this compressor.

    By contrast, NOD32 missed the compressed sample. The funny thing was NOD's memory scanner, which only detected the server editor running in memory but not the trojan itself ;-)
  6. _anvil

    _anvil Registered Member

    Jun 18, 2003
    Which is no big surprise, as NOD's so-called memory scanner is no "real" memory scanner... right? ;)

    Flux seems to be quite powerful, imho. Direct code injection without any DLL - a hard nut for (real) mem scanners, as well as firewalls (even for those with some sandbox capabilities...) :doubt:
    But at least SSM, ProcessGuard & co can do the job.
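The thread turns on one distinction: a packed launcher hides its code from a byte-signature file scanner, while a memory scanner sees the unpacked code once it has been injected into a host process. The following is an added toy model of that distinction, written for this page and not code from the original thread or from any of the products named in it. The packer (a one-byte XOR behind a stub header), the payload bytes, the signature name "Demo.Flux.A", the region layout and the heuristic name are all constructed for illustration; none of it is derived from the real Flux trojan or from PECompact. The "memory scanner" works on a list of regions shaped like what VirtualQueryEx would report (base, protection, image-backed or not, contents), so the same logic could be fed real process memory on Windows.

```python
"""Toy model of file scanning vs. memory scanning against a packed launcher that
injects its code directly into a host process. All bytes, names and addresses are
constructed for the demonstration; nothing here comes from the real Flux trojan."""
from typing import List, Optional, Tuple

# Constructed stand-in for the unpacked trojan body. A real signature would be a
# byte sequence taken from the trojan's own code; "FLUX-DEMO-PAYLOAD" plays that role.
PAYLOAD = b"\x55\x8b\xec\x83\xec\x20" + b"FLUX-DEMO-PAYLOAD" + b"\x5d\xc3"

# Signature database keyed by detection name (constructed).
SIGNATURES = {"Demo.Flux.A": b"FLUX-DEMO-PAYLOAD"}

STUB_MAGIC = b"PACK1"  # constructed stub header for the toy packer


def pack(payload: bytes, key: int) -> bytes:
    """Toy packer standing in for a compressor/crypter: a stub header followed by the
    payload XOR-ed with a one-byte key. On disk the signature bytes no longer appear."""
    return STUB_MAGIC + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(blob: bytes) -> Optional[bytes]:
    """Static unpacker for the toy packer (the role KAV's unpacking engine plays for
    PECompact in the post above). Returns None if the stub is not recognised."""
    if not blob.startswith(STUB_MAGIC) or len(blob) <= len(STUB_MAGIC):
        return None
    key = blob[len(STUB_MAGIC)]
    return bytes(b ^ key for b in blob[len(STUB_MAGIC) + 1:])


def scan_bytes(blob: bytes) -> List[str]:
    """Plain byte-signature match over one buffer."""
    return [name for name, sig in SIGNATURES.items() if sig in blob]


def file_scan(file_bytes: bytes, static_unpack: bool = False) -> List[str]:
    """File scanner: matches raw file bytes; optionally tries the static unpacker first."""
    hits = scan_bytes(file_bytes)
    if not hits and static_unpack:
        inner = unpack(file_bytes)
        if inner is not None:
            hits = scan_bytes(inner)
    return hits


# A memory region as a memory scanner sees it (modelled on VirtualQueryEx output):
# (base address, protection flags, backed by a mapped image file?, contents).
Region = Tuple[int, str, bool, bytes]


def memory_scan(regions: List[Region]) -> List[Tuple[str, str]]:
    """Memory scanner: signature-match every region of the process and, in addition,
    flag executable private memory (not backed by any image on disk), which is where
    directly injected code has to live. The heuristic name is constructed."""
    findings = []
    for base, prot, image_backed, data in regions:
        for name in scan_bytes(data):
            findings.append((hex(base), name))
        if "x" in prot and not image_backed:
            findings.append((hex(base), "Heuristic.PrivateExecutableRegion"))
    return findings


def inject(host: List[Region], payload: bytes, base: int = 0x00A40000) -> List[Region]:
    """Model of direct code injection: the launcher allocates a private RWX region in
    the host process and copies the unpacked trojan code there. No DLL is mapped, so
    no new image-backed region appears in the host's module list."""
    return host + [(base, "rwx", False, payload)]


def run_demo() -> dict:
    launcher_on_disk = pack(PAYLOAD, key=0x5A)
    # Host process before injection: two image-backed code regions and a heap.
    host = [
        (0x00400000, "r-x", True, b"\x4d\x5a" + bytes(range(32))),      # host exe .text
        (0x77000000, "r-x", True, b"\x4d\x5a" + bytes(range(32, 64))),  # a system DLL
        (0x00300000, "rw-", False, b"\x00" * 32),                       # heap
    ]
    host_after = inject(host, unpack(launcher_on_disk))
    return {
        "file_scan_packed": file_scan(launcher_on_disk),
        "file_scan_with_unpacker": file_scan(launcher_on_disk, static_unpack=True),
        "memory_scan_host_before": memory_scan(host),
        "memory_scan_host_after": memory_scan(host_after),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Two things fall out of the model. First, a plain file scanner misses the packed launcher, and only a scanner that can statically unpack that particular packer (or one that scans memory after the stub has run) gets the signature back. Second, once the code has been injected, it is the host process that must be scanned, not the launcher, and the injected region is identifiable even without a signature by its shape: executable, writable and not backed by any image file. Real packers and real injection are far more varied than this toy, so the private-executable-region heuristic should be treated as a lead to investigate rather than a verdict on its own.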