Has anyone analyzed the popular Flux trojan? If yes: does the launcher inject the entire trojan code into the host application (i.e., no DLL injection takes place)? If yes: let's assume that the launcher is protected with a compressor or crypter so that no file scanner can detect it. Will any memory scanner (BOClean, Ewido, TDS or TH) detect that the host application is compromised by the malicious trojan code which was injected into it? Thanks for your comments.
It appears to come in many variations. Most antivirus vendors have Flux in their definitions. freelist.org
I have performed a few tests and published them in our forum (I did not dare to post them here because of the strict TOS). It seems that ATs with a dedicated memory scanner have difficulty detecting this trojan.
nautilus, did you also test some AV scanners? Maybe some of these programs also cannot find this trojan, or can delete it.
In the meantime, I have tested KAV 5.0.200 beta. The file scanner also detects the compressed Flux variant because the static unpacking engine developed by Kaspersky offers limited support for PE Compact 2.40. Depending on the settings used, it can "look through" this compressor. By contrast, NOD32 missed the compressed sample. The funny thing was NOD's memory scanner, which only detected the server editor running in memory but not the trojan itself ;-)
Which is no big surprise, as NOD's so-called memory scanner is no "real" memory scanner... right? Flux seems to be quite powerful, imho. Direct code injection without any DLL - a hard nut for (real) mem scanners, as well as firewalls (even for those with some sandbox capabilities...). But at least SSM, ProcessGuard & co can do the job.
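A defender-side illustration of the point raised in this thread, added here and not part of any post: a minimal memory-scan heuristic that flags executable private memory (the footprint of code injected directly into a host, with no DLL to match on disk), beside the module-list check that sees nothing. The process, paths and region records are constructed, not real Flux data; on Windows the same fields come from VirtualQueryEx.

```python
from dataclasses import dataclass
from typing import Optional

# Win32 MEMORY_BASIC_INFORMATION constants (values as defined in winnt.h)
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000       # anonymous memory: heap, stack, VirtualAlloc
MEM_MAPPED = 0x40000        # file or section mapping
MEM_IMAGE = 0x1000000       # a loaded PE image (EXE or DLL)
EXEC_PROTECT = {0x10, 0x20, 0x40, 0x80}   # PAGE_EXECUTE* base protections

@dataclass
class Region:
    base: int
    size: int
    state: int
    mem_type: int
    protect: int
    image: Optional[str]    # backing image path, None for anonymous memory

# Constructed snapshot of a hypothetical host process after a DLL-less
# injection: its own image, one system DLL, a plain heap, one RWX private block.
SAMPLE_REGIONS = [
    Region(0x00400000, 0x30000, MEM_COMMIT, MEM_IMAGE, 0x20, r"C:\host\victim.exe"),
    Region(0x7C800000, 0xF6000, MEM_COMMIT, MEM_IMAGE, 0x20, r"C:\WINDOWS\system32\kernel32.dll"),
    Region(0x00150000, 0x10000, MEM_COMMIT, MEM_PRIVATE, 0x04, None),
    Region(0x02A00000, 0x8000, MEM_COMMIT, MEM_PRIVATE, 0x40, None),
]
LOADED_MODULES = {r"C:\host\victim.exe", r"C:\WINDOWS\system32\kernel32.dll"}

def module_only_view(regions, loaded_modules):
    """What a scanner that only checks loaded modules sees: image-backed
    regions whose path is not in the module list. Direct injection leaves none."""
    return [r.image for r in regions
            if r.mem_type == MEM_IMAGE and r.image not in loaded_modules]

def find_suspicious(regions, loaded_modules):
    """Flag committed executable regions that have no legitimate backing image."""
    hits = []
    for r in regions:
        # strip PAGE_GUARD / NOCACHE modifier bits before comparing protection
        if r.state != MEM_COMMIT or (r.protect & 0xFF) not in EXEC_PROTECT:
            continue
        if r.mem_type == MEM_PRIVATE:
            hits.append((r.base, r.size, "executable private memory, no backing module"))
        elif r.mem_type == MEM_IMAGE and r.image not in loaded_modules:
            hits.append((r.base, r.size, "executable image missing from module list"))
    return hits

if __name__ == "__main__":
    print("module-only view:", module_only_view(SAMPLE_REGIONS, LOADED_MODULES))
    for base, size, why in find_suspicious(SAMPLE_REGIONS, LOADED_MODULES):
        print(f"0x{base:08X} +0x{size:X}: {why}")
```

The module-only view comes back empty for this snapshot, while the region heuristic reports the single RWX private block; a real scanner would then need to inspect or hash that block's contents, since legitimate JIT engines also allocate executable private memory.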