Flux Trojan

Discussion in 'malware problems & news' started by -----, Oct 17, 2004.

Thread Status:
Not open for further replies.
  1. -----

    ----- Guest

    Has anyone analyzed the popular Flux trojan?

    If yes:

    Does the launcher inject the entire trojan code into the host application (i.e., no DLL injection takes place)?

    If yes:

    Let's assume that the launcher is protected with a compressor or crypter so that no file scanner can detect it. Will any memory scanner (BOClean, Ewido, TDS or TH) detect that the host application is compromised by the malicious trojan code which was injected into it?

    Thanks for your comments.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,084
    Location:
    Texas
    It appears to come in many variations. Most antivirus vendors have Flux in their definitions.

    freelist.org
     
  3. -------

    ------- Guest

    I have performed a few tests and published them in our forum (I did not dare to post them here because of the strict TOS).

    It seems that ATs with a dedicated memory scanner have difficulty detecting this trojan.
     
  4. blub

    blub Guest

    nautilus, did you also test some av scanners? Maybe some of these programs also cannot find this trojan or can delete it.
     
  5. ----

    ---- Guest

    In the meantime, I have tested KAV 5.0.200 beta. The file scanner also detects the compressed Flux variant because the static unpacking engine developed by Kaspersky offers limited support for PE Compact 2.40. Depending on the settings used, it can "look through" this compressor.

    By contrast, NOD32 missed the compressed sample. The funny thing was NOD's memory scanner, which only detected the server editor running in memory but not the trojan itself ;-)
     
  6. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    Which is no big surprise, as NOD's so-called memory scanner is no "real" memory scanner... right? ;)

    Flux seems to be quite powerful, imho. Direct code injection without any DLL - a hard nut for (real) mem scanners, as well as firewalls (even for those with some sandbox capabilities...)
    But at least SSM, ProcessGuard & co can do the job.
     
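To make concrete what the thread means by a "real" memory scanner versus a file scanner, here is an added example (not code from any poster, product or the trojan discussed above). It sketches two defender-side checks over a snapshot of a host process' memory map in the shape Windows' VirtualQueryEx reports: flag committed executable pages that no module on disk backs (what code injected directly, without a DLL, looks like), and match a content signature against the unpacked bytes in memory rather than the packed file. The memory map, module paths and the signature are constructed for the demo.

```python
from dataclasses import dataclass

# Windows memory constants (winnt.h)
MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x20, 0x40
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80   # the PAGE_EXECUTE* family

# Placeholder pattern for the demo only; NOT a real signature of any malware.
DEMO_SIGNATURE = b"DEMO-TROJAN-BODY"


@dataclass
class Region:
    base: int
    size: int
    state: int
    type: int
    protect: int
    backing: str    # module path backing the pages, "" for anonymous memory
    data: bytes     # page contents as read from the process (constructed here)


def is_unbacked_executable(r: Region) -> bool:
    """Committed, executable pages that no module on disk accounts for.

    A DLL-based injection shows up as a MEM_IMAGE region with a path; code
    written straight into the process lives in MEM_PRIVATE pages instead.
    """
    return r.state == MEM_COMMIT and bool(r.protect & EXEC_MASK) and r.type == MEM_PRIVATE


def scan_process(regions, signature=DEMO_SIGNATURE):
    """Return (heuristic_hits, signature_hits) as lists of region base addresses.

    The signature check runs on memory contents, so a launcher that was packed
    or encrypted on disk is still visible once its code is unpacked in the host.
    """
    heuristic = [r.base for r in regions if is_unbacked_executable(r)]
    matches = [r.base for r in regions if r.state == MEM_COMMIT and signature in r.data]
    return heuristic, matches


# Constructed snapshot of a host process: image sections, an ordinary heap, one injected blob.
SAMPLE_MAP = [
    Region(0x00400000, 0x1000, MEM_COMMIT, MEM_IMAGE, PAGE_READONLY, r"C:\host\host.exe", b"MZ..."),
    Region(0x00401000, 0x8000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ, r"C:\host\host.exe", b"\x55\x8b\xec"),
    Region(0x00140000, 0x10000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE, "", b"heap data"),
    Region(0x00380000, 0x6000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE, "", b"\x90" * 16 + DEMO_SIGNATURE),
    Region(0x7C800000, 0x1000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ, r"C:\WINDOWS\system32\kernel32.dll", b"\xcc"),
]

if __name__ == "__main__":
    print(scan_process(SAMPLE_MAP))   # ([3670016], [3670016])
```

A scanner that only walks the loaded-module list, as the thread suggests NOD32's did, never sees the private region at all; that is why the two checks above start from the page map instead.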