news from a2

Discussion in 'malware problems & news' started by Rita, Nov 7, 2004.

Thread Status:
Not open for further replies.
  1. Rita

    Rita Infrequent Poster

    Joined:
    Jun 28, 2004
    Posts:
    6,863
    Location:
    wilds of wv
    Flux spreads wider

    Flux is the name of a new pest spreading covertly through the internet. Flux is a trojan that is making the life of most anti malware vendors much harder.

    Flux is a reverse backdoor type of trojan. Reverse means that rather than the infected machine waiting for a connection to be made from outside, the infected machine trys to make the connection itself. Standard trojans are made up of two parts - the server and the client.

    The client is downloaded to infect the machine. The server is another pc somewhere in the world that then tries to communicate with the client. The problem with standard trojans is that if the infected machine has a good firewall, then the server cannot connect to the client. So although the machine is infected, no data is transferred to the server from the client.

    To overcome the blocked connection, malware writers now use this reverse logic to make the client machine responsible for the connection. Many standard firewalls will block requests coming in from the internet to connect, but do not block about outgoing requests to connect. Trojans like flux can therefore operate even through most firewalls.

    The really dangerous thing about Flux is not its ability to use this reverse connection feature, but the way that feature is implemented. Flux introduces a new technique of code injection. Code Injecting is a term that describes ways to execute code in other processes. Until now Code Injection worked by loading a DLL file into a foreign process - much like the cookoo lays an egg in another birds nest. This method (called DLL Injection) is quite easy to detect as the anti-malware program just asks the process which DLLs it uses - a trojan DLL is one that is not on the list generated.

    Flux doesn't use a DLL. Flux writes its connection code directly into a host process and executes it there. Apart from the fact that this behaviour would circumwent several Desktop Firewalls, it also makes Flux nearly invisible to current anti malware software because the Flux code isn't linked to any module or DLL of the process and will be simply overlooked by anti malware software. That makes complete cleaning very difficult.

    Here at a² we have already thought about trojans using this direct injection method and why we already developed an advanced memory scan for a² v2.0 that can detect trojans using this technique. Version 2.0 is not quite ready for release but due to trojans like Flux we have decided to provide our customers with the advanced memory scan now.

    What does all this mean for you?
    a² is one of the first anti malware product that is able to detect and deactivate Flux. On top of that we have also developed a special free detection tool. This tool allows users of other anti-malware software to benefit from a² anti-malware technology too. The free tool detects and terminates an active Flux to ensure a proper cleaning of the infection.

    You can download the free Flux Scanner tool from the a² download page:
    http://www.emsisoft.com/en/software/download
     
Loading...
Thread Status:
Not open for further replies.