I just received this notice today. I thought I would post it to inform everyone. Important information about a² and all related news. Flux spreads wider
Flux is the name of a new pest spreading covertly through the internet. Flux is
a trojan that is making the life of most anti malware vendors much harder.
Flux is a reverse backdoor type of trojan. Reverse means that rather than the
infected machine waiting for a connection to be made from outside, the infected
machine trys to make the connection itself. Standard trojans are made up of two
parts - the server and the client.
The client is downloaded to infect the machine. The server is another pc
somewhere in the world that then tries to communicate with the client. The
problem with standard trojans is that if the infected machine has a good
firewall, then the server cannot connect to the client. So although the machine
is infected, no data is transferred to the server from the client.
To overcome the blocked connection, malware writers now use this reverse logic
to make the client machine responsible for the connection. Many standard
firewalls will block requests coming in from the internet to connect, but do not
block about outgoing requests to connect. Trojans like flux can therefore
operate even through most firewalls.
The really dangerous thing about Flux is not its ability to use this reverse
connection feature, but the way that feature is implemented. Flux introduces a
new technique of code injection. Code Injecting is a term that describes ways to
execute code in other processes. Until now Code Injection worked by loading a
DLL file into a foreign process - much like the cookoo lays an egg in another
birds nest. This method (called DLL Injection) is quite easy to detect as the
anti-malware program just asks the process which DLLs it uses - a trojan DLL is
one that is not on the list generated.
Flux doesn't use a DLL. Flux writes its connection code directly into a host
process and executes it there. Apart from the fact that this behaviour would
circumwent several Desktop Firewalls, it also makes Flux nearly invisible to
current anti malware software because the Flux code isn't linked to any module
or DLL of the process and will be simply overlooked by anti malware software.
That makes complete cleaning very difficult.
Here at a² we have already thought about trojans using this direct injection
method and why we already developed an advanced memory scan for a² v2.0 that can
detect trojans using this technique. Version 2.0 is not quite ready for release
but due to trojans like Flux we have decided to provide our customers with the
advanced memory scan now.
What does all this mean for you?
a² is one of the first anti malware product that is able to detect and
deactivate Flux. On top of that we have also developed a special free detection
tool. This tool allows users of other anti-malware software to benefit from a²
anti-malware technology too. The free tool detects and terminates an active Flux
to ensure a proper cleaning of the infection.
You can download the free Flux Scanner tool from the a² download page:http://www.emsisoft.com/en/software/download
a² Free and a² Personal version 1.5 released
Version 1.5.0 is now stable and available for all users. You can install the new
version simply by running the online update feature in a² without doing a
completely new installation of a².
- New logo and improved user interface in all dialogs. New startcenter user
interface with more information: Display of version mode, version number, last
update request date, license expire date.
- Added auto-update feature. The guard looks once per hour for available updates
and installs them if available. Manual updating is no longer necessary if the
guard is running and auto-update is enabled.
- New updater has some internal improvements. http://www.emsisoft.com