{
	"id": "7a52a008-e9fa-488f-b046-131e2c2f8543",
	"created_at": "2026-04-10T03:20:58.77061Z",
	"updated_at": "2026-04-10T13:11:45.25456Z",
	"deleted_at": null,
	"sha1_hash": "a5c0b7a8e502175e8c3b5fae9f0065ff01f74e49",
	"title": "Doctor Web doesn't register significant decrease in BackDoor.Flashback.39 bot number",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 155011,
	"plain_text": "Doctor Web doesn't register significant decrease in\r\nBackDoor.Flashback.39 bot number\r\nPublished: 2012-04-20 · Archived: 2026-04-10 03:05:41 UTC\r\nBy continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies\r\nrelated to the collection of visitor statistics.\r\nLearn more\r\n20.04.2012\r\nHot news | All the news | Virus alerts\r\nApril 20, 2012\r\nDoctor Web's virus analysts continue to monitor the largest to date Mac botnet discovered by Doctor Web\r\non April 4, 2012. The botnet statistics acquired by Doctor Web contradicts recently published reports\r\nindicating a decrease in the number of Macs infected by BackDoor.Flashback.39 The number is still around\r\n650,000.\r\nAccording to Doctor Web, 817 879 bots connected to the BackDoor.Flashback.39 botnet at one time or another\r\nand average 550 000 infected machines interact with a control server on a 24 hour basis. On April 16, 717004\r\nunique IP-addresses and 595816 Mac UUIDs were registered on the BackDoor.Flashback.39 botnet while on\r\nApril 17 the figures were 714 483 unique IPs and 582405 UUIDs. At the same time infected computers, that have\r\nnot been registered on the BackDoor.Flashback.39 network before, join the botnet every day. The chart below\r\nshows how the number of bots on the BackDoor.Flashback.39 botnet has been changing from April 3 to April 19,\r\n2012.\r\nhttps://news.drweb.com/show/?c=5\u0026i=2386\u0026lng=en\r\nPage 1 of 3\n\nHowever recent publications found in open access report a reduction in the number of BackDoor.Flashback.39\r\nbots. 
Typically, these materials are based on analysis of statistics acquired from hijacked botnet control servers.\r\nDoctor Web's analysts conducted research to determine the reasons for this discrepancy.\r\nBackDoor.Flashback.39 uses a sophisticated routine to generate control server names: the larger part of the domain\r\nnames is generated using parameters embedded in the malware resources, the others are created using the current date.\r\nThe Trojan sends consecutive queries to servers according to its pre-defined priorities. The main domains for\r\nBackDoor.Flashback.39 command servers were registered by Doctor Web at the beginning of April, and bots first\r\nsend requests to the corresponding servers. On April 16th, additional domains whose names are generated using the\r\ncurrent date were registered. Since these domain names are used by all BackDoor.Flashback.39 variants,\r\nregistration of additional control server names has made it possible to calculate more accurately the number of bots on the\r\nmalicious network, which is indicated on the graph. However, after communicating with servers controlled by\r\nDoctor Web, Trojans send requests to the server at 74.207.249.7, controlled by an unidentified third party. This\r\nserver communicates with bots but doesn't close a TCP connection. As a result, bots switch to standby mode\r\nand wait for the server's reply and no longer respond to further commands. As a consequence, they do not\r\ncommunicate with other command centers, many of which have been registered by information security\r\nspecialists. This is the cause of the conflicting statistics — on one hand, Symantec and Kaspersky Lab reported a\r\nsignificant decline in the number of BackDoor.Flashback.39 bots, on the other hand, Doctor Web repeatedly\r\nindicated a far greater number of bots which didn’t tend to decline considerably. 
The image below shows how a\r\nTCP-connection to the command center makes a BackDoor.Flashback.39 bot freeze.\r\nDoctor Web once again warns Mac OS X users of the BackDoor.Flashback.39 threat and strongly recommends\r\nthat you install Java updates and scan the system to determine whether it has been infected. For more information\r\nabout BackDoor.Flashback detection and neutralization visit https://www.drweb.com/flashback/. To remove the\r\nTrojan, you can use Dr.Web for Mac OS X Light available free of charge.\r\nSource: https://news.drweb.com/show/?c=5\u0026i=2386\u0026lng=en",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://news.drweb.com/show/?c=5\u0026i=2386\u0026lng=en"
	],
	"report_names": [
		"?c=5\u0026i=2386\u0026lng=en"
	],
	"threat_actors": [],
	"ts_created_at": 1775791258,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5c0b7a8e502175e8c3b5fae9f0065ff01f74e49.pdf",
		"text": "https://archive.orkl.eu/a5c0b7a8e502175e8c3b5fae9f0065ff01f74e49.txt",
		"img": "https://archive.orkl.eu/a5c0b7a8e502175e8c3b5fae9f0065ff01f74e49.jpg"
	}
}