Dr. Web Says Flashback Trojan Infections Have Not Been Significantly Reduced

Contrary to reports from Kaspersky and Symantec, Dr. Web says that the number of Macs infected with the Flashback trojan have not significantly declined.

Symantec recently reported that infections were down to 140,000 and Kaspersky reported they were down to 30,000. Dr. Web disagrees and says that infections are still at about 650,000.

The main domains for BackDoor.Flashback.39 command servers were registered by Doctor Web at the beginning of April, and bots first send requests to corresponding servers. On April 16th additional domains whose names are generated using the current date were registered. Since these domain names are used by all BackDoor.Flashback.39 variants, registration of additional control server names has allowed to more accurately calculate the number of bots on the malicious network, which is indicated on the graph. However, after communicating with servers controlled by Doctor Web, Trojans send requests to the server at 74.207.249.7, controlled by an unidentified third party. This server communicates with bots but doesn't close a TCP connection. As the result, bots switch to the standby mode and wait for the server's reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists. This is the cause of controversial statistics - on one hand, Symantec and Kaspersky Lab reported a significant decline in the number of BackDoor.Flashback.39 bots, on the other hand, Doctor Web repeatedly indicated a far greater number of bots which didn't tend to decline considerably. The image below shows how a TCP-connection to the command center makes a BackDoor.Flashback.39 bot freeze.


Dr. Web was the first site to report the spread of BackDoor.Flashback.39 earlier this month.

Read More