The Mac Flashback Trojan was still installed on more than half a million Apple computers late last week and is declining only slowly, Russian security company Dr. Web has reported.
Although all security companies now agree that the best days of Flashback (or 'Flashflake') are now behind it, the new numbers suggest a greater level of infection than that has been reported by rivals.
Measured by UUID device identifiers, Dr. Web now believes that at its greatest extent the bot was around 817,000 machines, with an average of 550,000 contacting the command and control servers during any 24-hour period.
By 19 April the bot was communicating with 566,000 Macs, down from 673,000 three days earlier, still considerably higher than Symantec’s estimate last week that the bot’s size had shrunk to 270,000 infected systems, and Kaspersky’s figure of 237,000 on 14 and 15 April.
Some of the confusion could be down to measuring the bot using either IP addresses or device IDs (UUIDs), and doing so at different points in time.
However, Dr. Web thinks it has a better explanation for the understands this discrepancy, which, it said, has to do with attempts by an unnamed entity (presumably a security company) to block the bot’s activity.
Infected bots had been connecting to a server at 220.127.116.11, which was putting them into a suspended state. All machines doing this would no longer be able to communicate and be registered as ‘active’ by security company sinkholes despite still being infected.
“This is the cause of controversial statistics — on one hand, Symantec and Kaspersky Lab reported a significant decline in the number of Backdoor.Flashback.39 bots, on the other hand, Dr. Web repeatedly indicated a far greater number of bots which didn’t tend to decline considerably,” the company argued.
At least one security company - Mac security specialist Intego - agrees with Dr. Web’s contention that Flashback’s infection numbers have recently been underestimated.
“Intego has analyzed the malware, and, following discussions with other security companies, has determined that not only are these numbers [the lower estimates] incorrect, they are underestimating the number of infected Macs,” the company announced in a Friday blog post.
If this is correct, it does at least mean that while infected, these machines are now dormant and presumably beyond the control of the bot controllers.
On Friday, Kaspersky offered more information on how the malware was able to infect its victims through WordPress blog sites that had been compromised to host a malware redirection script.