Dr. Web said on Friday that the number of Flashback-infected Macs is still around 650,000, and that infections are continuing. Although other security firms at first said the number of infections was shrinking quickly, Liam O Murchu, director of operations at Symantec's security response center, also confirmed on Friday that Dr. Web's assertions were correct.
O Murchu in an interview Friday said that "We've been talking with them about the discrepancies in our numbers and theirs. We now believe that their analysis is accurate, and that it explains the discrepancies."
How did this happen? Dr. Web's analysis is as follows: security companies have "sinkholed" (hijacked) the Flashback command-and-control domains, which lets them track botnet traffic. But according to Dr. Web, after the Flashback malware has run through its list of possible C&C servers, the infected machine then makes a request to a specific server at a static IP address.
Once it reaches that server, the infected machine is put into what is essentially a stand-by mode and generates no further traffic, which creates the mistaken impression that the botnet is shrinking.
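The measurement error described above, as an added example that is not from the article or from either vendor: a bot that stops contacting the sinkhole after reaching the un-sinkholed fallback server disappears from a "hosts seen today" count even though it is still infected. The log format and bot identifiers below are constructed for illustration.

```python
# Estimating botnet size from sinkhole logs: "active today" versus
# "ever seen". Bots that go silent after reaching a fallback server make
# the first metric shrink while the second (the real lower bound) does not.
from collections import defaultdict

# Constructed sinkhole log lines, one "<day> <bot-id>" contact per line
# (hypothetical format, not Flashback's real beacon).
SINKHOLE_LOG = """\
1 bot-a
1 bot-b
1 bot-c
2 bot-a
2 bot-b
3 bot-a
4 bot-d
"""

def parse_log(text):
    """Return {day: set(bot ids)} from the constructed log format."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            day, bot = line.split()
            seen[int(day)].add(bot)
    return dict(seen)

def daily_active(per_day):
    """Naive metric: distinct hosts that contacted the sinkhole each day."""
    return {day: len(bots) for day, bots in sorted(per_day.items())}

def cumulative_unique(per_day):
    """Distinct hosts seen on or before each day; never decreases."""
    ever, out = set(), {}
    for day in sorted(per_day):
        ever |= per_day[day]
        out[day] = len(ever)
    return out

def silent_hosts(per_day, day):
    """Hosts seen before `day` that did not check in on `day`: still
    infected as far as the sinkhole knows, just no longer talking to it."""
    earlier = set().union(*(b for d, b in per_day.items() if d < day))
    return earlier - per_day.get(day, set())

if __name__ == "__main__":
    per_day = parse_log(SINKHOLE_LOG)
    print("daily active:     ", daily_active(per_day))
    print("cumulative unique:", cumulative_unique(per_day))
    print("silent on day 4:  ", sorted(silent_hosts(per_day, 4)))
```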
Flashback has primarily made its attacks via a Java vulnerability that was patched by Oracle in February. However, Apple maintains its own version of Java for Mac OS X, and did not patch the vulnerability until seven weeks later.