Just last week, Symantec said that the Flashback/Flashfake botnet had dwindled down to around 140,000 infected Mac computers. Yet Dr. Web, the security firm that discovered the mass Mac infection, stands firm that it still counts 650,000 Macs with active Flashback/Flashfake infections. Kaspersky's count has dropped to 45,000, meaning that no one is really for sure how large the Flashfake botnet really is.
"According to Doctor Web, 817,879 bots connected to the BackDoor.Flashback.39 botnet at one time or another, and an average of 550,000 infected machines interact with a control server on a 24 hour basis," Doctor Web stated on Friday. "On April 16, 717,004 unique IP addresses and 595,816 Mac UUIDs were registered on the BackDoor.Flashback.39 botnet while on April 17 the figures were 714,483 unique IPs and 582,405 UUIDs. At the same time, infected computers that have not been registered on the BackDoor.Flashback.39 network before, join the botnet every day."
The difference in numbers between the various security firms stem from the methods they use to count infections. Both Symantec and Doctor Web establish a server that looks like one of the 70 command and control servers used to control the botnet, yet Doctor Web says it found a entirely separate pool of infected Macs by tracing a secondary line of communication between the servers and infected Macs.
"On April 16th, additional domains whose names are generated using the current date were registered," Doctor Web said. "Since these domain names are used by all BackDoor.Flashback.39 variants, registration of additional control server names has allowed to more accurately calculate the number of bots on the malicious network."
"However, after communicating with servers controlled by Doctor Web, trojans send requests to the server at 74.207.249.7, controlled by an unidentified third party," the firm adds. "This server communicates with bots but doesn't close a TCP connection. As the result, bots switch to the standby mode and wait for the server's reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists."
This is the reason why security firms like Symantec and Kaspersky don't show the same numbers as Doctor Web. But Symantec claims that the same method to distribute Flashback has also been used to unleash the OSX.Sabpab malware which was just identified that week. This suggests that Doctor Web is actually double-counting machines infected with both malware, or the firm is including the Sabpab infections with its Flashback infection count.
Currently Doctor Web and Symantec are reportedly talking about their differences and are stumped as to why they're coming up with different numbers. The latter company is supposedly admitting that Doctor Web's methods are correct, and that Symantec would change its own to be more consistent. However Symantec has not provided an official statement.
Doctor Web is now warning Mac OS X users to install the Java updates and scan the system to determine whether it has been infected. For more information about BackDoor.Flashback detection and neutralization, visit https://www.drweb.com/flashback/. To remove the trojan, consumers can use Dr.Web for Mac OS X Light available free of charge.