When we recently reported that hundreds of thousands of Macs were infected by the Flashback malware, we were basing our information on certain sinkholes created by security companies. (A sinkhole is a server set up to trap information coming from infected computers, replacing the malicious command and control servers.)
Since then, several security companies have reported that the number of infected Macs has decreased drastically, as low as 30,000.
However, Intego has analyzed the malware, and, following discussions with other security companies, has determined that not only are these numbers incorrect, they are underestimating the number of infected Macs.
(Boris Sharov of the Russian security company Dr Web has tweeted about this, and as Dr Web is one of the companies using a sinkhole, we're awaiting more information from them.)
The Flashback malware has a system by which it looks for a specific domain name on a specific day. For example, the domain used on April 19 was lequkvmlratgsm.com. But, the malware does not only seek out a .com domain; it also looks for domains ending with .net, .info, .in and .kz. When the malware connects to one of these domains, it does not seek out other domains. Since multiple companies are running sinkhole servers, each one is only reporting on the numbers of infected Macs that they see, but not the aggregate of all the different servers for a given day.
In addition, the samples that Intego analyzes using virtual machines do not contact the daily servers that certain companies have claimed are active.
For this reason, we conclude that not only are a larger number of Macs infected than what is being reported, but it is very likely that infections are continuing. Given the widespread media attention regarding the Flashback malware, many Mac users have installed antivirus software, such as Intego's Mac antivirus VirusBarrier X6. Intego, and other companies, have received numerous samples of this malware from customers who have detected it on their Macs. In some cases, this malware dates back to September, 2011, when the malware first presented as a Trojan horse. But as more and more Macs become disinfected, the numbers should decrease, and these numbers jibe with what has been published. However, the realization now that the actual number of infected Macs is a multiple of the numbers cited recently in the press suggests that as many Macs are disinfected, others are being infected.
It is impossible to determine precise numbers of computers infected by any malware, but the methods currently used to calculate the number of Macs infected by Flashback are clearly erroneous.
Update: For more information, see our later blog post, DNS Redirection Protects Against Flashback Malware, Leads to False Infection Rates.