Although all security companies now agree that the best days of Flashback (or ‘Flashflake’) are behind it, the new numbers suggest a greater level of infection than has been reported by rivals.
Measured by UUID device identifiers, Dr. Web now believes that at its greatest extent the bot was around 817,000 machines, with an average of 550,000 contacting the command and control servers during any 24-hour period.
By 19 April the bot was communicating with 566,000 Macs, down from 673,000 three days earlier, still considerably higher than Symantec’s estimate last week that the bot’s size had shrunk to 270,000 infected systems, and Kaspersky’s figure of 237,000 on 14 and 15 April.
Some of the confusion could be down to measuring the bot using either IP addresses or device IDs (UUIDs), and doing so at different points in time.
However, Dr. Web thinks it has a better explanation for this discrepancy, which, it said, has to do with attempts by an unnamed entity (presumably a security company) to block the bot’s activity.
Infected bots had been connecting to a server at 220.127.116.11, which was putting them into a suspended state. Machines in that state stop communicating, so they are no longer registered as ‘active’ by security companies’ sinkholes despite still being infected.
“This is the cause of controversial statistics: on one hand, Symantec and Kaspersky Lab reported a significant decline in the number of Backdoor.Flashback.39 bots; on the other hand, Dr. Web repeatedly indicated a far greater number of bots which didn’t tend to decline considerably,” the company argued.
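To make the two measurement points above concrete (IP address versus UUID counting, and bots that go quiet without being cleaned), here is an added Python example that is not from the article or from any of the vendors named. It counts a constructed sinkhole check-in log per day by both keys and lists UUIDs that were once seen but have stopped checking in; the log lines, IPs and UUIDs are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole check-in log (not real Flashback data): timestamp, source IP, bot UUID.
# uuid-a and uuid-b sit behind a shared NAT address on 16 April; uuid-c and uuid-d stop
# checking in after 16 April, as bots parked in a suspended state would.
SINKHOLE_LOG = """\
2012-04-16T01:00:00 198.51.100.7 uuid-a
2012-04-16T02:00:00 198.51.100.7 uuid-b
2012-04-16T03:00:00 203.0.113.9 uuid-c
2012-04-16T04:00:00 203.0.113.10 uuid-d
2012-04-17T01:00:00 198.51.100.7 uuid-a
2012-04-17T02:00:00 198.51.100.8 uuid-b
2012-04-18T01:00:00 198.51.100.7 uuid-a
2012-04-18T09:00:00 198.51.100.7 uuid-a
2012-04-18T02:00:00 198.51.100.9 uuid-b
"""


def parse_log(text):
    """Parse 'timestamp ip uuid' lines into (day, ip, uuid) tuples; day is 'YYYY-MM-DD'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, uuid = line.split()
        records.append((datetime.fromisoformat(ts).date().isoformat(), ip, uuid))
    return records


def daily_active(records, key):
    """Distinct bots seen per 24-hour day, counted by 'ip' or by 'uuid'."""
    idx = {"ip": 1, "uuid": 2}[key]
    seen = defaultdict(set)
    for rec in records:
        seen[rec[0]].add(rec[idx])
    return {day: len(ids) for day, ids in sorted(seen.items())}


def ever_seen(records):
    """Distinct UUIDs across the whole log: infected at some point, whether or not still active."""
    return len({rec[2] for rec in records})


def gone_quiet(records, day):
    """UUIDs seen before but absent on the given day. The sinkhole alone cannot tell
    whether these were cleaned or merely parked by a third-party server."""
    active_today = {rec[2] for rec in records if rec[0] == day}
    return {rec[2] for rec in records if rec[0] < day} - active_today


if __name__ == "__main__":
    recs = parse_log(SINKHOLE_LOG)
    print("by IP:  ", daily_active(recs, "ip"))
    print("by UUID:", daily_active(recs, "uuid"))
    print("ever seen:", ever_seen(recs), "quiet on 18th:", gone_quiet(recs, "2012-04-18"))
```

Counting by IP undercounts NATed hosts on the 16th, while the per-day UUID count drops from four to two even though all four machines remain infected, which is the shape of the discrepancy the article describes.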