The number of Apple Macintosh computer infected by the Flashback Trojan may be growing, not shrinking.
American anti-virus software giant Symantec, in a blog posting yesterday (April 17), reported that the Flashback botnet had been reduced to 140,000 machines, a sharp drop from an estimated 600,000 on April 1.
That's good news, but it's not unexpected, especially after the distribution of several free Flashback removal tools, including Apple's own.
It may also be wrong. On Monday, the Russian anti-virus firm Dr. Web said the Flashback botnet, after having stabilized for the previous two weeks, was growing again and had reached nearly 800,000 infected Macs.
Today (April 18), F-Secure researcher Mikko Hypponen tweeted that his Dr. Web sources had told him that the Flashback botnet now involved more than 811,000 machines.
Dr. Web, a company previously little known in the West, gave the first accurate estimates of the size of the Flashback botnet in early April. Those estimates were quickly confirmed by other anti-virus companies.
All of the estimates rely on a technique called "sinkholing." Security firms search a Trojan's code for instructions on how to communicate with the Trojan's command-and-control servers, the remote computers that control and send updates to the vast army of silently infected machines — the botnet.
The security firms then send out their own update to the infected machines, asking them to communicate with new command-and-control servers that the firms themselves have set up. In this way, botnets can be defanged and their size estimated.
It's not clear why there's such a huge discrepancy between Symantec's and Dr. Web's numbers. SecurityNewsDaily has reached out to both firms for clarification and is awaiting a reply.