The Flashback Mac botnet still has around 650,000 endpoints under its control, despite reports claiming it had shrunk.
A blog post by Russian anti-virus firm Dr Web said there had been no "significant decrease" in the number under control by Flashback, saying that 817,879 bots had connected to Flashback at one time or another, and an average of 550,000 infected machines interact with a control server on a 24-hour basis.
A report by SC Magazine from last week said that around 140,000 Macs remain infected with the Flashback Trojan, but Dr Web said that research was based on analysis of statistics acquired from hijacked botnet control servers.
Doctor Web's analysts conducted research to determine the reasons for this discrepancy and found that Flashback uses a sophisticated routine to generate control server names, with a larger part of the domain names generated using parameters embedded in the malware resources. Others are created using the current date. The Trojan then sends consecutive queries to servers according to its pre-defined priorities.
It further said that after communicating with servers controlled by Doctor Web, Trojans send requests to the server at 22.214.171.124, controlled by an unidentified third party. This server communicates with bots but does not close a TCP connection, so bots switch to the standby mode and wait for the server's reply and no longer respond to further commands.
As they do not communicate with other command centres, many of which have been registered by information security specialists, this is the cause of some statistics showing it to be reducing.
Kaspersky Lab told computerworld.com that it was looking into its statistics, while Symantec said that statistics from its sinkhole were showing declining numbers on a daily basis; it had originally believed that this meant a greater decline in infections, but admitted that "this has proven not to be the case".
A Symantec blog post said: “A recent Dr Web blog post reveals our sinkholes are receiving limited infection counts for OSX.Flashback.K. Our current statistics for the last 24 hours indicate 185,000 universally unique identifiers have been logged by our sinkhole.
“A sinkhole registered at IP address 126.96.36.199 is causing Flashback connections to hang as it never closes the TCP handshake, in effect preventing Flashback from hitting subsequent domains.”