Further analysis of Flashback suggests that, even after the release of patches and the media attention devoted to the malware, the number of infections could be increasing rather than decreasing.
Infection rates for the now highly prolific trojan have been met with scepticism since its initial discovery, with many not believing that upwards of 650,000 Macs could be infected. Unfortunately, this was exacerbated by confusion around infection rates caused by the botnet not communicating with all security researchers' sinkholes. This led to researchers believing that Apple's patches and malware-removal tools were causing a reduction in infection numbers, when actually that may not be the case.
There is still no consensus on what the actual infection numbers are, with Dr.Web counting about 650,000 mid-last month — a number that is larger than that estimated by other researchers, as the company's work uses the greatest number of sinkholes — while Symantec only found 185,000 infections across its own sinkholes. While the overall number of infections may never be known, an idea of the general trend of infections can be determined if a single sinkhole is examined over a period of time, and is considered to represent a fair sample of total infections — especially if the same trend is independently observed across multiple sinkholes.
This is exactly what Intego has been doing since the end of April. It has found that not only is it recording 100,000 infections from observations of its single sinkhole, but that the number is also on the rise, even taking into account fluctuations, which it explains as being due to weekends and the observance of the May Day public holiday in many parts of the world.
Flashback infections observed by Intego
- 30 April: 102,769
- 1 May: 96,948
- 2 May: 103,779
- 3 May: 121,826
- 4 May: 102,375
- 5 May: 118,593
- 6 May: 113,909
"The number of infected Macs is not decreasing, but is actually increasing. Even though Apple has provided an update, which patches the Java vulnerability that this malware is exploiting, it seems that many Mac users are simply not updating their Macs," security researcher Peter James wrote on Intego's Mac Security Blog.
A cruder trend can also be seen by looking at Symantec's results.
At the time of its analysis, using its own sinkhole observations, Symantec saw 140,000 infections and made the prediction that by 17 April the number of infections would drop to about 99,000. This was because Symantec thought that the number of infections had already dropped from Dr.Web's 650,000 infections, not having yet discovered that infection numbers were varying from sinkhole to sinkhole. However, on 20 April, it observed on its own sinkhole that some 185,000 Macs were still infected — marking an increase, rather than a decrease. This would mean that the company has actually seen 45,000 more Macs become infected, providing further fuel to Intego's argument that the Mac infections are on the rise.
Dr.Web would have the largest sample for tracking infection rates; however, at the time of writing, the company has only published observations up to 25 April, which were showing a downward trend.