Flashback cleanup stalls, 142K Macs still infected

Gang likely ex-Windows malware makers, says Symantec

The Flashback botnet continues to wither, and now controls approximately 140,000 Macs, a Symantec security manager said today.

As of yesterday, 142,000 Macs were infected with Flashback, down from a peak of more than 600,000 two weeks ago. As recently as April 11, the botnet herders held 323,000 Macs in their hands.

But the infection count has been stalled at the 142,000 mark since Monday, said Liam O Murchu, manager of operations of Symantec's security response team.

"The amount of cleanup has tapered off," O Murchu said, referring to the small decreases of just 7% and 2% last Saturday and Sunday, respectively, and this week's unmoving tally.

Symantec has tracked the decline of the Flashback botnet by using the same intelligence-gathering tactic deployed by two Russian security companies that came up with the initial estimates of the Flashback infection two weeks ago.

Flashback includes a domain-generation algorithm that tells the malware where to look for commands each day, a technique commonly used by bot makers. Symantec cracked the algorithm to determine those domains (essentially jumbles of letters) and registered several. It then set up its own servers on the domains and waited for infected Macs to reach them for orders.

The process, called sinkholing, was used by Dr. Web and Kaspersky Lab, the two Russian antivirus firms that announced and confirmed the massive size of the Flashback botnet.
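To make the sinkholing described above concrete, here is an added example (not Symantec's code, and not Flashback's actual algorithm): a hypothetical date-seeded DGA stands in for the cracked one, a defender pre-computes the next few rendezvous domains to register, and a counter estimates the infected population from constructed sinkhole log lines.

```python
from datetime import date, timedelta
import hashlib

def dga_domain(day: date) -> str:
    """Hypothetical stand-in DGA (not Flashback's real one): one
    pseudo-random letter-jumble domain per calendar day."""
    digest = hashlib.sha256(day.isoformat().encode()).digest()
    letters = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    return letters + ".com"

def domains_to_sinkhole(start: date, days: int) -> set[str]:
    """The defender pre-computes the bots' upcoming rendezvous domains
    so they can be registered before the botnet herders use them."""
    return {dga_domain(start + timedelta(days=i)) for i in range(days)}

def count_infected_per_day(log_lines, sinkholed):
    """Count distinct source IPs per day that asked a sinkholed domain for
    orders. Distinct IPs undercount hosts behind NAT and overcount DHCP
    churn, so treat the result as an estimate, like the article's figures."""
    seen: dict[str, set[str]] = {}
    for line in log_lines:
        day, src_ip, domain = line.split()
        if domain in sinkholed:
            seen.setdefault(day, set()).add(src_ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}

# Constructed sample sinkhole log: "<date> <source-ip> <queried-domain>",
# three days of check-ins plus unrelated noise traffic.
START = date(2012, 4, 16)
SINKHOLED = domains_to_sinkhole(START, 3)
SAMPLE_LOG = [
    f"{START} 203.0.113.5 {dga_domain(START)}",
    f"{START} 203.0.113.9 {dga_domain(START)}",
    f"{START} 203.0.113.5 {dga_domain(START)}",      # same host checking in again
    f"{START} 198.51.100.7 unrelated-site.example",  # not a bot
    f"{START + timedelta(1)} 203.0.113.9 {dga_domain(START + timedelta(1))}",
    f"{START + timedelta(2)} 203.0.113.9 {dga_domain(START + timedelta(2))}",
]

if __name__ == "__main__":
    for day, n in count_infected_per_day(SAMPLE_LOG, SINKHOLED).items():
        print(day, n)
```

Run day after day, the per-day distinct-host counts are the "infection tally" whose decline the article tracks.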

Even though the infection total has dwindled, Flashback isn't shrinking as fast as Symantec anticipated. "Because it went from 600,000 to 380,000 pretty quickly, we expected that decline to continue," said O Murchu.

In an update posted on its website Tuesday, Symantec said, "Infection numbers should have seen a dramatic decrease by now," and cited the availability of numerous Flashback detect-and-delete tools for its misplaced optimism.

Last Thursday, Apple issued its own Flashback scrubbing utility, following the lead of several antivirus companies, including Kaspersky Lab and Symantec, which have deployed free tools.

But Flashback's stall isn't unusual, said O Murchu.

[Figure: Flashback numbers] Flashback malware cleanup has stalled, with more than 140,000 Macs still infected. (Image: Symantec.)
