According to Doctor Web, the Russian security vendor that was the first to provide an estimate of the number of infected systems, over 550,000 Macs may still be infected.
As of last Thursday, the company's count was 566,773.
Doctor Web officials explain the discrepancy in terms of the way infected computers attempt to communicate with the command and control servers. We already knew that the malware uses an algorithm to determine the domain names used on particular days, and these have been 'sinkholed' by Doctor Web and other companies.
But after attempting to communicate with those servers, the malware falls back to contacting a server at the IP address 74.207.249.7 ("controlled by an unidentified third party") and then goes into a standby mode in which it no longer attempts to communicate with other C&C servers.
That suggests there is no definite way of distinguishing, from outside, between computers that are in this standby mode and those that were infected but have now been cleaned. One possibility - not raised by Doctor Web - is that when an infected Mac is rebooted, the malware once again attempts to communicate with the 'server of the day' before checking in with the C&C server at that fixed address. Mac owners commonly do not restart their computers for weeks or months on end, and that could cloud the statistics.
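
The counting problem described above can be seen from a network owner's side with a short script. This is an added example, not code from Doctor Web or the article: the log records, host names, day numbers and sinkhole domain names are constructed placeholders, and only the fixed IP address comes from the text.

```python
FALLBACK_IP = "74.207.249.7"  # fixed address named in the article
# Placeholder names standing in for the sinkholed "server of the day" domains
# (constructed; the real generated names are not given in the article).
SINKHOLED = {"day1.sinkhole.example", "day2.sinkhole.example"}

# Constructed egress log: (day number, internal host, destination)
LOG = [
    (1, "mac-01", "day1.sinkhole.example"),
    (1, "mac-01", FALLBACK_IP),           # then goes quiet (standby)
    (1, "mac-02", "day1.sinkhole.example"),
    (1, "mac-02", FALLBACK_IP),
    (2, "mac-02", "day2.sinkhole.example"),  # rebooted, so it beacons again
    (2, "mac-02", FALLBACK_IP),
    (2, "mac-03", "www.example.org"),        # unrelated traffic
    (2, "mac-04", "day2.sinkhole.example"),  # no fallback contact logged yet
]


def sinkhole_view(log, day):
    """Hosts a sinkhole operator would count on a given day."""
    return {host for d, host, dest in log if d == day and dest in SINKHOLED}


def local_view(log, day):
    """Hosts a network owner can flag from its own logs up to `day`."""
    last_sinkhole, last_fallback = {}, {}
    for d, host, dest in sorted(log):
        if d > day:
            continue
        if dest in SINKHOLED:
            last_sinkhole[host] = d
        elif dest == FALLBACK_IP:
            last_fallback[host] = d
    status = {}
    for host in set(last_sinkhole) | set(last_fallback):
        # Fallback contact at or after the last sinkhole hit means the host
        # has presumably stopped beaconing and will not show up again.
        if last_fallback.get(host, -1) >= last_sinkhole.get(host, 0):
            status[host] = "standby-suspect"
        else:
            status[host] = "beaconing"
    return status


if __name__ == "__main__":
    print("sinkhole count, day 2:", sorted(sinkhole_view(LOG, 2)))
    print("local view, day 2:", local_view(LOG, 2))
```

On day 2 the sinkhole no longer sees mac-01, while the local logs still flag it; whether it has since been cleaned can only be settled by inspecting the machine itself.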