Flashback botnet not shrinking, huge numbers of Macs still infected

20.04.2012

According to Dr. Web, counts by others were incorrect because of how the malware calculates the locations of command-and-control (C&C) servers, and how it communicates, or tries to, with those domains.

Dr. Web said it had sinkholed the primary Flashback C&C domains at the beginning of the month, and that after an infected Mac asks those servers -- now controlled by Dr. Web -- for instructions, it then reaches out to another domain.

Dr. Web said it did not know who controlled that follow-up domain, but O Murchu suspected it is another security company or researcher.

But Dr. Web did know what happens next in Flashback's complex communication scheme.

"This server communicates with bots but doesn't close a TCP connection," wrote Dr. Web. "As [a] result, bots switch to the stand-by mode and wait for the server's reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists [including Kaspersky and Symantec].