Dealing with your questions/comments in sequence:

1. I assume you're referring to the database of Flashback infected computers Kaspersky compiled with their sinkhole approach. Given the fact that the bots regularly contact home, or can be made to do so with appropriate commands, the likelihood that any particular infected Mac is included approaches 100% in a matter of hours as long as it's running and connected to the internet.

2. An estimate subject to the constraints you list is effectively meaningless. To my knowledge Dr. Web was the first to come up with numbers of infected Macs, using a sinkhole approach similar to the one Kaspersky used in their confirmation of these numbers. But this was in early April, and candidate Flashback variants have been around for months.
Another aspect of this is the size of the drive-by network of WordPress (and perhaps other) sites that redirected its visitors to the Flashback infection sites. That had to be in place and sufficiently large to be able to quickly build the Flashback botnet we now have (or had, as people are cleaning up). But this number too is an estimate, albeit one that precedes that of the Flashback botnet by a month or more.

3. Your local Flashback detection via Terminal or script is just that: local, and it looks for the actual spoor of the trojan. Kaspersky's UUID-test approach does things in a different way, by checking its database of infected Macs (the ones that called back 'home' or the sinkhole) for the UUID you provide. I wouldn't be surprised if this Kaspersky tool may still claim (for some time at least) you're infected after you've cleaned the trojan out of an infected Mac. Meanwhile, the database gets updated continually, and cleaned computers will gradually vanish from its rolls as they stop calling back home (with the same caveat as given under #1 above).

The presence of software that makes the trojan erase itself has been mentioned here before, albeit in passing. More specifically, if you check F-Secure's descriptions (see this post for the links) you'll find MS Office components listed for Flashback.K, and antivirus utilities etc. for Flashback.I. So, to the extent that these F-Secure descriptions are reliable, it's factual.

Last edited by alternaut; 04/12/12 02:18 PM. Reason: Added Dr. Web link

alternaut moderator