by FDSGSG 2134 days ago
That sounds reaaally unlikely. If the malware shipped a mysql client the NSA would definitely be able to pop the mysql server it connects to.

The point wasn't whether or not they could or did. The point was that it could be inferred based on what SQL client the malware client was using without ever touching the server.
It is extraordinarily unlikely that the malware would ship with a mysql client or talk mysql with the C2.

If it does, that's an easy claim to prove.

Read the document. They have the server software. They have configuration files for the server, they know how it processes communication, they know how it generates UUIDs. They have the server software.
Why RTFA when I can make baseless speculations? :D