[CWuestefeld]

From the Kaspersky link:

I can think of several reasons why someone might want to try to steal our technical data, but each one of them doesn’t seem to be worth the risk.

I don't get it: what's the risk here? As far as I can see, the only risk is that their malware is removed from the victim machines. The risk of blowback to the perpetrators is vanishingly small as far as I can see.

[r721]

Well, the malware used some quite innovative techniques, for example, consider this quote from Ars Technica article:

>Kaspersky researchers have described it as a "0-day trampoline" because it allowed their malicious modules to jump directly into the Windows kernel, the inner part of the operating system that has unfettered access to system memory and all external devices. The trampoline exploit allowed the malware to bypass digital signature requirements designed to prevent the loading of malicious code into the OS kernel space.

>"What is really impressive here—what I call really amazing—is the entire malware platform depends on this zero-day to work," Raiu said. "So if there is no zero day to jump into kernel mode this doesn't work."

Now this will be patched, and they will need something completely different for the next framework.

[AnimalMuppet]

Follow that thought. If the risk was exposing these techniques, and exposure meant that the attackers would need new techniques, and the attackers were willing to take the risk, then...

Then they probably already have their new techniques all ready to go. Maybe even deployed in the field.

[r721]

Yeah, this is actually addressed in the further paragraphs:

>Raiu went on to say the reliance on the highly unusual vulnerability is one of the things underscoring Duqu developers' extraordinary talent and the plentiful number of additional unpatched security bugs with the same unusual capabilities they likely have at their disposal.

>"These guys are so confident to develop their entire platform based on this zero day it means if they get caught and this zero day is patched they probably have another one they can use, which I would say is a pretty scary thought," he said. "Nobody develops an entire malware platform based on just one simple assumption that this zero day will work forever, because eventually it will be discovered and patched. And when it is patched your malware is not going to work anymore. I think that's also very scary and quite impressive."

Still the attackers' resources are not unlimited - they lost some development time, and maybe some unique opportunities which were possible only with this particular zero-day.

[mark-r]

Perhaps they also knew that other bad actors had already discovered this particular 0-day and wanted it to be outed?

[stirlo]

^ This seems like a great way to perform a risky operation and simultaneously stop your adversaries.

[mentat]

> Now this will be patched, and they will need something completely different for the next framework.

Which is probably already developed, tested, and deployed.

[hcrisp]

One plausible reason is that they wanted to see if some other as yet undisclosed attack has hit Kaspersky's radar. Peek into the detective's briefcase to see if he is investigating something that may expose your bigger caper. There is low risk to being found for your true caper.

[pja]

At the very least, you use up the particular 0-day attacks you used to gain access to the system - since they had to keep re-using them in order to re-infect machines over reboots there was a pretty high chance that once detected, Kaspersky would discover the exploits being used. Apart from entities like the NSA themselves you probably couldn’t choose a more security aware target.

Any large nation state probably has a nice cache of 0-days ready to roll out at any given time, but they’re still a limited resource that could be used to attack other targets. Attacking Kaspersky pretty much guarantees that the 0-days are blown once the infiltration is discovered.