[r721]

Well, the malware used some quite innovative techniques, for example, consider this quote from Ars Technica article:

>Kaspersky researchers have described it as a "0-day trampoline" because it allowed their malicious modules to jump directly into the Windows kernel, the inner part of the operating system that has unfettered access to system memory and all external devices. The trampoline exploit allowed the malware to bypass digital signature requirements designed to prevent the loading of malicious code into the OS kernel space.

>"What is really impressive here—what I call really amazing—is the entire malware platform depends on this zero-day to work," Raiu said. "So if there is no zero day to jump into kernel mode this doesn't work."

Now this will be patched, and they will need something completely different for the next framework.

[AnimalMuppet]

Follow that thought. If the risk was exposing these techniques, and exposure meant that the attackers would need new techniques, and the attackers were willing to take the risk, then...

Then they probably already have their new techniques all ready to go. Maybe even deployed in the field.

[r721]

Yeah, this is actually addressed in the further paragraphs:

>Raiu went on to say the reliance on the highly unusual vulnerability is one of the things underscoring Duqu developers' extraordinary talent and the plentiful number of additional unpatched security bugs with the same unusual capabilities they likely have at their disposal.

>"These guys are so confident to develop their entire platform based on this zero day it means if they get caught and this zero day is patched they probably have another one they can use, which I would say is a pretty scary thought," he said. "Nobody develops an entire malware platform based on just one simple assumption that this zero day will work forever, because eventually it will be discovered and patched. And when it is patched your malware is not going to work anymore. I think that's also very scary and quite impressive."

Still the attackers' resources are not unlimited - they lost some development time, and maybe some unique opportunities which were possible only with this particular zero-day.

[mark-r]

Perhaps they also knew that other bad actors had already discovered this particular 0-day and wanted it to be outed?

[stirlo]

^ This seems like a great way to perform a risky operation and simultaneously stop your adversaries.

[mentat]

> Now this will be patched, and they will need something completely different for the next framework.

Which is probably already developed, tested, and deployed.