Today @pinkflawd and @headhntr gave a wonderful talk at Defcon about state-sponsored attacks and the (bad) state of attribution.
Among the many great things they talked about, the “tipping point” for me was the revelation of a rusty, hidden campaign dubbed Cheshire Cat, targeting Windows NT systems and using the notorious ~D prefix, which tries to avoid only Kaspersky AV.
A quick look at the samples provided in their keynote shows that (as usual) none of the AV vendors detected the malware at that time.
If (like me) you wanna find out what it's all about, feel free to download them from here: https://s3-us-west-2.amazonaws.com/grandfatherstuxnet/CheshireCat.7z (password: standard industry one).
Let me know what you find out (:
Update: Part of the research and keynote is now on the Black Hat website - https://www.blackhat.com/docs/us-15/materials/us-15-MarquisBoire-Big-Game-Hunting-The-Peculiarities-Of-Nation-State-Malware-Research.pdf
The full keynote is now (26/08/2015) live on YouTube: