Why is the program several MBs of code? What functionality does it have that could make it so much larger than Stuxnet? How come it wasn’t detected if it was that big?
The large size of the malware is precisely why it wasn’t discovered for so long. In general, today’s malware is small and focused. It’s easier to hide a small file than a larger module. Additionally, over unreliable networks, downloading 100K has a much higher chance of being successful than downloading 6MB.
Do you agree with that?
Employing complex internal functionality using Windows APC calls and thread start manipulation, and code injections into key processes
Loading as part of Winlogon.exe and then injecting itself into explorer.exe and services
I don't understand it. What is a Windows APC and what is its relationship to code injection? What about Winlogon.exe and injecting into explorer.exe?
Using a custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
Does it mean it holds its attack modules in a database?
Thanks in advance!
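The quoted report only says "custom database", and the question asks whether the attack modules live inside it. The script below is an added example, written for this page and not taken from the question, from the quoted report, or from any analysis of the malware. It assumes the database is an SQLite file (an assumption; the quoted text does not say what engine is used) and shows the check a responder would run on such a file: walk every table, and flag any BLOB cell that carries a Windows PE image (an "MZ" DOS header whose e_lfanew field points at a "PE\0\0" signature). The sample database it scans is constructed inline with fake headers so the script runs offline; nothing in it is real malware.

```python
import os
import sqlite3
import struct
import tempfile


def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE check: 'MZ' DOS stub and e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_pe_blobs(db_path: str):
    """Return [(table, rowid, size)] for every BLOB cell in the file that looks like a PE image."""
    hits = []
    con = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            # Table names come from an untrusted file: quote them as identifiers.
            query = 'SELECT rowid, * FROM "%s"' % table.replace('"', '""')
            try:
                rows = con.execute(query).fetchall()
            except sqlite3.OperationalError:
                continue  # e.g. WITHOUT ROWID tables; skip rather than abort the scan
            for row in rows:
                rowid, cells = row[0], row[1:]
                for cell in cells:
                    if isinstance(cell, bytes) and looks_like_pe(cell):
                        hits.append((table, rowid, len(cell)))
    finally:
        con.close()
    return hits


def fake_pe(body_len: int = 64) -> bytes:
    """Constructed stand-in for a PE image: valid MZ/PE headers, zero-filled body."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * body_len


def build_sample_db(path: str) -> None:
    """Constructed sample: one PE blob, one plain blob, one 'MZ' blob that is not a PE."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE modules(name TEXT, data BLOB)")
    con.executemany("INSERT INTO modules VALUES (?, ?)", [
        ("module_a", fake_pe(128)),
        ("config", b"not a pe at all"),
        ("mz_only", b"MZ" + b"\x00" * 100),
    ])
    con.execute("CREATE TABLE log(msg TEXT)")
    con.execute("INSERT INTO log VALUES ('hello')")
    con.commit()
    con.close()


def demo():
    """Build the constructed database in a temp file, scan it, return the hits."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sample_db(path)
        return find_pe_blobs(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for table, rowid, size in demo():
        print(f"{table} rowid={rowid}: {size}-byte PE image")
```

Point find_pe_blobs() at a real file to use it; the e_lfanew check is what keeps random data that happens to start with "MZ" from being reported, and a hit is only a lead, since the blob may still be encrypted, compressed or merely a dropper's resource.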