I'm puzzled by the use of the word "discovered" in this paragraph from Kaspersky's breathless press release announcing their work on the new Flame malware:
The independent research was initiated by ITU and Kaspersky Lab after a series of incidents with another, still unknown, destructive malware program – codenamed Wiper – which deleted data on a number of computers in the Western Asia region. This particular malware is yet to be discovered, but during the analysis of these incidents, Kaspersky Lab’s experts, in coordination with ITU, came across a new type of malware, now known as Flame.
What does it mean to have "incidents" with an "unknown, destructive malware" which is "yet to be discovered"? What is discovery if it is not the observation of a malware-caused incident?
The Kaspersky "Flame FAQ" is fascinating:
there are internally used local databases with nested SQL queries, multiple methods of encryption, various compression algorithms, usage of Windows Management Instrumentation scripting, batch scripting and more.
It will be very interesting to see if any other independent researchers can confirm these findings, as they seem rather unusual on the face of it. The only other reports right now appear to be from the Budapest University of Technology at their web site: http://www.crysys.hu/