Also, the Linux kernel, and any other half decent large C program.
Can't tell if you are trolling or ...
From their perspective, I'm sure (over)hyping everything new they analyze as the next 'big deal' helps business even if they are wrong about the details on occasion.
I really want to know what that 0day is; I can't comprehend how hard it would be to find a 0day remote execution on a Windows system.
Some exploits like those delivered via browsers attempt to execute code in privileged contexts without any file i/o. There might never have been anything to remove.
Sounds almost like "lean malware" written by a relatively small team using easily available tools and libraries.
"Tool prototyping in the FLAME platform is based on the Lua scripting language. Lua is adopted in FLAME as an extension language: its interpreter is embedded as a library into the measurement agents. On the one hand, the Lua interpreter gives to the scripts running in the agents access to active measurement primitives through a high-level, minimalist API. On the other hand, the measurement agents and the measurement API are implemented in C, preventing significant overheads in the measurement results due to the execution of Lua scripts."
Even better if the scripts can then be updated remotely as well.
All things considered, this is the kind of thing you'd do if you were going to do this long term.
What's next? Shipping the JVM and MariaDB?
CamelCase is mingled with upper and lower case VERBOSE_DEFINITIONS separated_by_underscores. This lack of a clear coding style may be visually annoying, but can be added during a final obfuscation step. The unstyled code may not be present in the unobfuscated repo, and does not necessarily indicate the presence of conflicting coding styles on the malware team.
The properties table called flame_props is created and populated inside of a deeply nested if-statement. Are all other branches of this function forced to operate without a valid properties table? This is not an obvious design choice for any programmer who values harmony in a team working on a shared codebase. Perhaps the Lua coder worked alone. Also, this kind of wtf_logic is difficult to insert later as obfuscation.
On lines 2 and 4 of the example, the Flame Lua supervisor appears to be loading text from an external source and eval'ing it as code. Lua distributions have long offered an entire API for managing and loading modules. Breaking a large project into modules is a standard practice. Reinventing a module loading tool, then, is probably not a path to reliability. The module loading code in Lua is a time-tested grab bag of platform-specific heuristics and yet is still a frequent topic of discussion on the mailing list. Given the multi-platform operating requirements of the program, reinventing it doesn't seem like the most robust design decision.
Similarly, the flame_props table is initialized with strings that look like the names of entries in property tables of other modules. Why is there not a central way to create and populate these tables? Requiring conversion of "string dot string" into a clean table reference before use seems to unnecessarily add danger to the setup code.
Although I keep referring to a possible obfuscation step, I don't see strong evidence for one. The code uses variable names like SUCCESSFUL_INTERNET_TIMES_CONFIG next to l_1_0 and l_1_1. The short names are quite likely to cause new bugs due to typos, yet the long ones are very descriptive, almost self-documenting. I have seen code like this before -- it came from neglect bordering on malice, not from deliberate obfuscation.
There is plenty more in there.
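As an added example (not code from the thread, from the malware, or from the Lua distribution), this is the kind of helper and standard module loading the comment above contrasts with reading text and eval'ing it; the module and property names are made up:

```lua
-- Resolve a dotted name like "sensors.net.timeout" against a root table.
-- Returns the value, or nil plus an error naming the segment that failed.
-- Nothing here is ever passed to load()/loadstring().
local function resolve_path(root, path)
  if type(path) ~= "string" or path == "" then
    return nil, "path must be a non-empty string"
  end
  local cur = root
  for seg in string.gmatch(path, "[^.]+") do
    -- Only plain identifiers are accepted as segments.
    if not seg:match("^[%a_][%w_]*$") then
      return nil, "invalid segment '" .. seg .. "' in " .. path
    end
    if type(cur) ~= "table" then
      return nil, "'" .. seg .. "' reached through a non-table in " .. path
    end
    cur = cur[seg]
    if cur == nil then
      return nil, "'" .. seg .. "' not found in " .. path
    end
  end
  return cur
end

-- Standard module loading: register a loader in package.preload (the table
-- `require` consults before searching package.path) instead of fetching
-- source text and evaluating it. "sensors.net" is a made-up module name.
package.preload["sensors.net"] = function()
  return { timeout = 30, retries = 3 }
end
local net = require("sensors.net")

-- A properties table built up front, so every branch can rely on it
-- ("props" is a made-up name standing in for a table like flame_props).
local props = { sensors = { net = net } }

assert(resolve_path(props, "sensors.net.timeout") == 30)
assert(resolve_path(props, "sensors.net.missing") == nil)
-- A segment that is not an identifier is rejected rather than evaluated.
assert(resolve_path(props, "sensors.net; os.exit()") == nil)
```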
"What's in a name?" http://www.lua.org/about.html#name
SQLite is 500kB, Lua is 150kB, zlib is 80kB, libbz2 is 60kB. Together this comes to less than 1MB, not 20MB. You would need an awful lot of libraries like this to get anywhere close to 20MB.
What point are you trying to make exactly?
Although the naming differs, it has been noted on several blogs that it is the same malware.
You should still have some kind of comprehensive security solution in place, particularly for a business environment, but use of non-standard software is an effective fail-safe for when your "real" security craps out on you (as it inevitably will).
Also, what if the mail component were used to hide/archive the virus? Hide a virus attachment from someone to themselves, then have some bootstrap code (Outlook/email client exploit, perhaps) that loads the email-archived virus back onto the comp.
They should do project estimation instead of Security Analysis.
- http://www.youtube.com/watch?v=CS01Hmjv1pQ
Surely that can't be all-inclusive… is it?
I guess you could include companies like Sony but they were probably excluded for not having the same malicious intent.
I've heard of researchers from one company dumpster diving the competition. A worm (as amateur as a 20MB one) could easily be the work of that kind. But I think it gets less press than "evil country" "omg world cyber war" ...not that it may not be happening anyway.
(This is beside the point of whether it is a good or bad idea. In any case, it certainly seems novel to me.)