The malware is in the form of a 64-bit kernel-level driver, which because it will be loaded into such a secure part of the operating system (the kernel), must be signed digitally and verified. That's what the stolen key/cert is about -- it "validates" to Windows that the malware-infected driver is okay to load.
So in that sense the malware has a persistent presence, in the loadable driver, on the machines where it loads on boot.
But the driver is loaded into special machines on boot -- gateways, routers, firewalls -- that specifically have the internet on one side and the corporate local network on the other side. This means the driver gets to see, filter, change, redirect, or block any network traffic it wants to. It also -- and this is important -- can dynamically supply the infected driver over the corporate network to any/all other machines inside.
And in that way, those machines do NOT have a persistent, disk-resident copy of the malware.
Or at least, that's the picture I get from this Kaspersky release:
https://securelist.com/blog/research/70641/the-duqu-2-0-persistence-module/

If you read that and get a different picture, by all means write back and correct my misapprehension. Thanks!
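A defender-side check prompted by the point above about signed drivers, added here as an example and not part of the thread: it lists the drivers Windows currently has loaded, checks each file's Authenticode signature, and flags anything unsigned, with a broken chain, or signed by a certificate thumbprint you have listed as compromised. The thumbprint list is a placeholder to fill from your own revocation data, and the check only covers drivers that exist on disk (the gateway-type hosts in the post), not purely memory-resident code.

```powershell
# Added example (not from the thread). Enumerate running kernel drivers and
# verify each file's Authenticode signature. A driver signed with a stolen but
# not-yet-revoked certificate will still report 'Valid', which is exactly why
# the thumbprint list matters: Windows trusts the signature, so you must not.

$KnownBadThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-OF-REVOKED-OR-STOLEN-SIGNING-CERT'   # fill from your own list
)

function Get-LoadedDriverSignatureReport {
    param([string[]]$BadThumbprints = $KnownBadThumbprints)

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may carry a \??\ or \SystemRoot\ prefix or quotes; normalise it
            $path = $_.PathName -replace '"', ''
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot

            if (-not (Test-Path -LiteralPath $path)) {
                [pscustomobject]@{ Driver = $_.Name; Path = $path; Status = 'FileMissing';
                                   Signer = $null; Thumbprint = $null; Flag = 'review' }
                return
            }

            # Inbox drivers are usually catalog-signed; on current Windows this cmdlet
            # consults the catalog as well as embedded signatures.
            $sig   = Get-AuthenticodeSignature -LiteralPath $path
            $cert  = $sig.SignerCertificate
            $thumb = if ($cert) { $cert.Thumbprint } else { $null }

            if ($sig.Status -ne 'Valid')             { $flag = 'unsigned-or-invalid' }
            elseif ($BadThumbprints -contains $thumb) { $flag = 'signed-with-listed-bad-cert' }
            else                                      { $flag = 'ok' }

            [pscustomobject]@{
                Driver     = $_.Name
                Path       = $path
                Status     = $sig.Status
                Signer     = if ($cert) { $cert.Subject } else { $null }
                Thumbprint = $thumb
                Flag       = $flag
            }
        }
}

# Show only the drivers that deserve a second look
Get-LoadedDriverSignatureReport | Where-Object Flag -ne 'ok' | Format-Table -AutoSize
```

Run from an elevated PowerShell session so every driver path is readable; a clean result here says nothing about drivers that were delivered over the network and never touched disk.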
Thanks for the ping. It just keeps getting more interesting. I thought it was the Israelis or the US; now I'm questioning that conclusion. Maybe it's the Chicoms, or maybe this is another clue designed to divert and confuse?
bfl
Thanks for the additional information. I must admit that I was a bit confused as to how the memory-resident portion of the virus was able to get there without being present on the machine's hard drive.