I think it cannot be a coincidence that an organization that has some kind of "internal/state/etc. security" in its name, turns out to be extremely evil, harassing, arbitrarily strict towards deemed suspects and so on. After all, for DHS translated to Russian, KGB is pretty accurate translation.

The visible partition reports whole 1TB. Truecrypt does not "know" about the hidden partition nor tries to protect it. If you store 1TB of data in the visible part, you will damage whatever was stored in that hidden compartment (the hidden part is stored at the very end of the container file).

For example, I do have a file 2GB large. But it is 99% empty, as I store only passwords, private keys, scans of various personal documents etc. there, all together takes up a couple of megabytes. If there was a need, I could put a 1,5TB hidden partition there. I would argue that the container file size was based on some assumptions regarding future content...

If I remember correctly, Stuxnet targeted Windows machines in the first step too. There it infected developer tools and the damage-causing payload did get compiled into programs for those SCADA systems of certain importance. So Windows systems might not have any obvious importance at all, but they play a role of the weakest link surprisingly well.

As an evil virus author, I would add another twist: make the plain-text part of the virus install the font (we know it does so). Few moments later, from within the encrypted code, uninstall the font (we have no clues what that code actually does).

Unsuspecting folks would devise infection detectors, which will give nice "false negatives".

Pity. I was hoping that this would be a clever part of systemic offensive. Like forcing laser printer to release deadly toner fumes by downloading evil curves of this font. Or making its kerning so bad that the users would collapse with severe headaches.

Judging from the infection vector (i.e. USB sticks), I suspect that the targets are off-line, or at least heavily firewalled. Mind you, the target is most probably some military facility, likely in Iran. I don't think navigating to a non-white-listed web page wouldn't raise alarm, from the virus author's point of view an unnecessary complication.

By the way, TFA says that the virus even installs some font. This unusual step confuses me quite a lot. Is it for some kind of "exposed but not obvious" document watermarking. Or is it preparation for some future infection vector? Questions :-(

Does somebody know whether there is that font ("Palida Narrow") available?

One of my guesses is that both the PATH element and the Program Files item are linked to a single application. That way, as long as the application is installed, the payload would be decryptable. The name check suggests that the application is some in-house project, probably not publicly released.

But maybe the "trigger" is an application in certain environment. Then the Program File would determine application presence. Then the expected item of PATH could refer to some network share, mapped disk, e.g. T:\Repository\bin. Such combination would be pretty unique and therefore an ideal "trigger", IMHO.

The trick in this case is that the key is already available at the targeted machine - the virus tries to combine various pairs of %PATH% paths and names from %PROGRAMFILES% and if some combination has an expected checksum, that's the key. To make cryptanalysis a bit more difficult, it seems that the second part of the key is not in plain ASCII. Therefore the "key distribution problem" is nicely solved - if the code runs on targeted system, the key will be easily generated. On any other machine you won't obtain any information about the key.

To continue with recommendations, Lem's final work, Fiasco is a superb book. And for more advanced readers (such as those, who read and liked Foucault's Pendulum by Umberto Eco), there are great novels His Master's Voice and Golem XIV.

I would prefer Titan, along the closing lines of one nice book: "Puppet masters -- the free men are coming to kill you! Death and Destruction!" Now that would be a nice preemptive strike on those parasites :-)

After much research regarding gear for my trips, I came across Eagle Creek stuff, and as for me, they are the best. My beloved Switchback has already suffered plenty of abuse and it still holds together. Not to mention their No Matter What Damage Repair Policy...

I really recommend them, the gear they offer is worth checking! (Now if they made some armored luggage for my camera, I would be really happy.)