Why Flame can't be the world's most complex malware

30.05.2012

"Ralph Langner, a prominent Stuxnet researcher, he estimated that it took five to ten developers around six months to create it, so probably less than a few million dollars," he said in a to Security Summit 2011 (MP3) in South Africa last year.

Gray had run these estimates past "a few people who would know", and he reckons they said Stuxnet would have been "significantly cheaper".

Flame is 20 times the size of Stuxnet, we're told, or 40 times if all its modules are loaded. But as Sophos senior technology consultant Graham Cluley points out, that's just a -- and Flame seems to be coded in a way that would naturally result in bloat.

For the sake of my argument, I'll be conservative and guess that Flame took 10 person-years to write. Call it $5 million, given typical defence-contractor margins.

Mikko Hypponen, F-Secure's chief research officer, told the AusCERT conference earlier this month that there are literally hundreds of US malware-writing jobs being advertised today with US defence contractors, and presumably hundreds in all the other technologically advanced nations too.