Re: Wait a minute
This makes the whole tangent about the MS Office key crack pointless.
The point is that the malware installed by the Office keygen could have been the vector for someone other than Kaspersky getting access to the computer to obtain the NSA malware on it.
How does Kaspersky know what to look for, and upload their find to Russia?
Because hacking tools are usually suites that are built up over time, based on earlier revisions, enhanced, added to, and so on. Therefore, as with any suite, they often have common libraries, common blocks of code (so even if not a library, a copy-paste of working exploits from an older version into the newer version) and so on.
Linguistic analysis can quite accurately tell who wrote a post, or series of posts, of novels, essays and so on. Everyone has their own style, grammar, punctuation usage, same repeated spelling errors and whatnot.
The exact same thing applies to programming. Someone could have a favourite error routine that they've developed over years and reuse in new code rather than writing it from scratch - or using someone else's. The number of spaces/tabs used in indentation, language used in comments, variable/function/class naming styles, all can be used to determine who wrote a piece of code.
Since Kaspersky had earlier samples of NSA malware/exploits, they already have a library of those common routines, styles, and so on to search for. So if they find a file that has a chunk of known code (e.g. still using same exploit_0345 library in the new stuff, or an entire code chunk is the same as a sample they already have - but the rest is different) then any virus scanner worth its name will flag that as a suspect file. And if the user has enabled (or rather, hasn't disabled) the "send suspicious code back to mothership for further analysis" option that most modern AV have - Kaspersky, ESET, Symantec, Windows Defender, and most of the other big-name ones - then that file, and 'surrounding' files, e.g. an entire zip archive if it finds suspicious files in the archive - will be sent back.
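The shared-chunk matching described in the comment above can be sketched as follows; this is an added example, not part of the original post and not any vendor's actual engine. The window size, threshold, sample name and byte strings are all constructed assumptions.

```python
import hashlib
import random

WINDOW = 16    # bytes per sliding window (assumed value)
MIN_RUN = 32   # shortest shared span that counts as code reuse (assumed value)

def filler(seed: int, n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for unrelated code."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def window_hash(data: bytes, i: int) -> bytes:
    return hashlib.sha256(data[i:i + WINDOW]).digest()[:8]

def build_library(samples: dict) -> dict:
    """Map every window hash to the known sample it was first seen in."""
    lib = {}
    for name, blob in samples.items():
        for i in range(len(blob) - WINDOW + 1):
            lib.setdefault(window_hash(blob, i), name)
    return lib

def scan(data: bytes, lib: dict):
    """Return (flagged, matched_sample, longest_shared_span_in_bytes)."""
    best_len, best_name, run, run_name = 0, None, 0, None
    for i in range(len(data) - WINDOW + 1):
        name = lib.get(window_hash(data, i))
        if name is None:
            run, run_name = 0, None
            continue
        run = run + 1 if name == run_name else 1
        run_name = name
        span = run + WINDOW - 1   # consecutive hits overlap by WINDOW-1 bytes
        if span > best_len:
            best_len, best_name = span, name
    flagged = best_len >= MIN_RUN
    return flagged, (best_name if flagged else None), best_len

# Constructed data: one 80-byte routine reused between an old and a new build.
SHARED = filler(1, 80)
KNOWN = filler(2, 100) + b"\x00" + SHARED + b"\x00" + filler(3, 100)
NEW = filler(4, 150) + b"\xff" + SHARED + b"\xff" + filler(5, 60)
CLEAN = filler(6, 300)
LIBRARY = build_library({"known_sample_A": KNOWN})

if __name__ == "__main__":
    print("new build :", scan(NEW, LIBRARY))
    print("clean file:", scan(CLEAN, LIBRARY))
```

The new build is flagged even though everything around the reused routine differs, while the unrelated file shares no window with the library.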