Viruses like Stuxnet and Duqu are the atom bombs of cyberwarfare, experts say, a key tool in U.S. and foreign military arsenals. But some worry that this new generation of digital weapons could be co-opted by enemy forces -- and used against their creators.
After the Stuxnet virus hit Iran's nuclear power plants in 2010, it was collected and disseminated, falling into the hands of hackers and code-crafters worldwide. Richard Clarke, the former counterterrorism chief, is confident that the U.S. wrote the code -- and may have allowed the U.S.'s greatest cyberweapon ever to leak into enemy hands.
“It got loose because there was a mistake,” Clarke said in an interview with the Smithsonian. "And if you’re a computer whiz you can take it apart and you can say, ‘Oh, let’s change this over here, let’s change that over there.’ Now I’ve got a really sophisticated weapon. So thousands of people around the world have it and are playing with it."
The Stuxnet malware was the culmination of a vast technical and espionage effort that had one target in mind: Iran's nuclear plans. Its success set back the Iranian program for years.
July 13, 2010: Stuxnet is discovered, though few realize what exactly it is.
Nov. 26, 2010: Experts begin to fully understand the implications of the malware.
Oct. 14, 2011: Duqu, the first clone of the Stuxnet virus, is discovered by Symantec researchers.
Feb. 14, 2012: Iran finally disables the Stuxnet virus, experts say.
"And if I’m right, the best cyberweapon the United States has ever developed, it then gave the world for free."
Call it the boomerang effect -- the weapon you designed to hit others can come right back at you.
And while many still disagree that the U.S. was responsible for Stuxnet, often citing Israel as a prime suspect, the software is now unquestionably out in the wild. What if someone used it against us? Can viruses in general be turned against their masters?
Yes and no, explained Liam O Murchu, a manager of operations at Symantec Security Response, where the firm has tirelessly analyzed Stuxnet and variants such as Duqu.
“From a practical view of what you can actually do, it would be very hard to take Stuxnet, reimage it, and target someone new without the source code,” O Murchu told FoxNews.com. “So from that point of view, it’s not so dangerous to have Stuxnet out in the wild right now. Even if you get your hands on it, you don’t have the source code to refashion it to do something else.”
Retired general and former CIA chief Michael Hayden thinks the issue is far more black and white.
“There are those out there who can take a look at this ... and maybe even attempt to turn it to their own purposes,” he said in an interview with the CBS television show "60 Minutes" earlier this month.
"The best cyberweapon the US has ever developed, it then gave the world for free."
- Former counterterrorism chief Richard Clarke
Indeed, most countries today have the ability to take apart and reassemble a virus or any other bit of code. It's a common practice called code-reuse, said Chester Wisniewski, a senior security advisor at security firm Sophos.
"We see code-reuse everywhere all the time. If someone else did something like [Stuxnet or other viruses] and it worked, why not reuse it?" he told FoxNews.com.
"Most advanced countries in the world have, I’m sure, the capability of pulling something like that off," Wisniewski added.
While rejiggering malware may or may not be simple, its existence by definition reduces the barrier to entry, O Murchu said.
“The real danger is that it’s essentially a roadmap on how to conduct these kinds of attacks,” O Murchu told FoxNews.com. “It shows all the components you need, the expertise you need, and how you would approach doing an operation like this, how much time and money spent.”
The "roadmap" concept may present the biggest danger of boomeranging, experts agreed.
"Taking something like Stuxnet literally as a piece of code that you could modify and use, I couldn’t see. Using it as a roadmap, however? Absolutely."
Like the virus that causes the flu each season, a vaccine can prevent most variants of the disease -- but inevitably, something unexpected develops.
"We will stop anything that’s a direct variant of Stuxnet," Wisniewski told FoxNews.com, "but that won’t stop something in the style of Stuxnet."
“People looking at Stuxnet can figure out all of this information,” O Murchu said. “Stuxnet shows that it can be achieved.”
Jeremy A. Kaplan is Science and Technology editor at FoxNews.com, where he heads up coverage of gadgets, the online world, space travel, nature, the environment, and more. Prior to joining Fox, he was executive editor of PC Magazine, co-host of the Fastest Geek competition, and a founding editor of GoodCleanTech.