Is the US government helping cyber crooks?

As the U.S. government defends our interests and technology in the escalating global cyberwar, could it inadvertently be handing cyberweapons to criminals?

Last week, security firm Kaspersky hinted that such a nightmare situation may have taken one step closer to reality. Kaspersky revealed that a sophisticated program had been used to record instant messaging and social networking logins and bank account information and passwords -- including targets such as Citibank and PayPal accounts -- on some 2,500 infected PCs.

It may have been based on the Stuxnet cyberweapon widely attributed to the U.S.

This program, dubbed Gauss, raised alarms for its financial focus: Rather than trying to disrupt nuclear lab equipment or steal cruise missile plans, it seemed devised for monetary gain, the very goal of cybercriminals worldwide.

"There's no doubt in our mind that the authors [of Gauss] needed to have access to that [Stuxnet] source code to create this malware," Roel Schouwenberg, senior researcher at Kaspersky Lab, told "Therefore, we're convinced this is coming from the same factory which created Stuxnet."

"The only alternative is that the source code has been leaked or stolen, which is an extremely scary scenario."

Millions of dollars were invested in viruses like Stuxnet, which was designed by the United States and Israel, according to The New York Times, to infiltrate and then disrupt Iran's nuclear program. If that cutting-edge, expensive software fell into the wrong hands, and hackers were able to reverse engineer the program, then banks, brokerages, and businesses all over the planet could be vulnerable.

Unfortunately, once a program like Stuxnet or its derivative Flame is released on the Web, it is then "in the wild," meaning that a determined crook -- or other espionage agency -- could get his hands on it and turn it into his own weapon of choice.

Contrast this situation with the days of the Cold War, when a foreign power would have to physically steal a fighter jet, James Bond-style, to uncover an enemy's secret technology. Today, simply releasing a spy program on the Net could mean essentially handing over the blueprints to a country's latest cyberstealth technology.

That possibility is "scary" because of the level of sophistication of this espionage software. For example, Flame can not only record every keystroke on a computer but also grab screen images and turn on a microphone, eavesdropping on conversations in the room or during an online call.

Programs like Flame are also difficult to trace and difficult to detect because they contain multiple self-destruct mechanisms, like a modern-day "Mission Impossible" tape recording. There's also the challenge of determining exactly who created it or what information the program is seeking, because portions of the software are encrypted to such a degree that Kaspersky Lab has been unable to crack them.

"Malware overall is an arms race," noted Michael Sutton, vice president of security research at Zscaler, pointing out that the techniques used by Flame and other programs "will certainly be studied and adapted by other malware authors that may well be involved in cybercrime."

The extreme efforts taken by the software to conceal Gauss' source mean it's difficult to say who's responsible -- cybercrooks or cyberspies -- but this very feature also is a potential silver lining: If security researchers can't crack its encryption, then it's unlikely that any hackers can copy the software. (Kaspersky is now petitioning other researchers to help it crack Gauss.)

There is at least one reason to think that Gauss is the work of government espionage and not crooks looking to skim millions from bank accounts. Most of the infected computers -- but by no means all -- were in the Middle East and most of the targeted banks were in Lebanon. Some of those banks have been accused of laundering money for drug smugglers and terrorists.

Whoever developed the software may have simply been looking for terrorists, following Deep Throat's advice to "Follow the money."

Terrorist networks tend to trade information via SMS and funnel money through online banks. Tracing the flow of money could lead a government to a terrorist's physical location and reveal networks of operatives.

Unfortunately, the malware genie may already be out of the bottle. It's been demonstrated time and again that just about any encryption scheme can be broken -- given the proper amount of effort and computing resources. So it may only be a matter of time until criminals -- or other governments -- have their hands on espionage-grade software.

If they don't already.

Follow John R. Quain on Twitter @jqontech or find more tech coverage at