The internet is, on balance, a very hostile place. More than 70 percent of all email traffic is spam, and a fair portion of that is malware and phishing attempts. One 2012 census counted 1.5 billion browser-based malware attacks. A recent Team Cymru map of globally compromised computers showed nearly all of Italy lit up, with southeastern Europe glowing from the sheer quantity. None of this is particularly dangerous if you take modest measures to protect your computer, but it's a strange state of nature — and an expensive one. Most appraisals put the global cost of malware in the tens of billions. Antivirus solutions mostly protect individual nodes or networks, shifting the attacks around but doing little to combat the core of the issue. Larger companies can keep blacklists and spread best practices, but they’re limited solutions. Every time a botnet gets shut down, a new one springs up to fill the gap, slightly smarter than the one before.
ZeroPoint sits on top of the network, at the carrier level
As a result, many in the malware world are looking for a better line of defense — and increasingly, they're looking to telecom carriers as the answer. This fall, the Canadian SecDev Group took the stage at a Google Ideas conference to unveil their latest answer, a machine learning program known as ZeroPoint. Instead of sitting on your computer or your email server, ZeroPoint sits on top of the whole network, at the DNS or carrier level. (For the trial version, they partnered with Bell Canada.) From that vantage, it sees everything, including undiscovered variants and zero-day exploits that have never been spotted in the wild.
"Things that look like anomalies in a small network suddenly start to become patterns."
The one thing all malware has in common, according to SecDev, is that it has to phone home. And since botnet traffic moves differently from regular computer traffic, Zeropoint can spot compromised computers from watching the flow of packets through the network. "Things that look like anomalies in a small network, when you move up to the carrier level suddenly start to become patterns," says SecDev CEO Rafal Rohozinski. A network like Bell Canada processes a massive amount of packets in a given day, so the system relies on machine learning to narrow it down, whitelisting some traffic, blacklisting other parts, and focusing on the unclassifiable gray area where the more sophisticated malware can be singled out. If you're looking for undiscovered threats, a top-down view of the network turns out to be a powerful tool.
"You have to trust that the box is doing what they say it's doing."
In fact, there’s already concern that the system might be too powerful. That same network-level access is often used to track people across the web, whether it’s the NSA or the open-market surveillance products sold by companies like FinFisher. There’s no guarantee Zeropoint couldn’t be used for the same thing. SecDev says the system only tracks packet movements, but it would be easy for a government agency or an unscrupulous carrier to see what the packets are carrying. "The million-dollar problem here is, you have to trust that the box is doing what they say it's doing," says the ACLU’s Christopher Soghoian. After months of NSA leaks, that trust may be in short supply.
Earning that trust is particularly hard because so much of the research work has to be done by hand. Once the Zeropoint algorithm has separated out obviously good and obviously bad traffic, the team takes the algorithmic recommendations and starts on something that looks more like detective work. SecDev chief operating officer Dave McMahon gave the example of a group of Canadian computers sending simultaneous weekly packets to a central hub in Morocco. Is that a botnet, or just a multinational network? Figuring it out requires patience and time, and machine learning is still ill-suited to the task. As McMahon says, "It's easy to teach a computer to play chess, but it's hard to teach a computer to play poker."
"It's easy to teach a computer to play chess, but it's hard to teach a computer to play poker."
It’s particularly tricky for computers because the botnets can be surprisingly well disguised. The more sophisticated the malware, the harder it is to suss out the traffic pattern, McMahon says, and the more human ingenuity is required. The majority of botnets are used for credit card theft, which usually only has a few days of shelf life before the card company catches up, so they don’t bother covering their tracks. The more complicated networks are the Advanced Persistent Threats, the state-funded actions like Stuxnet that are designed to go undiscovered for years. Zeropoint has seen them most often in Tibetan and Uighurian communities, which are frequently targeted by China and have few resources to protect themselves. The attacks are some of the most sophisticated in the world, relying on unpublished zero-day exploits and often targeting specific systems. Tracking their signals back to home base is often the only way to spot them.
"The US Government is in the malware business."
The next step for ZeroPoint, according to Rohozinski, is pitching to governments. It’s a good pitch: If the US wanted to end malware entirely, the government could easily push for something like ZeroPoint in domestic networks, and telecoms would be unlikely to push back. Those billions of dollars lost to scammers and credit card fraud might disappear, but the privacy problems would only grow more severe. Suddenly, the government would have a direct line to the heart of web traffic. At the same time, it would be easy for a government-led effort to just become one more weapon in an escalating cyberwar. "The US government is in the malware business," Soghoian says, referencing Stuxnet and Flame, two targeted viruses reportedly developed by the US. "Are devices installed by Western governments going to look for Western malware? And if not, how effective is a device that's only going to look for malware from China?"
After widespread NSA cooperation, it would be hard for any telco to be seen as acting independent from the government’s wishes, and no one else has the access to make the program work. The result is a tough technological problem, but an even bigger political one. It takes access to secure a network, and that access comes with a lot of power. As it turns out, the biggest problem with malware may be that we don’t trust anyone enough to fix it.