Microsoft Launches Free Linux Forensics and Rootkit Malware Detection Service called Project Freta


Lurker

Recommended Posts

Microsoft has announced a new free-to-use initiative aimed at uncovering forensic evidence of sabotage on Linux systems, including rootkits and intrusive malware that may otherwise go undetected.

The cloud offering, dubbed Project Freta, is a snapshot-based memory forensics service: it performs automated, full-system inspection of the volatile memory captured in a virtual machine (VM) snapshot, looking for malicious software, kernel rootkits, and other stealth techniques such as process hiding.

The project is named after Warsaw's Freta Street, the birthplace of Marie Curie, the Polish-born French physicist and chemist who brought mobile X-ray medical imaging to the battlefield during World War I.

"Modern malware is complex, sophisticated, and designed with non-discoverability as a core tenet," said Mike Walker, Microsoft's senior director of New Security Ventures. "Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button — no setup required."

The objective is to infer the presence of malware from memory alone, gaining the upper hand against threat actors who deploy and reuse stealthy malware on target systems and, more importantly, making evasion infeasible and raising the development cost of undiscoverable cloud malware.

To that end, the "trusted sensing system" is built around four properties that together deny malware the footholds it relies on to survive inspection. No program on the inspected system should be capable of:

    Detecting the presence of a security sensor prior to installing itself
    Residing in an area that's out of view of the sensor
    Detecting the sensor's operation and accordingly erasing or modifying itself to escape detection, and
    Tampering with the sensor's functions to cause sabotage


"When attackers and defenders share a microarchitecture, every detection move a defender makes disturbs the environment in a way that is eventually discoverable by an attacker invested in secrecy," Walker noted. "The only way to discover such attackers is to remove their insight into defense."

Open to anyone with a Microsoft Account (MSA) or Azure Active Directory (AAD) account, Project Freta lets users submit memory images (.vmrs, .lime, .core, or .raw files) via an online portal or an API. It then generates a detailed report broken down into sections (kernel modules, in-memory files, potential rootkits, processes, and more), which can be exported as JSON.

Microsoft said it focused on Linux first because of the need to fingerprint operating systems in the cloud in a platform-agnostic manner, starting from nothing but a scrambled memory image. It also cited the added complexity of the project, given the large number of publicly available Linux kernels.

This initial release version of Project Freta supports over 4,000 Linux kernels, with Windows support in the pipeline.

Microsoft is also working on a sensor capability that migrates the volatile memory of a live VM to an offline environment for further analysis, and on more AI-based decision-making tools for threat detection.

"The goal of this democratization effort is to increase the development cost of undiscoverable cloud malware toward its theoretical maximum," Walker said. "Producers of stealthy malware would then be locked into an expensive cycle of complete re-invention, rendering such a cloud an unsuitable place for cyberattacks."

Project Freta:

https://freta.azurewebsites.net/
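The submission paragraph above lists .lime among the accepted image formats. As an added example (not Project Freta's or Microsoft's code), the following Python parses the container format written by the LiME Linux kernel module and sanity-checks an image before upload. The header layout is the one LiME writes (a 32-byte little-endian header per captured physical RAM range: u32 magic 0x4C694D45, u32 version 1, u64 start, u64 inclusive end, 8 reserved bytes); the two-range sample image is constructed inline rather than captured from a VM, and the function names are my own.

```python
"""Parse and sanity-check a LiME-format memory image before uploading it.

Added example, not Project Freta code. The .lime format is a sequence of
(32-byte header, raw bytes) pairs, one per captured physical RAM range,
as written by the LiME kernel module. The sample image is constructed
in-memory so the script runs offline.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

LIME_MAGIC = 0x4C694D45            # appears as the bytes b"EMiL" in the file
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")  # little-endian, 32 bytes


@dataclass
class MemRange:
    start: int    # first physical address covered by this range
    end: int      # last physical address covered (inclusive, as LiME writes it)
    offset: int   # file offset where this range's data begins

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def parse_lime(data: bytes) -> list[MemRange]:
    """Walk the image header by header, validating each before trusting its length."""
    ranges: list[MemRange] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < HEADER.size:
            raise ValueError(f"truncated header at file offset {pos:#x}")
        magic, version, start, end, _reserved = HEADER.unpack_from(data, pos)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at file offset {pos:#x}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME version {version}")
        if end < start:
            raise ValueError(f"range end {end:#x} precedes start {start:#x}")
        pos += HEADER.size
        size = end - start + 1
        if pos + size > len(data):
            raise ValueError(f"range {start:#x}-{end:#x} runs past end of file")
        ranges.append(MemRange(start, end, pos))
        pos += size
    return ranges


def check_layout(ranges: list[MemRange]) -> list[str]:
    """Ranges should be ascending and disjoint, like 'System RAM' entries in /proc/iomem."""
    problems = []
    for prev, cur in zip(ranges, ranges[1:]):
        if cur.start <= prev.end:
            problems.append(f"range {cur.start:#x}-{cur.end:#x} overlaps or is out of order "
                            f"relative to {prev.start:#x}-{prev.end:#x}")
    return problems


def captured_bytes(ranges: list[MemRange]) -> int:
    """Total RAM actually present in the image (holes between ranges are not counted)."""
    return sum(r.size for r in ranges)


def read_phys(data: bytes, ranges: list[MemRange], paddr: int, length: int) -> bytes:
    """Translate a physical address to file bytes; addresses in a hole are unreadable."""
    for r in ranges:
        if r.start <= paddr <= r.end:
            if paddr + length - 1 > r.end:
                raise ValueError(f"read of {length} bytes at {paddr:#x} crosses range end")
            off = r.offset + (paddr - r.start)
            return data[off:off + length]
    raise ValueError(f"physical address {paddr:#x} was not captured")


def make_range(start: int, payload: bytes) -> bytes:
    """Build one header+data chunk the way LiME writes it (end address is inclusive)."""
    header = HEADER.pack(LIME_MAGIC, LIME_VERSION, start, start + len(payload) - 1, b"\0" * 8)
    return header + payload


def build_sample_image() -> bytes:
    # Constructed sample, not a real capture: two 4 KiB RAM ranges separated by a
    # hole, mimicking the reserved gaps found in a physical memory map.
    low = bytes(range(256)) * 16
    high = bytearray(0x1000)
    high[0x10:0x15] = b"freta"    # marker we will look up by physical address
    return make_range(0x1000, low) + make_range(0x100000, bytes(high))


if __name__ == "__main__":
    image = build_sample_image()
    found = parse_lime(image)
    for r in found:
        print(f"{r.start:#010x}-{r.end:#010x}  {r.size:>8} bytes at file offset {r.offset:#x}")
    print("layout problems:", check_layout(found) or "none")
    print("marker at 0x100010:", read_phys(image, found, 0x100010, 5))
```

Running this against a real capture before submission catches the two failure modes that most often waste an upload: an image truncated mid-range (the dump was interrupted) and a header stream that is not LiME at all (a raw or ELF core dump mislabelled with a .lime extension). Keep in mind that a full memory image contains whatever the VM had in RAM in cleartext, including credentials and keys, so it should be handled and transmitted with the same care as the live system.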
