Microsoft has unveiled a new project, dubbed Project Freta, for the discovery of malicious code in operating system memory snapshots.
The Project Freta is a cloud-based service that allows users to collect forensic evidence of attacks on Linux systems, including the artifacts related to rootkits and other sophisticated malware. The project currently only supports Linux systems, but Microsoft will add in the future the support for investigation on Windows systems.
This initial release of the Project Freta supports over 4,000 Linux kernels.
The name comes from the Warsaw’s Freta Street where Marie Curie was born, she brought X-ray medical imaging to the battlefield.
“While snapshot-based memory forensics is a field now in its second decade, no commercial cloud has yet provided customers the ability to perform full memory audits of thousands of virtual machines (VMs) without intrusive capture mechanisms and a priori forensic readiness.” reads the project description. “Just as yesteryear’s film cameras and today’s smartphones have similar megapixels but vastly different ease of use and availability, Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button—no setup required.”
Project Freta is a snapshot-based memory forensic solution that was designed to automate full-system volatile memory inspection of virtual machine (VM) snapshots.
According to Microsoft, the solution is transparent to the malware that is not able to detect the sensor before starting the infection chain, this means that evasion techniques implemented by the malicious codes are ineffective.
The project analyzes service looks at processes, global values and addresses, in-memory files, debugged processes, kernel components, networks, ARP tables, open files, open sockets, and Unix sockets.
Project Freta is available through a portal that allows users to upload their operating system images for analysis. The platform produces results that can be accessed directly on the portal or through REST and Python APIs.
To that effect, the “trusted sensing system” works by tackling four different aspects that would make systems immune to such attacks in the first place by preventing any program from:
In addition to adding Windows support, Microsoft plans on extending analysis capabilities and implementing AI-based decision-making for detecting new threats.
“Project Freta’s second component for achieving trusted sensing is a sensor built for Azure that allows operators to migrate the volatile memory of live virtual machines to an offline analysis environment without disrupting execution,” concludes the post. “Completed in the winter of 2019, this sensor capability is currently only available to Microsoft researchers and is not fielded to any of our commercial clouds—executive briefings and demos are available. This sensor, coupled with the Freta analysis environment, demonstrates a path to cheap, automated memory forensic audits of large enterprises (10,000+ VMs).”
The documentation for Project Freta is available here.
(SecurityAffairs – Freta project, malware)