Microsoft launches Project Freta to detect malware in Linux kernels
Microsoft has revealed a new anti-malware service by the name of Project Freta. The company describes it as a "free service from Microsoft Research for detecting evidence of OS and sensor sabotage, such as rootkits and advanced malware, in memory snapshots of live Linux systems".
Project Freta is cloud-based, and the memory forensics tool was created by the NExT Security Ventures (NSV) team in Microsoft Research.
The tool works by capturing an image of the operating system running in a virtual machine, which can then be uploaded to the cloud for analysis. At the moment, four memory image formats are supported: Hyper-V Memory Snapshot (.vmrs files), LiME image (.lime files), ELF Core Dump of Physical Memory (.core files) and Raw Physical Memory Dump (.raw files). With no need for configuration, Project Freta allows users to sweep volatile memory for unknown malware with the push of a button.
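Before uploading a snapshot, an analyst usually wants to confirm it really is one of the formats listed above. The following Python sniffer is an added example, not code from Microsoft or Project Freta: it recognises LiME images by their 32-byte header (magic 0x4C694D45, which appears on disk as `EMiL`) and ELF core dumps by the ELF magic plus an `e_type` of `ET_CORE`, and it also walks a LiME image to list the physical ranges it contains. The layouts used for LiME and ELF come from the public format definitions; the Hyper-V .vmrs format is not parsed here and is recognised by file extension only, which is an assumption of this example. The sample images are constructed inline.

```python
import struct
from pathlib import Path

# LiME range header: magic, version (u32 each), start/end physical address (u64), 8 reserved bytes
LIME_MAGIC = 0x4C694D45                  # stored little-endian, so the file begins with b"EMiL"
LIME_HEADER = struct.Struct("<IIQQ8s")   # 32 bytes
ELF_MAGIC = b"\x7fELF"
ET_CORE = 4                              # e_type value for a core dump


def identify_snapshot(data: bytes, name: str = "") -> str:
    """Classify a memory image as 'lime', 'elf-core', 'vmrs', 'raw' or 'unknown'."""
    if len(data) >= LIME_HEADER.size:
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(data)
        if magic == LIME_MAGIC and version == 1 and e_addr >= s_addr:
            return "lime"
    if data[:4] == ELF_MAGIC and len(data) >= 18:
        endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big endian
        (e_type,) = struct.unpack_from(endian + "H", data, 16)
        if e_type == ET_CORE:
            return "elf-core"
    # No header-based check for the remaining formats: fall back to the extension.
    ext = Path(name).suffix.lower()
    if ext == ".vmrs":
        return "vmrs"    # assumption: Hyper-V checkpoint format is not parsed in this example
    if ext == ".raw":
        return "raw"     # raw dumps carry no header at all
    return "unknown"


def lime_ranges(data: bytes):
    """Walk a LiME image and return [(start, end, data_offset), ...] for each physical range."""
    ranges = []
    off = 0
    while off + LIME_HEADER.size <= len(data):
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad LiME header at offset {off:#x}")
        off += LIME_HEADER.size
        ranges.append((s_addr, e_addr, off))
        off += e_addr - s_addr + 1   # e_addr is the inclusive end of the range
    return ranges


# Constructed sample images (not real captures): one LiME range of 4 KiB starting at 0x1000,
# and the first 64 bytes of a little-endian 64-bit ELF core dump header.
SAMPLE_LIME = LIME_HEADER.pack(LIME_MAGIC, 1, 0x1000, 0x1FFF, b"\x00" * 8) + b"\x00" * 0x1000
SAMPLE_ELF_CORE = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9        # e_ident: 64-bit, little-endian, version 1
    + struct.pack("<H", ET_CORE) + b"\x00" * 46      # e_type at offset 16, rest of header zeroed
)

if __name__ == "__main__":
    for blob, fname in ((SAMPLE_LIME, "mem.lime"), (SAMPLE_ELF_CORE, "mem.core"),
                        (b"\x00" * 64, "mem.raw"), (b"\x00" * 64, "mem.vmrs")):
        print(f"{fname}: {identify_snapshot(blob, fname)}")
    print("LiME ranges:", [(hex(s), hex(e), off) for s, e, off in lime_ranges(SAMPLE_LIME)])
```

A mismatch between the extension and the header (a file named .lime whose bytes do not start with the LiME magic, for example) is a reason to stop and re-check the capture before spending an upload on it.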
Writing about the project, Mike Walker, senior director of new security ventures at Microsoft, says:
As a technology demonstration, Project Freta is opening public access to an analysis portal capable of automatically fingerprinting and auditing a memory snapshot of most cloud-based Linux VMs; over 4,000 kernel versions are supported automatically. Hyper-V checkpoint files captured from a modern enterprise can be searched for everything from cryptominers to advanced kernel rootkits. This prototype previews an exciting future option for cloud consumers: transitioning from boutique forensic consulting services to automated malware discovery built into the bedrock of a commercial cloud.
Project Freta has been two years in the making, and the different approach it takes to malware detection means that it is far more likely to detect malicious code. Thanks to the way the tool works, malware is not alerted to the fact that any form of scan is taking place, and it is therefore unable to hide. Microsoft explains:
The Project Freta analysis engine consumes snapshots of whole-system Linux volatile memory and extracts an enumeration of system objects. Some kernel hooking identification is performed automatically; this can be used by analysts to detect novel rootkits.