Don’t fret, try Freta
Microsoft Research has launched a free service designed to detect the presence of rootkits and advanced malware in the memory snapshots of live Linux systems.
Project Freta’s ambitious goals aim to automate and democratize virtual machine (VM) forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware on request, at the push of a button.
Such a service, if reliable, would improve over time at detecting the tell-tale signs of sabotage, therefore making it progressively more difficult (and expensive) for miscreants to develop malware crafty enough to escape detection. All this leads to bright, sunlit uplands – according to Microsoft.
A blog post from Microsoft Research expands on these goals: “What would happen if a commercial cloud could guarantee the capture of malware, no matter how expensive or exotic, in volatile memory?
“Producers of stealthy malware would then be locked into an expensive cycle of complete re-invention, rendering such a cloud an unsuitable place for cyber-attacks.”
Full memory audit
This new project would represent a big step up from currently available cloud-based technology.
“No commercial cloud has yet provided customers the ability to perform full memory audits of thousands of virtual machines (VMs) without intrusive capture mechanisms and a priori forensic readiness,” Mike Walker, senior director of New Security Ventures at Microsoft explains.
The prototype technology, accessible through the Project Freta portal, allows sysadmins or other security professionals to explore sample memory snapshots or upload their own.
Project Freta already supports over 4,000 Linux kernels. Windows support is on the roadmap.
Early reaction to the project has been largely positive.
For example, software engineer Josh Avraham said on Twitter: “Just started playing with Freta and the demo images. This is SERIOUSLY cool and powerful. I see that you report UNIX sockets, is there any interest in reporting other types of IPC like Netlink or shared memory?”
What’s in a name?
The project’s namesake, Warsaw’s Freta Street, was the birthplace of Marie Curie, described by Microsoft Research as a “pioneer of battlefield imaging”.
That may be, but Curie is, of course, better known as the first person to win the Noble prize twice (in physics and chemistry) for her pioneering work into radioactivity.
READ MORE Microsoft extends protective shield of Defender to Linux and Android devices