
Microsoft’s Project Freta: This new free service spots rootkits lurking in cloud VMs | ZDNet


Microsoft has introduced Project Freta, a potential future virtual-machine (VM) forensics service that will enable anyone to automatically ferret out malicious software hiding in memory on cloud computing infrastructure.

But unlike Microsoft’s commercial security services and innovations for Microsoft Defender Advanced Threat Protection (ATP), Project Freta comes from Microsoft Research and for now is classified as a ‘tech demonstration’.

“Project Freta intends to automate and democratize VM forensics to a point where each user and each business can sweep volatile memory for unknown malware with the push of a button — no installation required,” says Mike Walker, a senior director at Microsoft Research’s New, or NExT, Security Ventures team.

Freta is, for the time being, a totally free, cloud-based service that provides “automated full-system volatile memory review of Linux systems” by means of VM snapshots. It involves capturing a memory image of the Hyper-V Linux guest OS. The Freta portal can also ingest snapshots.

Users would log in to the Project Freta portal and submit images of the Linux OSs used in a specific Azure region. The idea is that users can obtain a memory dump from a VM, with the dump taken from the guest stealthily, without modifying file contents or its RAM.

Project Freta’s goals appear lofty but perhaps not out of reach. Can Microsoft ensure that Azure will catch all malware, such as rootkits hiding in volatile memory on hardware in Azure? Walker expects so, and considers that achieving this would make it too costly for malware makers to produce further malware and rootkits for the cloud.

He notes that in the cloud, the hypervisor is the key barrier that an attacker must break through to learn whether they have been caught by a security sensor. If the attacker pierces that barrier, as forensic investigators demonstrated was possible in 2018, the attacker might, for example, self-destruct to prevent discovery.

The project seems to be consistent with the aims of recent innovations in Microsoft Defender ATP targeting kernel rootkits and fileless malware on Windows 10 PCs and servers, but with a focus on forensics in the cloud.

As Walker notes, Project Freta aims to provide what no public cloud currently offers. “While snapshot-based memory forensics is a discipline now in its second decade, no industrial cloud has provided clients the capability to perform full memory audits of thousands of virtual machines (VMs) without intrusive catch mechanics and a priori forensic readiness.”

The project’s analysis portal can currently automatically fingerprint and audit a memory image of “most cloud-based VMs”, with more than 4,000 kernel versions supported. Project Freta could spell trouble if all goes well during the prototype.

Project Freta delivers a report via the portal as well as through its own REST and Python application programming interfaces.

Project Freta currently consists of an analysis engine that ingests “snapshots of whole-system Linux volatile memory and extracts an enumeration of program items”, along with a sensor built for Azure that lets users move a live VM’s volatile memory to an offline environment for analysis without interrupting execution.

“Completed in the winter of 2019, this sensor capacity is currently available to Microsoft investigators and isn’t fielded to any of our commercial clouds — executive briefings and demos are available,” explains Walker.

“This sensor, coupled with the Freta evaluation environment, shows a path to economical, automated memory forensic audits of large enterprises (10,000+ VMs).”
