Demonstration technology carries out offline sweeps of Linux virtual machine snapshots at large scale to help organisations root out in-memory malware
Microsoft has said it is developing technology capable of carrying out malware sweeps across an entire organisation’s virtualised servers to find previously undetectable malware, including malicious code that resides in volatile memory.
The technology, called Project Freta, is still under development, but Microsoft has made it available for free via a portal to which users can upload system snapshots for analysis.
It is named after Warsaw’s Freta Street, the birthplace of Marie Curie, who created portable X-Ray machines for use by battlefield surgeons in the First World War, Microsoft said.
Mike Walker, senior director of new security ventures at Microsoft Research, said Microsoft’s goal is to allow enterprises to carry out “regular, complete discovery sweeps for undetected malware”.
At present, attackers place a high value on making malware that remains undetected, such as by residing and executing entirely in volatile memory.
That’s because once a malware strain is discovered, it can no longer be re-used and “its value plummets”, Walker said in a blog post.
If a scanning tool could be guaranteed to detect every piece of malware present, attackers would have to continuously redesign their malware, making it “no longer economically viable”.
Existing systems carry out interactions with VMs that can alert malware to the fact that it is being scanned, Walker said, prompting evasion tactics.
Project Freta, by contrast, captures a system snapshot and then analyses everything present in it, in theory guaranteeing that no malware can go undetected, even malware residing in volatile memory.
“Project Freta intends to automate and democratise VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button – no setup required,” he wrote.
In order to take this approach Microsoft “needed to accept the huge data footprint imposed by whole-system memory analysis”, Walker said.
But the result is a system that works offline and doesn’t execute a single instruction on the guest VM, in theory making it impossible for malware to evade.
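To make the offline approach concrete, here is a small added illustration of how a captured memory image can be inspected without anything running on the guest. It is not Project Freta code and makes no claim about how Freta's analysis engine works internally; the indicators, the sample image and the function names are constructed for this example. The scanner walks the image in fixed windows with an overlap, so an indicator that straddles a window boundary is still found, and it deduplicates hits that the overlap would otherwise report twice.

```python
"""Offline scan of a captured memory snapshot for known indicators.

Added illustration, not Project Freta code: the snapshot is treated as a
static byte image, so nothing executes on the guest while it is inspected.
The indicators and the sample image below are constructed for this example.
"""
import re
from typing import Dict, List

# Constructed indicators a defender might keep (hypothetical values).
INDICATORS: Dict[str, bytes] = {
    "suspicious_cmdline": b"/dev/shm/.x --daemon",
    "beacon_uri": b"/gate.php?id=",
}

CHUNK = 4096  # scan window size; the overlap below covers boundary-straddling matches


def scan_image(image: bytes,
               indicators: Dict[str, bytes] = INDICATORS,
               chunk: int = CHUNK) -> List[dict]:
    """Return every (indicator, absolute offset) hit in `image`.

    Each window is extended by (longest indicator - 1) bytes so a pattern
    that begins near the end of one window is still seen in full. Short
    patterns inside that overlap can appear in two windows, hence `seen`.
    """
    overlap = max(len(p) for p in indicators.values()) - 1
    hits: List[dict] = []
    seen = set()
    offset = 0
    while offset < len(image):
        window = image[offset: offset + chunk + overlap]
        for name, pat in indicators.items():
            start = 0
            while True:
                i = window.find(pat, start)
                if i == -1:
                    break
                abs_off = offset + i
                if (name, abs_off) not in seen:
                    seen.add((name, abs_off))
                    hits.append({"indicator": name, "offset": abs_off})
                start = i + 1
        offset += chunk
    hits.sort(key=lambda h: h["offset"])
    return hits


def printable_strings(image: bytes, min_len: int = 8) -> List[str]:
    """Extract ASCII runs of at least `min_len` bytes (the classic 'strings' pass)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]


def build_sample_image() -> bytes:
    """Constructed snapshot: zero filler with one indicator placed so that it
    crosses the first window boundary, then a second one further along."""
    filler = b"\x00" * (CHUNK - 10)
    return (filler
            + b"/dev/shm/.x --daemon\x00"
            + b"\x00" * 100
            + b"GET /gate.php?id=1234 HTTP/1.1\x00"
            + b"\x00" * 50)


if __name__ == "__main__":
    # On a real image you would pass open(path, "rb").read() instead.
    for hit in scan_image(build_sample_image()):
        print(f"{hit['indicator']:>20} at offset 0x{hit['offset']:x}")
```

The point the example makes is structural rather than about any particular indicator: the whole analysis is a read-only pass over bytes that were captured earlier, so a payload that checks for a scanner at runtime has nothing to observe. A real engine would, of course, reconstruct kernel structures rather than rely on raw pattern matching.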
A minimum requirement was for Project Freta to be able to audit 100,000 VMs in a limited timeframe, including unusual cases such as high-performance machines with more than 100 gigabytes of RAM, Walker said.
In its current form, the Project Freta portal analysis engine examines snapshots of whole-system Linux volatile memory, with more than 4,000 kernel versions supported. At present, the system only uses Hyper-V checkpoints.
Report data is accessible via the portal or through REST or Python APIs.
“Project Freta’s initial release supports API-driven automated use,” Walker said.
The project’s second component is a sensor built for Azure that allows administrators to capture live VM volatile memory snapshots without disrupting execution.
The sensor is currently only available to Microsoft researchers, but Microsoft said it was providing demonstrations.
Walker said the sensor, along with the Freta analysis environment, paves the way toward “cheap, automated memory forensic audits of large enterprises” with more than 10,000 VMs.
The company said it plans to add support for Windows, extend automated program analysis capabilities and experiment with AI-based decision making for novel threat detection.
The analysis portal is currently open for customers to experiment with, and Microsoft is seeking feedback as it looks to “end the stealthy-malware arms race”.