Microsoft Project Freta Looks To Eradicate Undetected Malware

Microsoft has said it is developing technology capable of carrying out malware sweeps across an entire organisation’s virtualised servers to find previously undetectable malware, including malicious code that resides in volatile memory.

The technology, called Project Freta, is still under development, but Microsoft has made it available for free via a portal to which users can upload system snapshots for analysis.

It is named after Warsaw’s Freta Street, the birthplace of Marie Curie, who created portable X-Ray machines for use by battlefield surgeons in the First World War, Microsoft said.

Mike Walker, senior director of new security ventures at Microsoft Research, said Microsoft’s goal is to allow enterprises to carry out “regular, complete discovery sweeps for undetected malware”.

Sensor evasion

At present, attackers place a high value on making malware that remains undetected, such as by residing and executing entirely in volatile memory.

That’s because once a malware strain is discovered, it can no longer be re-used and “its value plummets”, Walker said in a blog post.

If a scanning tool could be guaranteed to detect every piece of malware present, attackers would have to continuously redesign their malware, making it “no longer economically viable”.

Existing systems carry out interactions with VMs that can alert malware to the fact that it is being scanned, Walker said, prompting evasion tactics.

Project Freta, by contrast, captures a system snapshot and then analyses everything present in it, in theory guaranteeing that no malware can go undetected, even malware residing in volatile memory.

The system can search for “everything from cryptominers to advanced kernel rootkits”, Walker said.

‘No setup’

“Project Freta intends to automate and democratise VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button – no setup required,” he wrote.

In order to take this approach Microsoft “needed to accept the huge data footprint imposed by whole-system memory analysis”, Walker said.

But the result is a system that works offline and doesn’t execute a single instruction on the guest VM, in theory making it impossible for malware to evade detection.

A minimum requirement was for Project Freta to be able to audit 100,000 VMs in a limited timeframe, including unusual cases such as high-performance machines with more than 100 gigabytes of RAM, Walker said.

In its current form, the Project Freta portal analysis engine examines snapshots of whole-system Linux volatile memory, with more than 4,000 kernel versions supported. At present, the system only uses Hyper-V checkpoints.

Report data is accessible via the portal or through REST or Python APIs.


“Project Freta’s initial release supports API-driven automated use,” Walker said.

The project’s second component is a sensor built for Azure that allows administrators to capture live VM volatile memory snapshots without disrupting execution.

The sensor is currently only available to Microsoft researchers, but Microsoft said it was providing demonstrations.

Walker said the sensor, along with the Freta analysis environment, paves the way toward “cheap, automated memory forensic audits of large enterprises” with more than 10,000 VMs.

The company said it plans to add support for Windows, extend automated program analysis capabilities and experiment with AI-based decision making for novel threat detection.

The analysis portal is currently open for customers to experiment with, and Microsoft is seeking feedback as it looks to “end the stealthy-malware arms race”.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
