Project Freta: Microsoft’s new Linux forensic tool to detect malware and rootkits in the cloud


Microsoft new Project Freta free Linux forensic tool to detect malware & rootkits lurking in clouds

Microsoft’s love affair with Linux is going great guns. Today, Microsoft released its new FREE cloud-based forensic tool called Project Freta. Project Freta is a cloud forensics service that will allow anyone to automatically ferret out malicious software hiding in memory in Linux based cloud infrastructure. Project Freta is more of an enterprise threat detection tool that helps Linux system administrators diagnose their cloud VMs for malware and rootkits.

What is Project Freta?

Project Freta is a free cloud-based threat detection tool developed by Microsoft Research subsidiary, NExT Security Ventures (NSV). The project was named Warsaw’s Freta Street, the birthplace of Marie Curie who brought X-Ray machines to the Battlefield during World War I.  Though it is still in the development stage, Project Freta automates the full-system volatile memory inspection of Linux systems. Microsoft hopes to develop Project Freta as full-fledged cloud-based threat detection tool.

Microsoft is offering Project Freta for free to sysadmins to gather threat intelligence by way of VM snapshots. It involves capturing a memory snapshot of the Hyper-V Linux guest OS. However, the Freta portal can also ingest VMware snapshots too.

“Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button – no setup required,” says Mike Walker, a senior director at Microsoft Research’s New, or NExT, Security Ventures team.

Microsoft said that tool may increase the expenses for producers of stealthy malware, they would be locked into an “expensive cycle of complete re-invention, rendering such a cloud an unsuitable place for cyberattacks.”

The project Freta is open for public access, it is capable of “automatically fingerprinting and auditing a memory snapshot of most cloud-based Linux VMs.”

Key Benefits of project Freta

  • Detect malicious software, malware, kernel rootkits, process hiding, and other intrusion artifacts via agentless operation by operating directly on captured VM snapshots
  • Very easy to use: submit a captured image to generate a report of its content
  • Memory inspection means no software to install, no notice to malware to evacuate or destroy data
  • Designed for automating IR-like discovery tasks directly into a cloud fabric — though volatile memory snapshots captured from an acquisition tool can also be used for bare iron scenarios where virtualization is not available

Project Freta currently consists of an analysis engine that consumes “snapshots of whole-system Linux volatile memory and extracts an enumeration of system objects”, and a sensor built for Azure that lets users move a live VM’s virtual memory to an offline environment for analysis without disrupting execution. It supports more than 4,000 kernel versions, with the tool enterprises can check for everything from crypto miners to advanced kernel rootkits.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments