Recently, Microsoft Research launched a free service, Project Freta, designed to help users detect rootkits and advanced malware in memory snapshots taken from live Linux systems.
The goal of the Freta project is to automate and democratize virtual machine (VM) forensics so that every user and every enterprise can sweep volatile memory for malware with one click.
“Modern malware is complex, sophisticated, and designed with non-discoverability as a core tenet,” said Mike Walker, Microsoft’s senior director of New Security Ventures. “Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button — no setup required.”
Project Freta’s four properties of trusted sensing:
1. Detect. No program can detect the presence of a sensor prior to installing itself.
2. Hide. No program can reside in an area out of view of the sensor.
3. Burn. No program can detect operation of the sensor and erase or modify itself prior to acquisition.
4. Sabotage. No program can modify the sensor in a way that can prevent the program’s acquisition.
Currently, Project Freta supports more than 4,000 Linux kernels, and support for Windows is under development. The online analysis can be accessed here. The full documentation for Project Freta is available here.