Free Microsoft Service Uses OS Memory Snapshots to Find Rootkits and Malware


Microsoft unveiled Project Freta on Monday, a free service that lets users find rootkits and other advanced malware in snapshots of operating system memory.

Freta is the name of a street in Warsaw, Poland, the birthplace of the renowned scientist Marie Curie. The project's name alludes to Curie's invention of a mobile x-ray unit that could be carried onto a battlefield.

Project Freta is a cloud-based service that currently supports only Linux systems; Microsoft plans to add support for Windows.

Project Freta aims to give organizations an agentless way to run automated forensic analysis across thousands of virtual machines, searching for malware (from cryptocurrency miners to rootkits) by examining a captured image of each machine's volatile memory.

The service relies on sensors designed to detect malware without tipping off the malicious software. According to Microsoft, the technology is built so that malware cannot detect the presence of the sensor before installing itself, cannot hide anywhere the sensor would not see it, cannot detect the sensor operating and respond by removing or modifying itself, and cannot alter the sensor to avoid detection.

The analysis covers processes, global values and addresses, in-memory files, debugged processes, kernel components, networks, ARP tables, open files, open sockets, and Unix sockets.
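The reason a snapshot captured from outside the guest can expose a rootkit is that a kernel-level rootkit hides by filtering what in-guest tools report (process listings, socket tables), but it cannot remove its own structures from the memory the hypervisor captures. The following added example, which is not Project Freta's code and assumes nothing about Freta's output format, shows that cross-view check in miniature: it compares a constructed in-guest process/socket listing against a constructed listing recovered from a memory image and reports anything present in memory but absent from the guest's own view. Objects seen only in the guest view are reported separately, since a process that started after the snapshot was taken is a timing artifact rather than evidence of hiding.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


@dataclass(frozen=True)
class Sock:
    proto: str
    laddr: str
    lport: int
    pid: int


# Constructed listings in a simple 'kind|fields' format (not a real tool's output).
# What the guest's own tools report (as filtered by a hypothetical rootkit):
IN_GUEST_LISTING = """
proc|1|systemd
proc|412|sshd
proc|987|nginx
sock|tcp|0.0.0.0|22|412
sock|tcp|0.0.0.0|80|987
"""

# What was recovered by walking kernel structures in the memory image:
MEMORY_LISTING = """
proc|1|systemd
proc|412|sshd
proc|987|nginx
proc|1337|kworker/u:0
sock|tcp|0.0.0.0|22|412
sock|tcp|0.0.0.0|80|987
sock|tcp|0.0.0.0|4444|1337
"""


def parse_listing(text):
    """Parse 'kind|fields' lines into a set of Proc and a set of Sock."""
    procs, socks = set(), set()
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, *fields = line.split("|")
        if kind == "proc":
            procs.add(Proc(int(fields[0]), fields[1]))
        elif kind == "sock":
            socks.add(Sock(fields[0], fields[1], int(fields[2]), int(fields[3])))
        else:
            raise ValueError(f"unknown record kind: {kind!r}")
    return procs, socks


def cross_view_diff(in_guest, from_memory):
    """Compare the guest's self-reported view with the out-of-band memory view.

    hidden_*    : present in memory but not reported by the guest (suspicious)
    transient_* : reported by the guest but absent from memory (timing skew,
                  e.g. a process started after the snapshot; benign on its own)
    """
    g_procs, g_socks = parse_listing(in_guest)
    m_procs, m_socks = parse_listing(from_memory)
    return {
        "hidden_procs": sorted(m_procs - g_procs, key=lambda p: p.pid),
        "hidden_socks": sorted(m_socks - g_socks, key=lambda s: (s.pid, s.lport)),
        "transient_procs": sorted(g_procs - m_procs, key=lambda p: p.pid),
        "transient_socks": sorted(g_socks - m_socks, key=lambda s: (s.pid, s.lport)),
    }


if __name__ == "__main__":
    report = cross_view_diff(IN_GUEST_LISTING, MEMORY_LISTING)
    for key, items in report.items():
        print(f"{key}: {len(items)}")
        for item in items:
            print(f"  {item}")
```

The listings are deliberately tiny so the logic is visible; in practice the guest and memory views are taken as close together in time as possible, and only the `hidden_*` sets are treated as findings.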

At present, Project Freta is offered as a platform to which users upload memory images of their operating systems for analysis. Results can be retrieved directly in the portal or through REST and Python APIs.


“As a technology demonstration, Project Freta is opening up public access to an analytics portal that can automatically fingerprint and audit a memory snapshot of most cloud-based Linux VMs; more than 4,000 kernel versions are automatically supported,” Mike Walker, senior director of Microsoft’s New Security Ventures, said in a blog post.

In addition to adding Windows support, Microsoft plans to expand the service's analytical capabilities and introduce AI-based decision-making to identify new threats.

“The second aspect of the Freta Project to achieve trusted sensing is a sensor designed for Azure that allows operators to move the volatile memory of live virtual machines to an offline analytical environment without interrupting execution,” Walker said. “This sensor capability, completed in the winter of 2019, is currently only available to Microsoft researchers and is not targeted at any of our commercial clouds — executive briefings and demos are available. This sensor, coupled with the Freta analytics climate, shows a path to cheap, automated forensic memory audits of large companies (10,000+ VMs).”

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.