Microsoft’s Project Freta brings cloud-based malware detection to Linux

Last week, Microsoft unveiled Project Freta, a cloud-based malware detection service (via Bleeping Computer). The project aims to detect malware that previously went undetected on Linux cloud VM images. It’s a free service from Microsoft Research that can detect OS and sensor sabotage. Microsoft Research breaks down Project Freta in a recent blog post.

Malware that’s difficult to detect is significantly more valuable than malware that’s been detected before. Microsoft explains that undetected malware won’t appear on attack reporting and can be reused several times. Once a piece of malware is detected, it becomes easier to detect in the future and is therefore less successful, and valuable, to attackers. Microsoft’s Project Freta aims to make it more costly and difficult to make malware that can go undetected.

Project Freta utilizes snapshot-based memory forensics. This means that it can sweep memory for unknown malware by comparing images of virtual machines. These techniques are already used in the tech industry, but Microsoft explains that Project Freta intends to “automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button—no setup required.”

Project Freta uses four properties to sense malware. Here are the properties as outlined by Microsoft:

Detect. No program can:

Detect the presence of a sensor prior to installing itself

Hide. No program can:

Reside in an area out of view of the sensor

Burn. No program can:

Detect operation of the sensor and erase or modify itself prior to acquisition

Sabotage. No program can:

Modify the sensor in a way that can prevent the program’s acquisition

Most forms of malware detection rely on sensors that look for specific threats. Project Freta reverses that approach and looks for things that are missing. It does this by creating snapshots of thousands of Linux cloud virtual machines. To start, Project Freta supports over 4,000 kernel versions.

If implemented successfully, Project Freta will force attackers to re-invent malware to go undetected, which should reduce the number of viable attack methods.

Right now, Project Freta is only available for Linux images but support for Windows is on Microsoft’s roadmap.