In July 2020, Microsoft launched a free forensics and malware detection service by the name “Project Freta”, which seems an invaluable development towards exposing hidden, undetectable security threats. It is another step taken towards dynamic development for preventing cyber attacks due to undetectable strains of malicious software like rootkits, cryptominers, and other malware. It aims to provide an unique offering, which is surprisingly unavailable in any public cloud platform, helping undiscover hidden malware in cloud virtual machines.
If Microsoft’s Project Freta is really capable of hunting advanced, undetectable intruders and rootkits, it can be super beneficial to businesses. Imagine a large organization running hundreds if not thousands of virtual machines in the cloud, and they all are infected with a crypto-mining malware. The malware will run mining operations sourcing cloud resources on the expense of the organization. The organization may get charged anywhere between thousands to tens of thousands of dollars per month due to the malware. Now imagine Project Freta coming into this picture with its handy features: it detects the hidden malware and saves tens of thousands of dollars in expenditure of the organization.
What is Project Freta?
Project Freta, a futuristic virtual-machine forensics service, is a free cloud-based service for finding undetectable malware residing on cloud infrastructure. Unlike its commercial sister product, Microsoft Defender Advanced Threat Protection (ATP), Project Freta is a demonstration-only project from the New Security Ventures (NSV) team at Microsoft Research — at least for now.
According to its launch announcement by Microsoft Research, “Project Freta is a roadmap toward trusted sensing for the cloud that can allow enterprises to engage in regular, complete discovery sweeps for undetected malware. Just as yesteryear’s film cameras and today’s smartphones have similar megapixels but vastly different ease of use and availability, Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button—no setup required.”
Key Benefits of Project Freta
Mike Walker, Senior Director at Microsoft Research, compared Project Freta to the sunlight. The field of computer security is understood as a field of barriers and walls; for example, firewalls protect digital systems from outside threats. But when cybercriminals build malware that stay undetected, they can reuse them in numerous cyberattacks, powering the economics of reuse. On the other hand, if the malware is detected, its value plummets to the ground. With that being said, Project Freta had been compared to sunlight: as sunlight removes darkness and disinfects everything, Project Freta sheds light on undetectable malware.
Project Freta aims to increase the cost of developing undetectable malware to its potential maximum limit. With Project Freta, Microsoft plans to provide a secure cloud platform that guarantees detecting all malware — no matter how complex or costly is the malware. Then, cybercriminals creating and spreading stealthy malware will be forced into an expensive development cycle of reinventing the malware everytime it gets detected, making it unviable for them to host their malware on such a cloud platform — Microsoft Azure. With that said, Project Freta is developed to support more than 4,000 Linux kernels in the prototype release, thus providing an exciting security option to the cloud consumers.
Before discussing its key benefits, let’s understand an example: Abraham Wald proposed during World War II that armor must be solidified in areas of zero bullet holes instead of areas showing bullet holes. The reason being the dataset had survivor bias: bullet holes were only counted in airplanes coming home. So potentially, the bullets hitting at no-bullet-hole areas damaged the airplanes and they did not come back home. Similarly, computer security systems suffer from a similar survivor bias. When cybercriminals analyze our security systems and design malware to evade them, they potentially get successful at attacking our systems, and we do not detect these cyberattacks ever, unfortunately.
That is why Project Freta was built from the ground up with survivor bias. It employs features to control four properties of trusted sensing: detect, hide, burn, and sabotage used by malicious programs. It helps to maximize the benefits of Project Freta, making systems immune to undetectable malware attacks since no malicious program can detect the presence of the security sensor before its installation, hide from the sight of the sensor, burn itself, or become undiscoverable, unlike the classical security systems. Project Freta aims to tackle these four properties of undetectable malware, and so, it guarantees spotting and stopping even the stealthiest of malware on cloud platforms.
Project Freta is freely available through a portal that allows users to upload their virtual machine images for analysis. You need to perform a simple authentication with a Microsoft Account (MSA) or an Azure Active Directory (AAD) account to get started. After a snapshot is uploaded, Project Freta analyzes the image and shows results directly on the portal itself. The report is summarised and consists of image information, debugged processes, kernel modules, kernel interrupted tables, potential malicious software present in the image, and unix sockets.