Microsoft has just launched Project Freta, a free online service aimed at discovering forensic evidence on Linux systems. With this service you will be able to dig up hard-to-find rootkits and malware.
The project is named after the birthplace of Marie Curie, the pioneer of X-ray imaging, which was first introduced during World War I.
Microsoft has taken this initiative to enable small and large enterprises to find hidden malware and kernel rootkits with a single click. All you need to do is upload your Linux VM snapshot file to the project portal and it will return results automatically. There is 'zero' setup required. The project supports over 4000 kernel versions.
The online analysis portal is available for public use on this address: https://freta.azurewebsites.net/
The portal currently accepts several types of memory snapshot as input.
You can:
- Utilize the Hyper-V checkpoint feature to generate a VMRS file
- Convert a VMware snapshot to generate a CORE file
- Extract memory from a running system by leveraging AVML
- Extract memory from a running system using LiME
Once you have uploaded the snapshot to the portal for analysis, it generates a report almost instantly. The report is accessible via the portal as well as through the REST and Python APIs.
The report enumerates the following types of objects from the snapshot image:
- Debug processes
- Global addresses and values
- Kernel modules
- Files residing inside the memory
- Kernel interrupt table
- Network configurations
- Open files
- Kernel syscall table
- Processes
- Open sockets
- Unix sockets
This free service will surely pave the way for open source advanced malware detection systems. Small companies stand to benefit greatly from it, considering the present cost of acquiring the necessary skills and of traditional paid software services.