A RAT in the Registry: The Case for Martus on Tails

By Benetech, posted on

On June 15, 2012, an email was sent to more than 80 unique email addresses, targeting people in the Tibetan human rights community. The subject line read: “FW: the new decision of EUROPEAN PARLIAMENT about tibetan human right in China,” and preceded a short message, which is presented here exactly as it appeared in the original email:

Here is the new decision of EUROPEAN PARLIAMENT about tibetan human right in China, and it is so usefull for us to strive for independent nation. Please forward it to tibetan.

The Word document attached with this message contained malware known as the PlugX remote access trojan (RAT). Once a user opened the attachment, the trojan went to work, installing several backdoors with extraordinary control over the target’s machine. The remote attacker then practically had unfettered access to the infected computer, with the ability to: copy, move, rename and delete files; log keystrokes; monitor network connections; lock, log off or restart the system; view and terminate all processes; view, create, modify and delete registry keys; capture screenshots; capture video from the webcam; and connect to a remote server for data harvesting.

In Internet parlance: once you open the infected .doc file, you’re completely pwned.

These attacks are not new. At Benetech’s Human Rights Program, we have long been aware that our partners are targets of surveillance, information theft and compromise. The Citizen Lab—an interdisciplinary laboratory at the University of Toronto that is at the forefront of research of targeted malware attacks—has been documenting and analyzing incidents targeting communities in Syria, China, Ethiopia and a myriad of other countries.

When we first released Martus in 2003, we designed it to address some very specific problems: office raids and robberies that could expose sensitive human rights-related data to an attacker, putting individuals at physical risk; the lack of preservation capabilities for important human rights data; and ease for an attacker to intercept the unencrypted information during transfer.

Since then, in part as a result of the adoption of technology, the landscape for human rights organizations has changed. Human rights groups face increasingly sophisticated attackers with the ability to exploit their growing digital surface. We believe Martus remains sufficient armor for the attacks it was designed to protect against, yet it is clear that rights groups today may need to do more to protect their valuable information.

For example, when a group documenting human rights abuses against the Tibetan community came to us last year with interest in Martus, they brought with them a deep mistrust of their own hard drives. Together we decided to use an implementation method that emphasized security at all stages and selected Tails (The Amnesic Incognito Live System) to be the default environment for their use of Martus.

What is Tails and why does it allow for secure implementation of Martus using just about any computer, even in the face of targeted malware attacks?

Tails is a locked-down portable operating system designed to couple extreme privacy protections with ease-of-use. It is a Debian Linux-based operating system that you can start on a computer from a DVD, USB stick or SD card independently of the computer’s original operating system, thus bypassing the (potentially infected) internal hard drive. Tails’ file system is read-only, so the files it relies upon cannot be altered; it routes all network traffic through the Tor network; it removes all traces of itself on shutdown; and deletes anything saved outside of an encrypted directory. It’s also open source and free software—two absolutely necessary characteristics in security software.

Tails’ file system and network protections provide accessible and comprehensive digital defense for individuals and groups who face a dedicated, resourceful attacker.

After some tinkering and lots of planning, last November I traveled to Dharamshala to train the Tibetan group on Tails and Martus. After three long days and plenty of delicious momos, the group was using several working Tails USBs for documentation of human rights violations in Martus.

As far as we know, this is the first group to use the Martus-on-Tails model, but it is likely not the last. As firms like Gamma and Hacking Team continue to sell sophisticated, easy to use point-and-click surveillance software to national law enforcement agencies, attackers no longer need to have a high technical capacity to infiltrate your computer. These days, targeted malware is accessible to anyone who can pay for it.

The Martus-on-Tails model is an exciting new venture into human rights defenders’ protection. We look forward to exploring other models and developing this one into a more mature standard.

To learn more about the Citizen Lab’s research on malware targeting human rights groups, visit https://citizenlab.org/.

We recommend you read Tails’ valuable list of warnings before adopting it. This list is available at https://tails.boum.org/doc/about/warning/.


Correction: A previous version of this blog post misidentified Blue Coat as a vendor of point-and-click surveillance software. Blue Coat sells hardware used to monitor, filter, and censor the internet, not software used for endpoint compromise. For more information on Blue Coat and contexts in which its hardware has been used, see Reporters Without Borders’ profile.