Gather around, children. Put down your Rust-compiled eBPF probes, your Sigma rules, your billion-dollar EDR consoles. Sit on this pile of old floppy disks and let me tell you a story. A story of a time when a 56k modem was a weapon of mass destruction, when your entire operational infrastructure was a Windows 98 machine with a sticky residue on the keyboard, and when the most sophisticated command-and-control channel available to you was a chat room full of teenagers arguing about Linkin Park.
In my day, we hacked with character.
The golden age of the RAT
It all started, more or less, in 1998, when a group called Cult of the Dead Cow released something called Back Orifice at DEF CON. The name was a deliberate pun on Microsoft BackOffice, juvenile, precise, and entirely on brand for a group that understood that naming things well was half the battle. It was a Remote Administration Tool that let you control a Windows 95/98 machine remotely: browse files, capture screens, log keystrokes, redirect ports. It ran silently. It required no particular expertise to deploy. And it weighed less than 100KB.
The security establishment predictably lost its mind. Microsoft called it malware. Cult of the Dead Cow called it a demonstration of Windows security failures. Both were right.
Then came Back Orifice 2000, or BO2K, presented at DEF CON in July 1999, released as open source, extensible through plugins, and capable of encrypted communications. At the time, it was more feature-rich than most legitimate remote administration tools on the market.
That same year, NetBus was already circulating. Created in 1998 by a Swedish programmer named Carl-Fredrik Neikter, it shared Back Orifice’s basic premise, silent remote control of Windows machines, but came with a GUI clean enough to feel almost respectable. NetBus became notorious partly because it was used to plant child pornography on a law professor’s computer in Sweden, a case that dragged the tool into actual criminal courts and forced everyone involved to get considerably more serious about what “remote administration” implied. The professor was acquitted. The episode was a preview of legal and ethical discussions that would take another decade to mature into anything resembling policy.
But neither Back Orifice nor NetBus was the most widely deployed RAT of that era. That distinction belongs to Sub7, or SubSeven, written in Delphi by a Romanian teenager who went by the name mobman and first released in February 1999. By 2000 it was everywhere. It had a polished GUI. It had an address book to track which victims were currently online. It had a server editor to customise the payload before deployment, borrowing the idea directly from BO2K. It even supported notification via ICQ when a victim came online, which was unusually polished for malware. The exact origin of the name “Sub7” has never been definitively confirmed by mobman, and the various explanations that circulated on forums were mostly folk etymology. What mattered was that it worked, it was free, and it was trivial to configure.
The Swiss Army knives of the basement operator
RATs were the glamorous end of the toolkit. Below them sat a layer of tools that were genuinely useful, sometimes elegant, and in many cases still in active use today—a testament to how slowly the core infrastructure of the internet has evolved.