In early 2017 I started a personal research project on Remote Access Trojans (RATs). The goal of the research is to discover possible trends, similarities and other hidden aspects among RATs observed during the last 30 years.
For this purpose I divided the research into several stages. The goal of the first stage is to create a timeline of RATs with all the families that existed in the last 30 years. To achieve this goal, I am following an iterative methodology:
- For every RAT, collect all meaningful blogs and reports about it.
- Document the resources found.
- Find the first mention of the RAT and determine a possible year of appearance.
- Check the resources for other possible RAT names.
Because there is a huge lack of formal research in this area, I decided to create small iterations of my timeline and make them public in order to receive early feedback from peers. In this way, I could get assistance, suggestions and corrections in the early stage of my research, which will improve the chances of success for the next stages of the research.
A Study of RATs: First Timeline Iteration
The first timeline iteration was made public on Jan 22, 2017. This initial version covered 19 years and 85 RATs.
Some comments on this version of the timeline:
- At this stage of the research I was working on the belief that the total number of RATs 'out there' was around 300 families (wrong assumption).
- I struggled to find a proper tool to create timelines that are visually nice. I put too much focus on the aesthetics.
- The amount of information, font and size did not work well, making the information very hard to read. The usefulness of the chart was reduced considerably because of this.
- The names of RATs are not cleanly organised in columns. It can be seen that there are several RATs per row in some cases, making it hard to visually compare amounts.
Overall, the release of the timeline was a good choice. I received a huge amount of feedback that let me improve the technique, content and methodology of my work.
A Study of RATs: Second Timeline Iteration
The second timeline iteration was made public on 24 Sep 2017. This version covered 29 years and 152 RATs.
In this version I was already aware that the total population of RATs goes above 4000. For this reason, I chose to focus on 'well known' RATs. Considering this reduction of scope, the chart should represent roughly 50% of the 'well known' RATs population.
The design was also improved considerably: cleaner typefaces made it easier to read; one RAT per line gave the chart more meaning and significance; and I chose one name for every RAT, totally ignoring aliases that were polluting the chart.
For this iteration I received more concrete feedback, mostly on families of RATs that were missing. There were also discussions on the unused space between 1989 and 1998, and on whether the grey bar was appropriate or not.
I am currently working on the third iteration, which will contain 240+ RATs. I would like to reach 300 well known RATs and move on to the next phase.