Tutorial RATs
RATs #1
**DISCLAIMER** For all the kiddos out there, this explanation goes over what an HTTP RAT is. There are different types. But this goes over one of them.

A lot of people are confused about RATs and how they work. This is not a coding tutorial. This is a thread to explain the Remote Administrator Tool (RAT).
The main principle of the RAT is this: There's an application running on the target's computer. That application is waiting for data from a server, and you write that data using your client. Most people think writing a server is hard, but it's really not. Your client is writing data to a "webpage" hosted by a server. The app on the target's computer is constantly downloading data from this "webpage" using 

Code:
string command = Webclient.DownloadString(webpage address here);

The command received from the server is stored in the variable "command".

Then, in a while statement, the app running on the infected computer is checking for a valid command.

Or, if you want to send them a message, you can just split the command string value like so:

Code:
string[] data; // You create an array of strings so you can store the strings before and after the chosen sign.
command = command.TrimStart();
command = command.TrimEnd();
// Now you can check for the command:
if (command.StartsWith("show")) {
    data = command.Split('^'); // now data[0] = what's before the ^ sign and data[1] = what's after the ^ sign
    MessageBox.Show(data[1]);
}

So, if I give the command "show^Hello!", the infected computer will display "Hello!".
(This post was last modified: 03-13-2017, 05:31 PM by zenith.)
Who Knows?
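
A defender's view of the polling described in the post above, as an added example that is not part of the original thread: a client that keeps re-fetching one URL at a near-fixed interval stands out in proxy logs. The log format, host names, and thresholds below are constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines: "<epoch seconds> <client ip> <method> <url>".
SAMPLE_LOG = """\
1489400000 10.0.0.5 GET http://panel.example/cmd.txt
1489400003 10.0.0.7 GET http://news.example/index.html
1489400010 10.0.0.5 GET http://panel.example/cmd.txt
1489400015 10.0.0.7 GET http://news.example/index.html
1489400020 10.0.0.5 GET http://panel.example/cmd.txt
1489400030 10.0.0.5 GET http://panel.example/cmd.txt
1489400041 10.0.0.5 GET http://panel.example/cmd.txt
1489400050 10.0.0.5 GET http://panel.example/cmd.txt
1489400060 10.0.0.5 GET http://panel.example/cmd.txt
1489400095 10.0.0.7 GET http://news.example/index.html
1489400100 10.0.0.7 GET http://news.example/index.html
1489400230 10.0.0.7 GET http://news.example/index.html
1489400231 10.0.0.7 GET http://news.example/index.html
"""

def find_polling(log_text, min_requests=6, max_cv=0.1):
    """Return (client, url, mean_gap_seconds) for near-fixed-interval repeat GETs."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines
        ts, client, method, url = parts
        if method == "GET":
            times[(client, url)].append(int(ts))
    hits = []
    for (client, url), stamps in sorted(times.items()):
        if len(stamps) < min_requests:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: low value means machine-like regularity.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((client, url, avg))
    return hits

if __name__ == "__main__":
    for client, url, gap in find_polling(SAMPLE_LOG):
        print(f"{client} polls {url} about every {gap}s")
```

Both clients make at least six requests to one URL, but only the one with regular gaps is reported; request count alone does not separate polling from a person refreshing a page.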


RE: RATs #2
Interesting for people that don't know anything about RATs and how they work. Nice thread, keep it up.

There's a redundant "[/quote]", just thought I'd mention that real quick. Thank you for sharing!
~~ Might be back? ~~


RE: RATs #3
awesome explanation, peace


RE: RATs #4
Nice explanation, however I think this is known as an HTTP RAT if it's using a web page? Also if someone decompiles your malware they can find the URL pretty easily. I am still a fan of standard RATs which aren't reliant on a web server, also for the fact I dislike PHP. Correct me if I'm wrong. But my RAT I am working on doesn't require any web pages, only the client and the server (done in C#).
(This post was last modified: 03-09-2017, 11:51 AM by Mafia.)


RE: RATs #5
OP, there will be some idiots who don't know what type of RAT you're talking about. Please specify, or write more tutorials for HTTP RATs, Java RATs, etc.


RE: RATs #6
(03-09-2017, 11:51 AM)Mafia Wrote: Nice explanation, however I think this is known as an HTTP RAT if it's using a web page? Also if someone decompiles your malware they can find the URL pretty easily. I am still a fan of standard RATs which aren't reliant on a web server, also for the fact I dislike PHP. Correct me if I'm wrong. But my RAT I am working on doesn't require any web pages, only the client and the server (done in C#).

They can, but most people are retarded.
'You can't just have your characters announce how they feel, that makes me feel angry!'


RE: RATs #7
(03-14-2017, 06:13 AM)Aeolian Wrote:
(03-09-2017, 11:51 AM)Mafia Wrote: Nice explanation, however I think this is known as an HTTP RAT if it's using a web page? Also if someone decompiles your malware they can find the URL pretty easily. I am still a fan of standard RATs which aren't reliant on a web server, also for the fact I dislike PHP. Correct me if I'm wrong. But my RAT I am working on doesn't require any web pages, only the client and the server (done in C#).

They can, but most people are retarded.

Trade-off to that though is that it's extremely easy to find out who made the RAT.

I remember one kid spreading his RAT like wildfire. Someone wiresharked it (I think this is what I've heard) and found his IP. Called the kid's ISP and got him kicked off it.

Fun day.
Who Knows?


RE: RATs #8
Hey thanks for the interesting post, any more about this to come?


RE: RATs #9
Most server HTTP addresses are found in every trojan easily, apart from things like Zeus that encrypt the config. But even then an HTTP proxy or any number of tools can fetch them. It's having hosting and good secure code that makes it work.
Great post!