The value of traditional malware is predicated on the mass infection of victim devices. Botnets engaging in spamming, click fraud, and the like directly derive monetary value from each new infection. While costly in aggregate, each individual victim’s loss is attenuated by an attacker’s ability to extract value from such victims at scale. Remote access trojans (RATs) are conversely predicated on the unique value of each individual infection. While most traditional malware infections are automated or controlled at scale, RATs require hands-on operator interaction with each compromised host in exchange for flexible and near-comprehensive control over the victim. The use of off-the-shelf RATs like DarkComet to perpetrate sextortion and cyber-stalking, voyeurism, and, in rare cases, targeted state actor attacks, has received considerable attention in the media and from security vendors. Despite this, RAT usage and impact have not been investigated at scale in the same manner as traditional botnet malware.
Understanding the scale and nature of the criminal usage of RAT malware is critical to devising effective deterrents and mitigating the harm inflicted on its victims; however, measuring the RAT ecosystem presents challenges not inherent to measuring other types of malware infection. The victims of RAT infections are difficult to identify; as a rule, they do not typically participate in large-scale, noisy behaviors like denial-of-service, spamming, or click fraud. Likewise, RAT backdoors are often targeted rather than broadly distributed, making their command-and-control servers harder to discover. And finally, understanding the motivations of RAT operators is comparatively onerous. Whereas most malware either has a specific purpose (e.g., ransomware), or issues commands to an entire botnet at once (e.g., denial-of-service), RAT infections are individually, manually controlled. In this thesis, I address these challenges while investigating the ecosystems of two popular, commodity-grade RATs, hitherto unexplored at scale. Modifying well-established security techniques like honeypotting, Internet-wide scanning, and domain sinkholing, I develop and deploy tools for measuring and understanding the participants in these ecosystems - the attackers, their motivations, the infrastructure they use, and their victims.