Sub7 / Backdoor-G RAT

What Is a RAT?:

RAT is an acronym for Remote Access Trojan. A RAT might have a functional use, but the term is typically used to describe malicious code that is installed without the user's knowledge with the intent of monitoring the computer, logging keystrokes, capturing passwords and otherwise assuming control of the computer from a remote location.

Sub7 and Security Software:

As one of the oldest, most widely used and versatile RATs available, Sub7 (and Backdoor-G) are detected and blocked by virtually all security software, including antivirus and IDS (Intrusion Detection System) products, among others.

To experiment with this program you will need to disable security software. I do not recommend you do this on a computer connected to the live Internet. Testing and experimenting with this product should be done on a computer or network separate from the Internet.


What It Does:

I wrote a brief overview of Sub7 a while back which still gets a significant amount of traffic to this day. You can refer to that article for more details, but essentially there isn't much that Sub7 can't do. It can do just about anything from annoying stuff like making the mouse pointer disappear to malicious stuff like erasing data and stealing passwords. Below are some highlights of the key functions.

Audio / Video Eavesdropping:

Sub7 can be used by an attacker to enable the microphone and / or webcam connected to a computer. As you are sitting at your computer surfing the web or playing a game the attacker may be able to watch or listen to everything you do.

Keystroke Logging and Password Capture:

Sub7 can record every keystroke made on the computer. By analyzing the logged keystrokes an attacker can read anything you may have typed in an email or document or online. They can also find out your usernames and passwords and even the answers you give for the security questions such as "what is your mother's maiden name" if you happen to answer such questions while the keystrokes are being recorded.

Gremlins In The Machine:

Sub7 is full of annoying things an attacker can use just for the sadistic pleasure in it. They can disable the mouse or keyboard or change the display settings. They can turn off the monitor or disable the Internet connection. In reality, with full control and access to the system there is almost nothing they can't do, but these are some examples of the options pre-programmed to choose from.

Resistance Is Futile:

A machine that has been compromised with Sub7 can be used by an attacker as a "robot" to disseminate spam or launch an attack against other machines. It is possible for malicious hackers to scan the Internet in search of machines that have been compromised with Sub7 by looking for certain standard ports to be open. All of these machines create an assimilated network of drones from which hackers can launch attacks anonymously.

Where To Get It:

The original site is no longer live, but Sub7 lives on with new and improved versions being released fairly regularly. For a complete history of the available versions or to download the software you can visit

How To Use It:

I do not in any way advocate using a product such as this in a malicious or illegal way. I do however advocate for security experts and administrators to download it and use it on a separate subnet or network to be familiar with the capabilities and learn how to recognize if such a product were being used against computers on your own network.
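
As an added example (not part of the original article): a defender-side check that parses Windows `netstat -an` output from one of your own machines for the standard-port indicator described under "Resistance Is Futile" above. The port list is an assumption based on commonly documented Sub7 defaults, and the sample output and function names are constructed for illustration.

```python
import re

# Assumption (not from the article): commonly documented Sub7 default TCP ports.
# The port is configurable in the server, so a clean result proves nothing.
SUB7_DEFAULT_PORTS = {1243, 6711, 6712, 6713, 6776, 27374}

# Constructed sample of Windows `netstat -an` output, not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.56.10:139      0.0.0.0:0              LISTENING
  TCP    192.168.56.10:1243     192.168.56.1:50211     ESTABLISHED
  TCP    192.168.56.10:49712    192.168.56.20:27374    ESTABLISHED
  TCP    [::]:6776              [::]:0                 LISTENING
  UDP    0.0.0.0:27374          *:*
"""

# Windows layout only: Proto, Local Address, Foreign Address, State.
TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)

def split_endpoint(endpoint):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def find_sub7_candidates(netstat_text, ports=SUB7_DEFAULT_PORTS):
    """Return (kind, local, remote) for TCP sockets touching a listed port."""
    findings = []
    for line in netstat_text.splitlines():
        match = TCP_LINE.match(line)
        if not match:
            continue  # headers, blank lines and UDP rows are ignored
        local, remote, state = match.groups()
        lport = split_endpoint(local)[1]
        rport = split_endpoint(remote)[1]
        state = state.upper()
        if state == "LISTENING" and lport in ports:
            findings.append(("listener", local, remote))
        elif state == "ESTABLISHED" and lport in ports:
            findings.append(("inbound-session", local, remote))
        elif state == "ESTABLISHED" and rport in ports:
            findings.append(("outbound-session", local, remote))
    return findings

if __name__ == "__main__":
    for kind, local, remote in find_sub7_candidates(SAMPLE_NETSTAT):
        print(f"{kind:17} {local:24} {remote}")
```

Each hit is a lead, not a verdict: an ordinary program can land on one of these ports by chance, so confirm which process owns the socket before drawing conclusions.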