The Early Bot Catches the Worm > TFN, Trinoo, and Stacheldraht - Pg. 147

Big Bad Botnets · Chapter 4 147

SubSeven

Schiller & Binkley consider that version 2.1 of the SubSeven Trojan, released at around the same time as Pretty Park, was also a significant step in this anti-pilgrimage, in that a bot connected to an IRC server could remotely control a SubSeven server. This set the stage for all malicious botnets to come.

SubSeven was a Remote Access Tool (RAT) written, like Pretty Park, in Delphi. (One day we should look at the role played by Borland compilers in the history of malware, on both sides of the good/bad divide.) Despite passing itself off as a remote administration tool (some RATs in this era were treated with extreme caution by AV companies, faced with the protests of RAT authors about the detection of their "legitimate" tools), SubSeven included such "black" capabilities as password stealing and keylogging. Potentially, SubSeven gave bot operators full control of systems on which it was installed.

GT Bot

The upgrading in 1999 of the shareware mIRC client had a direct impact on the bot scene. This major enhancement included a resilient scripting language with the ability to respond directly to IRC server events, as well as supporting raw TCP/UDP sockets. These features offered enormous possibilities for new applications, but also for exploitation. Global Threat (GT) bots, based on the mIRC client bolstered by an assortment of malicious scripts, started