Saturday, March 25, 2006

what is a dropper?

a dropper is a program that carries an (often hidden) instance of some already known malware within itself and drops (extracts and runs) the malware it carries when it itself gets executed...

droppers are a means of getting malicious content past gateway security checks such as scanning downloads and email... they're generally easy to create by applying some arbitrary transformation (run-time compression, encryption, or some other kind of encoding) to the malware they carry, which is then reversed when the malware gets dropped, but not necessarily easy for a scanner to see through programmatically unless it has prior knowledge of the transformation algorithm... in its transformed state the malware may not be recognizable to the security applications that checked the dropper as it entered the machine, and if that happens the malware may go undetected when it gets dropped unless additional measures such as real-time monitoring or sandboxing are used...
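to make the transformation-versus-scanner point concrete, here's an added example (written for this page, not code from the original post or from any real product): a toy dropper that compresses and xor-encodes a constructed, inert "known sample", alongside two scanners... one is a plain pattern matcher, the other has prior knowledge of the container format and unpacks before matching... the sample bytes, the one-entry signature database, the container layout (DRP1 magic, length, key, body) and the xor key are all made up for the demonstration...

```python
"""
Added demonstration (not the original post's code): how a dropper's
transformation hides a known sample from a plain signature scanner, and
why a scanner that knows the transformation can still see through it.

Everything here is constructed: the "malware" is an inert byte string,
the signature database has one entry, and the dropper format is made up.
"""
import zlib

# constructed stand-in for an "already known" sample: a scanner would have
# a signature for this content
KNOWN_SAMPLE = b"\x4d\x5a" + b"CONSTRUCTED-SAMPLE-PAYLOAD-" * 3 + b"\x00" * 16

# constructed signature database: name -> byte pattern
SIGNATURES = {
    "Constructed.Sample": b"CONSTRUCTED-SAMPLE-PAYLOAD-",
}

# made-up container format: magic | 4-byte body length | 4-byte xor key | body
DROPPER_MAGIC = b"DRP1"
XOR_KEY = b"\x5a\xc3\x9e\x11"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def scan(blob: bytes, signatures=SIGNATURES) -> list:
    """Plain pattern scanner: names every signature found in the bytes as given."""
    return sorted(name for name, pattern in signatures.items() if pattern in blob)


def build_dropper(payload: bytes, key: bytes = XOR_KEY) -> bytes:
    """Wrap the payload: compress (run-time packing) then XOR (a simple encoding).

    The key has to travel inside the dropper, because the dropper itself
    reverses the transformation when it runs.
    """
    body = xor_bytes(zlib.compress(payload), key)
    return DROPPER_MAGIC + len(body).to_bytes(4, "big") + key + body


def drop(dropper: bytes) -> bytes:
    """The 'extract' half of extract-and-run: reverse the transformation."""
    if not dropper.startswith(DROPPER_MAGIC):
        raise ValueError("not a dropper in this format")
    length = int.from_bytes(dropper[4:8], "big")
    key = dropper[8:12]
    body = dropper[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated dropper")
    return zlib.decompress(xor_bytes(body, key))


def scan_with_unpacking(blob: bytes, signatures=SIGNATURES) -> list:
    """Scanner with prior knowledge of this transformation: it scans the blob
    as-is and, if the blob is in the known container format, also scans what
    the dropper would extract at run time."""
    hits = set(scan(blob, signatures))
    if blob.startswith(DROPPER_MAGIC):
        try:
            hits.update(scan(drop(blob), signatures))
        except (ValueError, zlib.error):
            pass  # malformed container: nothing to unpack, keep the raw hits
    return sorted(hits)


if __name__ == "__main__":
    dropper = build_dropper(KNOWN_SAMPLE)
    print("raw sample:                      ", scan(KNOWN_SAMPLE))
    print("dropper as seen at the gateway:  ", scan(dropper))
    print("payload after dropping:          ", scan(drop(dropper)))
    print("gateway that knows the transform:", scan_with_unpacking(dropper))
```

the plain scanner flags the raw sample and the dropped payload but not the dropper itself, which is exactly the gap the post describes... the unpacking scanner closes it only because it knows this one container format; change the magic, the key schedule, or the compression step and it is back to square one, which is why real-time monitoring of what actually runs is the more general answer...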

the dropper represents a kind of (usually) temporary camouflage and as such is a distant relative of the more conventional stealth techniques... because they secretly introduce malware into a system, droppers are also a type of trojan horse program in their own right...
