A Trojan dropper, or simply a dropper, is a malicious program designed to deliver other malware to a victim’s computer or phone.
Droppers are most frequently Trojans — programs that appear to be or include an application that is valuable to the user. A typical example is a key generator (or keygen) for a pirated copy of a commercial software suite.
How droppers work
In most cases, droppers do not perform any malicious functions themselves. The primary purpose of a dropper is to install other malicious tools — its so-called payload — on the target device without the victim noticing. Unlike a downloader, which fetches the necessary components from the attackers’ server at run time, a dropper already contains them inside its own file. Upon launch, it extracts the payload and writes it to the device. A dropper can also launch the installers of the malware it carries.
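Because a dropper carries its payload inside its own file, one cheap static indicator a defender can check for is a second, valid executable image embedded at a non-zero offset in a file that is itself an executable. The Python below, added here as an illustration and not part of the original article, scans a byte buffer for Windows PE headers (an "MZ" stub whose e_lfanew field points at a "PE\0\0" signature) and flags files that contain more than one. All function names and the sample buffers are constructed for the example; the stubs are minimal header fragments, not real programs.

```python
import struct

def find_embedded_executables(blob: bytes) -> list:
    """Return the offsets of every valid-looking PE header in blob.

    A header is accepted only if the DOS stub's e_lfanew field (offset 0x3C)
    points to a "PE\\0\\0" signature within a sane distance, so a stray "MZ"
    pair in ordinary data is not reported.
    """
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and blob[pe_off:pe_off + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def looks_like_dropper(blob: bytes) -> bool:
    """True when the file is a PE image that carries at least one more PE image.

    This mirrors the dropper pattern described in the text: a host executable
    with its payload bundled inside rather than downloaded later.
    """
    offsets = find_embedded_executables(blob)
    return len(offsets) > 1 and offsets[0] == 0

def make_pe_stub(marker: bytes) -> bytes:
    """Constructed minimal PE-looking fragment used only as sample input:
    a 64-byte DOS header whose e_lfanew points just past itself, followed by
    the PE signature and an arbitrary marker standing in for the image body."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + marker

# Constructed samples.
# The host image is 278 bytes long; a decoy "MZ" with no PE signature behind it
# follows (22 bytes), so the embedded image starts at offset 300.
HOST_IMAGE = make_pe_stub(b"host-image" + b"\x00" * 200)
DECOY = b"MZ" + b"\x00" * 20
EMBEDDED_IMAGE = make_pe_stub(b"embedded-payload")
SAMPLE_DROPPER = HOST_IMAGE + DECOY + EMBEDDED_IMAGE
SAMPLE_CLEAN = make_pe_stub(b"single-clean-image")

if __name__ == "__main__":
    print("dropper sample:", find_embedded_executables(SAMPLE_DROPPER),
          looks_like_dropper(SAMPLE_DROPPER))
    print("clean sample:  ", find_embedded_executables(SAMPLE_CLEAN),
          looks_like_dropper(SAMPLE_CLEAN))
```

The decoy bytes show why the e_lfanew check matters: "MZ" is a common enough two-byte sequence that matching on it alone would produce false positives. In practice this heuristic is one signal among several; legitimate installers and self-extracting archives also bundle executables, so a hit warrants closer inspection rather than automatic blocking.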
What droppers can carry
A dropper’s payload usually consists of further Trojans. Some droppers contain only one malicious program, but most carry several malware tools. The bundled components are not necessarily related to one another and may serve different purposes; they may even be developed by different hacker groups. Droppers can also contain harmless files meant to mask the installation of malware.
As a rule, droppers carry known Trojans that the target device’s security features would otherwise block. They impede malware detection at the downloading stage and neutralize system defenses before installing their payload. The neutralization mechanism depends on the target operating system type. For example, droppers for Windows typically deactivate User Account Control (UAC), which notifies users about any attempts to perform actions affecting critical system elements.
Dropper types
Droppers can be persistent or nonpersistent.
- Persistent droppers copy themselves to a hidden file and can reinstall themselves if removed.
- Nonpersistent droppers uninstall themselves from the infected device once the payload has been installed.