
Dropper (malware)

Windows-platform-based computer malware

From Wikipedia, the free encyclopedia


A dropper[1][2] is a Trojan horse designed to install other malware (such as viruses and backdoors) on a computer. The payload carried inside the dropper can be packed or encrypted so that it evades detection by antivirus software. Alternatively, the dropper may carry no payload at all and instead download the malware to the target computer once it is run; this variant is often called a downloader.

Droppers can be categorized into two types: persistent and non-persistent. A persistent dropper conceals itself on the device and alters system registry keys (typically autostart entries) so that it runs again at the next reboot and can reinstall the malware even if the payload was previously removed. A non-persistent dropper deletes itself after executing its payload and is therefore considered less dangerous: once the malware is removed, nothing remains to reinstall it.[3]
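The persistence mechanism described above is what a responder looks for first: an autostart registry value that re-launches the dropper at boot. The following is an added example (not code from this article or from any product) that parses a `reg export` dump of the HKCU Run key and scores each entry. The .reg text is constructed, and the Run/RunOnce keys, the scoring rules and the threshold are assumptions made here for illustration, not an established standard.

```python
"""Triage of Windows Run-key autostart entries from a `reg export` dump.

Added example for the article, not code from it. The .reg text is constructed;
the scoring heuristics and the threshold are assumptions chosen for illustration.
"""
import re

# Constructed excerpt in the text format written by `reg export`. Two entries
# look legitimate, two resemble what a persistent dropper leaves behind.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"WinUpdate"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe -k netsvcs"
"Installer"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\setup_stage2.exe\" /silent"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="(.*)"$')

# Windows binary names malware likes to borrow; the real ones live under
# C:\Windows. (Assumed short list for the example.)
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
SUSPICIOUS_THRESHOLD = 2


def _unescape(value: str) -> str:
    """Undo .reg escaping (backslash-escaped backslashes and quotes) in a REG_SZ literal."""
    return re.sub(r"\\(.)", r"\1", value)


def _executable_path(command: str) -> str:
    """Return the program part of an autostart command line (quoted or bare)."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(\S+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def score_entry(path: str) -> int:
    """Heuristic score: higher means more like a dropper's persistence entry."""
    p = path.lower()
    score = 0
    if any(marker in p for marker in USER_WRITABLE):
        score += 1            # an unprivileged dropper can write here
    if "\\temp\\" in p:
        score += 1            # staging directory, not an install location
    name = p.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARY_NAMES and not p.startswith("c:\\windows\\"):
        score += 2            # system binary name outside C:\Windows: masquerading
    return score


def triage(reg_text: str) -> list:
    """Parse a .reg dump and score every value under a Run/RunOnce key."""
    results, current_key = [], None
    for line in reg_text.splitlines():
        k = KEY_RE.match(line)
        if k:
            current_key = k.group(1)
            continue
        v = VALUE_RE.match(line)
        if not v or current_key is None:
            continue
        if not current_key.lower().endswith(("\\run", "\\runonce")):
            continue
        path = _executable_path(_unescape(v.group(2)))
        score = score_entry(path)
        results.append({
            "key": current_key, "name": v.group(1), "path": path,
            "score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD,
        })
    return results


def suspicious_names(reg_text: str) -> list:
    """Convenience view: just the value names worth a closer look."""
    return [e["name"] for e in triage(reg_text) if e["suspicious"]]


if __name__ == "__main__":
    for entry in triage(SAMPLE_REG):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f'{flag:10} score={entry["score"]} {entry["name"]}: {entry["path"]}')
```

On the constructed dump this flags `WinUpdate` (a file named svchost.exe living in Roaming) and `Installer` (an executable started from Temp) while leaving OneDrive alone even though it also runs from AppData, which is why the score adds up several weak signals instead of acting on any one of them. A real hunt would cover the HKLM Run keys, RunOnce, services and scheduled tasks as well; this block only shows the scoring idea.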

Trojan horses operate by masquerading as legitimate programs and rely on the user to run them. Once executed, a dropper unpacks its malicious code, loads it into the computer's memory and installs the malware on the system.[4]

Precautions can be taken to prevent infection by droppers: not opening links from unknown sources, and downloading software only from known, verified distributors such as the Microsoft Store or the Apple App Store. A firewall can also block traffic from unverified sources.[3]

Droppers can also target mobile devices. For instance, a user might follow a link received in a text message and download an application that infects the device with malware. An example of a Trojan dropper written for mobile devices is the Sharkbot dropper.[5][6] Sharkbot uses an Automatic Transfer System (ATS), a technique that fills in and submits transfers inside the victim's mobile banking applications, allowing the attackers to siphon off funds. This type of malware typically reaches devices through sideloading, bypassing the official app stores.[6]


Droppers and Antivirus Evasion


The main goal of a dropper is to evade malware detection by the antivirus software on the victim machine. It does so by changing the surface representation of the malware: the raw bytes of the deployed dropper, which contains the payload in packed form together with the logic to unpack and invoke it, are quite different from the raw bytes of the payload itself. Among machine-learning-based antivirus detectors there are two main types: feature-based models and byte-based models.

Feature-based models are traditional machine-learning classifiers such as LightGBM, random forest or XGBoost that make their predictions from the output of a feature extractor, which pulls a fixed set of features out of each sample. Examples of such features are the PE section headers, section names, imported libraries, strings and file sizes. A common evasion technique is to add dead code that is never executed, or to append random bytes to the end of the sample, in order to create noise that pushes the model into classifying a malicious sample as benign. Feature-based models are typically robust to these manipulations because most of the extracted features (imports, section structure, strings) are left untouched by them.

Byte-based models classify samples from their raw bytes and do not need a feature extractor. They are typically large neural networks: the raw bytes are converted into embeddings, which are then passed through the layers of the network. The main advantage of byte-based models is that they can learn patterns the hand-written feature extractors miss, with far less reliance on manual feature engineering. A major drawback is that they may overfit to superficial cues. For example, if most of the packed samples in the training set are packed with the UPX packer, the model may learn to associate the UPX packing itself with malware, a spurious correlation that causes benign UPX-packed programs to be flagged.

Droppers are effective at evading both kinds of model because the payload is usually compressed or encrypted and therefore shares almost none of its surface representation with the original sample. Common dropper variants include file-based droppers, network-based droppers, script-based droppers, downloader droppers and packed droppers.
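The three paragraphs above (surface representation, noise padding against feature-based models, and compression or encryption inside a dropper) can be seen on real bytes with a toy experiment. The following is an added example, not code from this article or from any antivirus product: the payload is a constructed, harmless byte string that merely contains strings typical of injection code, the dropper format and XOR key are invented here, and the two detectors are deliberately simplified stand-ins for a byte signature and a feature-based model.

```python
"""Why a dropper's raw bytes differ from its payload's: a toy demonstration.

Added example for the article, not code from it. PAYLOAD is a constructed,
harmless byte string that only contains strings typical of injection code;
the dropper layout, the XOR key and both detectors are simplified stand-ins
invented here, not any real product's logic.
"""
import hashlib
import math
import random
import re
import zlib
from collections import Counter

# Constructed "payload": PE-looking header, a few API names and a C2 URL,
# then a long run of NOP-like filler. It is not executable.
PAYLOAD = (
    b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n"
    + b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"http://example.invalid/c2/beacon\x00"
    + b"\x90" * 1024
)

# Hypothetical byte signature, as a byte-oriented scanner might carry it.
BYTE_SIGNATURE = b"WriteProcessMemory\x00CreateRemoteThread"
# Strings a feature-based model would treat as strong features.
SUSPICIOUS_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for compressed/encrypted data, far lower for code and text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_features(sample: bytes) -> dict:
    """Crude feature extractor: size, entropy, suspicious API strings, URL present."""
    strings = {s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{6,}", sample)}
    return {
        "size": len(sample),
        "entropy": round(shannon_entropy(sample), 2),
        "suspicious_apis": sorted(SUSPICIOUS_APIS & strings),
        "has_url": any(s.startswith("http") for s in strings),
    }


def byte_detector(sample: bytes) -> bool:
    """Byte-based check: does the raw signature occur verbatim?"""
    return BYTE_SIGNATURE in sample


def feature_detector(sample: bytes) -> bool:
    """Feature-based check (stand-in for a trained model): injection API plus URL."""
    f = extract_features(sample)
    return bool(f["suspicious_apis"]) and f["has_url"]


def pad_sample(sample: bytes, n: int = 2048, seed: int = 7) -> bytes:
    """Noise evasion from the text: append random bytes that are never executed."""
    rng = random.Random(seed)
    return sample + bytes(rng.getrandbits(8) for _ in range(n))


def build_dropper(payload: bytes, key: bytes = b"k3y!") -> bytes:
    """Constructed dropper image: a tiny stub header followed by the payload
    zlib-compressed and XOR-encrypted, so none of its bytes appear verbatim."""
    packed = zlib.compress(payload, 9)
    enc = bytes(b ^ key[i % len(key)] for i, b in enumerate(packed))
    header = b"STUB:inflate+xor then exec\x00" + len(enc).to_bytes(4, "little") + key
    return header + enc


def unpack_dropper(dropper: bytes) -> bytes:
    """What the stub does at run time: rebuild the payload in memory."""
    pos = dropper.index(b"\x00") + 1          # end of the stub marker
    length = int.from_bytes(dropper[pos:pos + 4], "little")
    key = dropper[pos + 4:pos + 8]
    enc = dropper[pos + 8:pos + 8 + length]
    packed = bytes(b ^ key[i % len(key)] for i, b in enumerate(enc))
    return zlib.decompress(packed)


def evaluate() -> dict:
    """Run both detectors over the payload, a padded copy and the dropper."""
    samples = {
        "payload": PAYLOAD,
        "padded": pad_sample(PAYLOAD),
        "dropper": build_dropper(PAYLOAD),
    }
    return {
        name: {
            "sha256": hashlib.sha256(s).hexdigest()[:16],
            "entropy": extract_features(s)["entropy"],
            "byte_hit": byte_detector(s),
            "feature_hit": feature_detector(s),
        }
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:8} sha256={r['sha256']} H={r['entropy']:.2f} "
              f"byte_hit={r['byte_hit']} feature_hit={r['feature_hit']}")
    assert unpack_dropper(build_dropper(PAYLOAD)) == PAYLOAD
```

Running it shows the three situations the text describes: padding changes only the hash, and both the signature and the string features still fire; the dropper image defeats both detectors because the API names, the URL and the signature bytes no longer exist anywhere in the file; and the only thing that gives the dropper away on the surface is its entropy, which jumps from that of mostly-NOP filler to that of compressed data. That entropy cue is exactly the kind of superficial feature a byte-based model can overfit to, since legitimate installers and UPX-packed programs look the same way.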

