2022-12-02

Dropper: a type of malware, a computer threat that is very rarely talked about. The English word literally means “eyedropper”, and the name fits: like an eyedropper, it drips malicious code onto your PC (or your phone) without you even realizing it.

Very often these little programs hide inside completely legitimate programs, and they are difficult to detect even for fairly tough antivirus and antimalware products such as Malwarebytes or Kaspersky.

What exactly is a dropper?

According to Italian-language Wikipedia, a dropper is “a program designed to install malware, a virus, or open a backdoor on a system. The malware code can be contained inside the dropper (single phase) in such a way as to avoid its detection by antiviruses, or the dropper, once active, can download the malware onto the target system (double phase).”

Italian-language Wikipedia later adds: “There are two main types of droppers. Some require no user interaction, and rely on an exploit, code that takes advantage of a system vulnerability. Others require user interaction by convincing the victim that it is a benevolent program.”

As we have already seen several times, it is by no means rare for these programs to “infiltrate” software that seems completely legitimate.

For example, if you have a WhatsApp installed from a third-party store (one with a name you have never heard of, not a safe one), it is very probable that this “edition” of the well-known messaging program is slowly inserting who knows what threats (malware, viruses, etc.).

What exactly does this type of program do?

A dropper is a small helper program that facilitates the delivery and installation of malware; spammers and other bad actors use these little programs to bypass the signatures that antivirus programs use to block or quarantine malicious code, which is why even antiviruses often have trouble detecting them.

If a signature is recognized, it is much easier to change the dropper than to rewrite the malicious code.

Droppers, like many of their counterparts (such as Trojans), can be persistent or non-persistent: non-persistent droppers install the malware and then remove themselves automatically, whereas persistent ones copy themselves to a hidden file and remain there until they have completed the task for which they were created.

Droppers can be spread by people who:

accidentally open an infected email attachment;

download who knows what from extremely dubious sites;

click on deceptive banners that silently install nasty things;

unknowingly use an infected flash memory (USB pendrive or SD card).

How do droppers hide?

Sometimes these malicious programs are even bundled with free programs or browser extensions (such as various ad blockers) to avoid detection by antivirus software; when the free program is run, this little-known threat first downloads, unpacks and installs the malware, and only then installs the (apparently) legitimate software.

Droppers are not tied to any particular file extension, which makes them harder to detect. The software essentially acts like a Trojan, and it is often used in spear-phishing attacks.
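The two points above (a dropper is cheaper to tweak than the malware it carries, and it is not tied to any file extension) are easiest to see in a small triage script. The following is an added example, not code from the original article: it hashes files against a blocklist, and it identifies content by its leading "magic" bytes rather than trusting the extension. The blocklist entry and every sample file are constructed in the script itself; none of them are real indicators.

```python
import hashlib
import os

# Content types recognised by their leading bytes (a small, illustrative subset).
MAGIC_SIGNATURES = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP archive",
}

# What a given extension claims the content should be.
EXPECTED_BY_EXT = {
    ".exe": "Windows PE executable",
    ".dll": "Windows PE executable",
    ".pdf": "PDF document",
    ".jpg": "JPEG image",
    ".jpeg": "JPEG image",
    ".zip": "ZIP archive",
}

EXECUTABLE_TYPES = {"Windows PE executable", "ELF executable"}
EXECUTABLE_EXTS = {".exe", ".dll", ".so", ".bin"}


def identify(data):
    """Return the content type implied by the file's magic bytes."""
    for magic, kind in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def inspect_file(name, data, blocklist):
    """Triage one file: hash blocklist, extension/content mismatch, hidden executables."""
    ext = os.path.splitext(name)[1].lower()
    actual = identify(data)
    expected = EXPECTED_BY_EXT.get(ext)
    digest = sha256_hex(data)
    findings = []
    if digest in blocklist:
        findings.append("hash matches blocklist")
    if expected is not None and actual != expected:
        findings.append(f"extension {ext} claims {expected} but content is {actual}")
    if actual in EXECUTABLE_TYPES and ext not in EXECUTABLE_EXTS:
        findings.append("executable content under a non-executable or missing extension")
    return {"name": name, "type": actual, "sha256": digest, "findings": findings}


# Constructed "known dropper" sample; its hash is our entire blocklist.
KNOWN_DROPPER = b"MZ" + b"\x90" * 60 + b"constructed-sample-payload"
BLOCKLIST = {sha256_hex(KNOWN_DROPPER)}


def demo():
    """Run the triage over constructed samples and return the results by file name."""
    samples = {
        "invoice.pdf": b"%PDF-1.4 constructed harmless document",
        "setup.exe": KNOWN_DROPPER,                 # exact known sample: caught by hash
        "setup_v2.exe": KNOWN_DROPPER + b"\x00",    # one extra byte: hash no longer matches
        "photo.jpg": b"MZ" + b"\x00" * 40,          # executable disguised as an image
        "update": b"MZ" + b"\x00" * 40,             # executable with no extension at all
    }
    return {name: inspect_file(name, data, BLOCKLIST) for name, data in samples.items()}


if __name__ == "__main__":
    for result in demo().values():
        print(result["name"], result["type"], result["findings"])
```

The interesting row is `setup_v2.exe`: a single appended byte is enough for the hash blocklist to miss it, which is the point about changing the dropper being cheaper than rewriting the payload, while the magic-byte checks still flag `photo.jpg` and the extensionless `update` because they look at what the file is rather than what it is called.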

While droppers are traditionally standalone programs, their functionality is increasingly being included as part of a malware package.

In late 2014, for example, the FBI reported that the malware used in the attacks on Sony associated with its film The Interview was packaged in a dropper executable that installed itself as a Windows service. Data collected for the 2020 Verizon DBIR shows that nearly 25% of public sector incidents involve one of these notorious “droppers”.

How to prevent it?

The Cybersecurity and Infrastructure Security Agency (CISA) recommends that users and administrators:

block emails that cannot be scanned by antivirus;

adopt a Zero Trust strategy;

apply the principle of least privilege (POLP), using administrator rights as little as possible;

implement network segmentation to segment and segregate networks and functions (basically, decentralize servers where possible).

As always, the user does 90% of the work of securing a PC or phone.