Chapter 1 / Empty Cup Mind
Figure 1.2
Single-Stage Versus Multistage Droppers
The manner in which a rootkit is installed on a target can vary. Sometimes it's
installed as a payload that's delivered by an exploit. Within this payload will
be a special program called a dropper, which performs the actual installation
(see Figure 1.3).
Figure 1.3 (diagram labels: Input Byte Stream, Exploit)
A dropper serves multiple purposes. For example, to help the rootkit make it
past gateway security scanning, the dropper can transform the rootkit (e.g.,