Class: Adware
Adware covers programs designed to display advertisements (usually in the form of banners), redirect search requests to advertising websites, and collect marketing-type data about the user (e.g. which types of websites s/he visits) in order to display customized advertising on the computer. Other than displaying advertisements and collecting data, these types of program generally do not make their presence in the system known: there will be no signs of the program in the system tray, and no indication in the program menu that files have been installed. Often, Adware programs do not have any uninstall procedures and use technologies which border on virus technology to help the program stealthily penetrate the computer and run unnoticed. Penetration There are two main ways in which Adware gets onto a user’s computer: it is built-in to some freeware and shareware programs unauthorized installation to a user’s computer as a result of a visit to an infected website. Most freeware and shareware programs stop displaying advertisements once they have been purchased and/or registered. But these programs often use built-in third-party Adware utilities, and in some cases, these utilities remain installed on the user’s computer even once the programs have been registered. Furthermore, removing the Adware component, which is still being used by a program to display advertisements, could cause the program to malfunction. The main purpose of Adware spread via the first method is to extract a type of payment for the software by showing advertisements to the user (the parties who make the advertisements pay the advertising agency, and the advertising agency pays the Adware developer). Adware also helps cut expenses for software developers (revenue from Adware encourages them to write new programs and improve existing ones), and it helps cut costs for users, too. Hacker technologies are often used when advertising components are installed on a user’s computer following a visit to an infected website. For instance, the computer can be penetrated via a browser vulnerability and Trojans designed to stealthily install (Trojan-Downloader or Trojan-Dropper) can be used. Adware programs that work in this way are often called Browser Hijackers. Displaying advertisements There are two main ways in which advertising is shown to the user: by downloading advertising text and images to a computer from web or FTP servers owned by the advertiser redirecting Internet browser search requests to advertising websites. In some cases, redirect requests takes place only if the user’s requested web page is not available i.e. if is an error in the URL. Collecting data In addition to displaying advertisements, many advertising systems also collect data about the computer and the user, such as: the computer’s IP address the operating system and browser version a list of the most frequently visited sites search queries other data that may be used to conduct subsequent advertising campaigns. Note: it is important not to confuse Adware that collects data with Trojan spyware programs. The difference is that Adware collects data with the user’s consent. If Adware does not notify the user that it is gathering information, then it is classified as a malicious program (Malware), specifically covered by the Trojan-Spy behaviour.Read more
Platform: Win32
Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.Family: Amonetize
No family descriptionExamples
25DB2F07639D17906669967D4429CA1F38B23E10CBFCF45D4D51BEEF390D8204
1236BFB7FE766E911C386495305926B5
BCE939E157E85221A6A43271DE7981F2
6A905D7AE204E1AD9A6A69B9857640F3
Tactics and Techniques: Mitre*
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE). Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE). Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
* © 2025 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.