Class: Adware
Adware covers programs designed to display advertisements (usually in the form of banners), redirect search requests to advertising websites, and collect marketing-type data about the user (e.g. which types of websites s/he visits) in order to display customized advertising on the computer. Other than displaying advertisements and collecting data, these types of program generally do not make their presence in the system known: there will be no signs of the program in the system tray, and no indication in the program menu that files have been installed. Often, Adware programs do not have any uninstall procedures and use technologies which border on virus technology to help the program stealthily penetrate the computer and run unnoticed. Penetration There are two main ways in which Adware gets onto a user’s computer: it is built-in to some freeware and shareware programs unauthorized installation to a user’s computer as a result of a visit to an infected website. Most freeware and shareware programs stop displaying advertisements once they have been purchased and/or registered. But these programs often use built-in third-party Adware utilities, and in some cases, these utilities remain installed on the user’s computer even once the programs have been registered. Furthermore, removing the Adware component, which is still being used by a program to display advertisements, could cause the program to malfunction. The main purpose of Adware spread via the first method is to extract a type of payment for the software by showing advertisements to the user (the parties who make the advertisements pay the advertising agency, and the advertising agency pays the Adware developer). Adware also helps cut expenses for software developers (revenue from Adware encourages them to write new programs and improve existing ones), and it helps cut costs for users, too. Hacker technologies are often used when advertising components are installed on a user’s computer following a visit to an infected website. For instance, the computer can be penetrated via a browser vulnerability and Trojans designed to stealthily install (Trojan-Downloader or Trojan-Dropper) can be used. Adware programs that work in this way are often called Browser Hijackers. Displaying advertisements There are two main ways in which advertising is shown to the user: by downloading advertising text and images to a computer from web or FTP servers owned by the advertiser redirecting Internet browser search requests to advertising websites. In some cases, redirect requests takes place only if the user’s requested web page is not available i.e. if is an error in the URL. Collecting data In addition to displaying advertisements, many advertising systems also collect data about the computer and the user, such as: the computer’s IP address the operating system and browser version a list of the most frequently visited sites search queries other data that may be used to conduct subsequent advertising campaigns. Note: it is important not to confuse Adware that collects data with Trojan spyware programs. The difference is that Adware collects data with the user’s consent. If Adware does not notify the user that it is gathering information, then it is classified as a malicious program (Malware), specifically covered by the Trojan-Spy behaviour.Read more
Platform: Win32
Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.Family: Listicka
No family descriptionExamples
CAA530F4A2E55F75EC0B1F0DB235B37118DE4FA319A89F85BE27F2E813EA0B7E
B098F996B285B664E754DA5AA2633804
82015FFBEA3EAB3D1BDCF594126FABAC
89EE9C095284F8C5DBCF9A98DB5F6541
Tactics and Techniques: Mitre*
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).(Citation: Fireeye Hunting COM June 2019)
Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic.(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).(Citation: Fireeye Hunting COM June 2019)
Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and Visual Basic.(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task/Job, fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.
Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often Valid Accounts are required, along with access to the remote system’s SMB/Windows Admin Shares for RPC communication.
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.
Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often Valid Accounts are required, along with access to the remote system’s SMB/Windows Admin Shares for RPC communication.
* © 2025 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.