Class: Adware
Adware covers programs designed to display advertisements (usually in the form of banners), redirect search requests to advertising websites, and collect marketing-type data about the user (e.g. which types of websites s/he visits) in order to display customized advertising on the computer. Other than displaying advertisements and collecting data, these types of program generally do not make their presence in the system known: there will be no signs of the program in the system tray, and no indication in the program menu that files have been installed. Often, Adware programs do not have any uninstall procedures and use technologies which border on virus technology to help the program stealthily penetrate the computer and run unnoticed. Penetration There are two main ways in which Adware gets onto a user’s computer: it is built-in to some freeware and shareware programs unauthorized installation to a user’s computer as a result of a visit to an infected website. Most freeware and shareware programs stop displaying advertisements once they have been purchased and/or registered. But these programs often use built-in third-party Adware utilities, and in some cases, these utilities remain installed on the user’s computer even once the programs have been registered. Furthermore, removing the Adware component, which is still being used by a program to display advertisements, could cause the program to malfunction. The main purpose of Adware spread via the first method is to extract a type of payment for the software by showing advertisements to the user (the parties who make the advertisements pay the advertising agency, and the advertising agency pays the Adware developer). Adware also helps cut expenses for software developers (revenue from Adware encourages them to write new programs and improve existing ones), and it helps cut costs for users, too. Hacker technologies are often used when advertising components are installed on a user’s computer following a visit to an infected website. For instance, the computer can be penetrated via a browser vulnerability and Trojans designed to stealthily install (Trojan-Downloader or Trojan-Dropper) can be used. Adware programs that work in this way are often called Browser Hijackers. Displaying advertisements There are two main ways in which advertising is shown to the user: by downloading advertising text and images to a computer from web or FTP servers owned by the advertiser redirecting Internet browser search requests to advertising websites. In some cases, redirect requests takes place only if the user’s requested web page is not available i.e. if is an error in the URL. Collecting data In addition to displaying advertisements, many advertising systems also collect data about the computer and the user, such as: the computer’s IP address the operating system and browser version a list of the most frequently visited sites search queries other data that may be used to conduct subsequent advertising campaigns. Note: it is important not to confuse Adware that collects data with Trojan spyware programs. The difference is that Adware collects data with the user’s consent. If Adware does not notify the user that it is gathering information, then it is classified as a malicious program (Malware), specifically covered by the Trojan-Spy behaviour.Read more
Platform: Win32
Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.Family: AdWare.Win32.Ocna
No family descriptionExamples
991E7B81B38B3AEF3753ADFB0FF568A3Tactics and Techniques: Mitre*
TA0002
Execution
The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
T1559.001
Component Object Model
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE). Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).
TA0005
Defense Evasion
The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics' techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
T1070.006
Timestomp
Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
T1112
Modify Registry
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
T1564.001
Hidden Files and Directories
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (
dir /a for Windows and ls –a for Linux and macOS). * © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.