Classe: Adware
Adware couvre les programmes conçus pour afficher des publicités (généralement sous forme de bannières), rediriger les demandes de recherche vers des sites Web publicitaires et collecter des données marketing sur l'utilisateur (par exemple, les types de sites qu'il visite) afin d'afficher des publicités personnalisées. l'ordinateur. Outre l'affichage de publicités et la collecte de données, ces types de programmes ne permettent généralement pas de connaître leur présence dans le système: il n'y a aucun signe du programme dans la barre d'état système et aucune indication dans le menu du programme que les fichiers ont été installés. Souvent, les programmes Adware ne disposent pas de procédures de désinstallation et utilisent des technologies qui s'apparentent à la technologie antivirus pour aider le programme à pénétrer furtivement l'ordinateur et à passer inaperçu. Pénétration Adware pénètre de deux manières différentes sur l'ordinateur d'un utilisateur: il est intégré à certains programmes freeware et shareware installés sans autorisation sur l'ordinateur d'un utilisateur à la suite d'une visite sur un site Web infecté. La plupart des programmes freeware et shareware cessent d'afficher des publicités une fois qu'ils ont été achetés et / ou enregistrés. Mais ces programmes utilisent souvent des utilitaires Adware tiers intégrés et, dans certains cas, ces utilitaires restent installés sur l'ordinateur de l'utilisateur même une fois les programmes enregistrés. En outre, supprimer le composant Adware, qui est toujours utilisé par un programme pour afficher des publicités, peut provoquer un dysfonctionnement du programme. L'objectif principal de la propagation d'Adware via la première méthode est d'extraire un type de paiement pour le logiciel en diffusant des publicités à l'utilisateur (les parties qui font les publicités paient l'agence de publicité et l'agence publicitaire paie le développeur Adware). Adware contribue également à réduire les dépenses des développeurs de logiciels (les revenus générés par Adware les incitent à écrire de nouveaux programmes et à améliorer ceux qui existent déjà), tout en réduisant les coûts pour les utilisateurs. Les technologies Hacker sont souvent utilisées lorsque des composants publicitaires sont installés sur l'ordinateur d'un utilisateur à la suite d'une visite sur un site Web infecté. Par exemple, l'ordinateur peut être pénétré via une vulnérabilité de navigateur et des chevaux de Troie conçus pour s'installer furtivement (Trojan-Downloader ou Trojan-Dropper) peuvent être utilisés. Les programmes publicitaires qui fonctionnent de cette manière sont souvent appelés Pirate de navigateur. Affichage des publicités La publicité est présentée à l'utilisateur de deux manières principales: en téléchargeant du texte publicitaire et des images sur un ordinateur à partir de serveurs Web ou FTP appartenant à l'annonceur redirigeant les requêtes de recherche de navigateur Internet vers des sites publicitaires. Dans certains cas, les demandes de redirection ont lieu uniquement si la page Web demandée par l'utilisateur n'est pas disponible, c'est-à-dire s'il s'agit d'une erreur dans l'URL. Collecte de données En plus d'afficher des publicités, de nombreux systèmes publicitaires collectent également des données sur l'ordinateur et l'utilisateur, telles que: l'adresse IP de l'ordinateur le système d'exploitation et la version du navigateur une liste des sites les plus visités mener des campagnes publicitaires ultérieures. Remarque: il est important de ne pas confondre Adware qui recueille des données avec les programmes de logiciels espions Trojan. La différence est que Adware recueille des données avec le consentement de l'utilisateur. Si Adware n'indique pas à l'utilisateur qu'il collecte des informations, il est alors classé comme un programme malveillant (Malware), spécifiquement couvert par le comportement Trojan-Spy.Plus d'informations
Plateforme: Win32
Win32 est une API sur les systèmes d'exploitation Windows NT (Windows XP, Windows 7, etc.) qui prend en charge l'exécution des applications 32 bits. L'une des plateformes de programmation les plus répandues au monde.Famille: AdWare.Win32.InstallMonstr
No family descriptionExamples
7ADBBFC84066572CD27AA169F1425A96CC861DA85599C76782DACBAFC206D0BB
9A058349C07768332D47E548C4B25E35
88203E888D21C19D4A0F27C141AE2998
C61728C258C0C5D747585BEE94EF2033
Tactics and Techniques: Mitre*
TA0002
Execution
The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
T1106
Native API
Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
TA0005
Defense Evasion
The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics' techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
T1036.008
Masquerade File Type
Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is
0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`. T1497.001
System Checks
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
T1497.003
Time Based Evasion
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
T1614.001
System Language Discovery
Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.
T1622
Debugger Evasion
Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.
TA0007
Discovery
The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what's around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
T1010
Application Window Discovery
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used. For example, information about application windows could be used identify potential data to collect as well as identifying security tooling (Security Software Discovery) to evade.
T1120
Peripheral Device Discovery
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
T1497.001
System Checks
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
T1497.003
Time Based Evasion
Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.
T1622
Debugger Evasion
Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.
TA0011
Command and Control
The adversary is trying to communicate with compromised systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim's network structure and defenses.
T1571
Non-Standard Port
Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
* © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.