Threats

Toolbars are software extensions that are visible in the GUI of the host program. In the case of PUPs, the host program is usually a browser. The visible part of the toolbar can vary from one extra button added to the browsers own taskbar, to the bar over the full width at the top of the browser window.

A registry cleaner, also known as registry optimizer or registry defragmenter, is a program that claims to clean the computer’s registry in order to optimize the system’s performance. It is usually free.

Many favor downloading, installing, and running this type of program because they swear by the improved capabilities observed after the registry is cleaned. However, researchers claim that this perceived improvement can only be a form of placebo effect.

Commercial keyloggers are applications designed to harvest user interactions with a computer. These interactions include the capture of keystrokes, usernames and passwords, screenshots, collection of images and sound from the microphone/camera, printed documents, browser history, emails, chat logs, and more. Commercial keyloggers are similar to Infostealers in their ability to covertly collect user information, but differ in the fact that these programs can be obtained with a legitimate license through legal means. Commercial keyloggers are often marketed toward concerned spouses/parents who wish to monitor usage of a home PC, corporate IT/security teams maintaining DLP protocols, and auditors checking for conformity to policy.

Commercial keyloggers are often polished applications featuring huge selections of monitoring and stealth capabilities to assist users in maintaining a long-term presence. Due to the low cost and vast availability of these types of applications, commercial keyloggers have long been a preferred choice for criminals seeking a low barrier of entry for identity theft and fraud activities.

Browser Helper Objects (BHOs) are add-ons or plugins designed for Microsoft’s Internet Explorer (IE). Designed to enable COM objects to be written that will load with the browser (both IE and Windows Explorer), BHOs were a means to enhance the functionality of the browser. Their first use was to add toolbars to the browser windows.

Although these objects are usually dll files, we have also seen dat and exe files. The unrestricted access that BHOs have by design in IEs Document Object Model make them a powerful tool in the hands of attackers. In the Windows registry, the BHOs are registered by globally unique identifiers called CLSIDs under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. There the CLSIDs are sub-keys that enumerate the BHOs in use on that system.

Browser extensions are computer programs that add functionality to existing browsers. They come in as many kinds (and more) as there are browsers.

Internet Explorer distinguishes between toolbars and browser helper objects (BHOs). Other browsers like Firefox, Chrome, Opera, and Safari call them add-ons or simply extensions.

For PUPs, the economically most interesting browsers are the most popular ones, e.g. Chrome, Firefox, and Internet Explorer.

Adware, short for advertising supported software, is arguably the forerunner of the modern day PUP (Potentially Unwanted Program). Adware is typically a standalone program which displays adverts to the end-user in a variety of forms: inside the program itself, or via pop-ups, slide-in adverts, browser pop-ups, inserted adverts, or altered website content. The revenue generated by the adverts is how the program the adware is attached to is paid for, meaning the end-user receives their desired tool or service for “free.” Unfortunately, adware has a history of dubious value propositions, and what is initially offered can often turn out to be a scam or not what the end-user intended.

Advertising (ad) fraud, also called click fraud or click spam, is a practice by bad actors, specifically dubious advertising networks, wherein they deliberately use automated programs—from simple to sophisticated bots and botnets—to interact with advertisements online. They do this by simulating legitimate users into clicking ads, visiting pages, and (in some instances) creating fake form submissions.

While it is common knowledge that fraud earnings of this sort are inflated via automated means, some claim that a significant portion of ad click traffic is generated by actual people (low-wage workers). Furthermore, some form of fraud involves ads that are never seen in the wild by Internet users and ads that publishers intentionally misrepresent. Regardless of how click fraud is played, the objective of people and organizations behind them varies. The most obvious one is to generate high profit, the less obvious one is to incriminate or damage the profit of competitors.