| PROBLEM: | Browser Helper Objects (BHO) are Microsoft's way of attaching add-ins to Internet Explorer 4 and later. In addition to legitimate uses, BHOs are used to attach spyware to a user's web browser to secretly send a user's browsing habits to a marketing site and could be used for malicious code. The problems are that there is no simple way to know what BHOs are attached to a system and no simple way to control the attachment of new ones. |
| PLATFORM: | Internet Explorer 4 and later and Windows Explorer on Windows Platforms. |
| ABSTRACT: | Browser Helper Objects (BHO) are executable applications that attach to Internet Explorer 4 and later and have access to all of Internet Explorer's objects and events. Legitimate uses include the Adobe Acrobat add-in that displays Acrobat documents within your web browser window. Problems can occur when applications install spyware to your browser to track where you go on the net and send that information back to a marketing server somewhere. Malicious code could be designed to attach to a web browser and send copies of user accounts, passwords, personal data and other sensitive information back to a remote server. The difficulty with BHOs is that there is no way within Internet Explorer to see what BHOs are attached or to control the attachment of new BHOs. In this paper, we describe some software that lists currently attached BHOs and allows you to disable them. We also include a way for increasing the security on the Registry key where links to the installed BHOs are stored. |
| LINKS: | |
| CIAC BULLETIN: | http://www.ciac.org/ciac/techbull/CIACTech02-002.shtml |
| OTHER LINKS: | Description of BHOs: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q179230 and http://msdn.microsoft.com/library/en-us/dnbrowse/html/bho.asp. CNET News article about BHOs and spyware: Download site for BHO Cop |
Browser Helper Objects (BHO) are executable applications that attach to Internet Explorer 4 and later and have access to all of Internet Explorer's objects and events. They can manipulate what you see on the screen, see every place that you visit with your web browser, and read all information you send to a website, including usernames, passwords, and other personal and sensitive information. They also have access to the Internet and can send information to a listening server.
Legitimate uses of BHOs include the well-known Adobe Acrobat add-in that allows you to read an Acrobat document within a web browser. They also include virus scanners that check incoming web pages and documents for malicious code. While you do not want to prevent the legitimate uses of BHOs, the potential for misuse is high.
A current example of such misuse is the installation of a spyware add-in along with the installation of the current version of the Morpheus file-sharing software (see CNET News.com, http://news.com.com/2100-1023-864086.html). Whenever you visit a website, the spyware module sends the location of the site you are visiting to a server belonging to a marketing company. This module could just as easily be sending other personal information to that company.
BHOs are .DLL libraries that are installed by registering their location in the registry. The currently installed BHOs are registered as subkeys of the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
The subkeys are named with the CLSID of the BHO. A CLSID is a number that uniquely identifies a particular executable. For example, the CLSID of the Adobe Acrobat Reader 5 BHO is:
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
The main difficulty with this process is that there is no easy way built into Internet Explorer to know what BHOs are attached or to prevent them from being installed.
One way to see what BHOs are attached to your system is to run regedit and look at the key shown above. If the Browser Helper Objects key exists and has subkeys, those subkeys are attached BHOs.

Unfortunately, the CLSID alone doesn't tell you what the add-in does. To see what it is, search for the CLSID in HKEY_CLASSES_ROOT\CLSID. The values in that key will tell you which .DLL file is attached and what its name is.
An easier way is to download and install the freeware program BHO Cop, available from CNET Downloads. When you run BHO Cop, it lists all the BHOs registered on your system.

From the information given, you can easily see that this is part of Adobe Acrobat and is not likely to be a problem. If you want to disable a BHO, simply uncheck the check box. BHO Cop does not delete the files, but simply removes the CLSID key from the Browser Helper Objects key. If you recheck the BHO, it puts the key back. It saves the current configuration in its .INI file and in a .REG file to make it easy to restore your system in the event that removing the BHO causes a problem and BHO Cop cannot fix it.
Note that some “free” applications that display advertising will not work if the BHOs that display the advertising are removed.
BHO Cop also removes new and reregistered BHOs at system startup. New BHOs can be installed at any time, and some spyware programs have a second component that checks at startup and reinstalls the BHO if it has been removed. As BHO Cop is run from the startup directory, it is one of the last things to run at startup. It compares the BHOs listed in the registry key against the ones you selected to keep the last time you ran BHO Cop, disables any others it finds, and quits. If you want to keep any newly installed BHOs, you need only run BHO Cop and check those you want to keep. You can disable this behavior by simply removing the BHO Cop link from the startup directory.
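The registry lookup described above (BHO subkey, then the matching HKEY_CLASSES_ROOT\CLSID entry for the name and .DLL) and BHO Cop's startup comparison against a saved list, shown as an added example that is not part of this bulletin or of BHO Cop. It works offline on a regedit .REG export; the export text, the second CLSID, and the names and paths in it are constructed sample values (only the Acrobat CLSID comes from the bulletin).

```python
# Added example: audit the Browser Helper Objects key from a .REG export and
# flag any BHO that is not on a saved allow list (the check BHO Cop runs at
# startup). Not the bulletin's or BHO Cop's own code.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

# Constructed sample export: the Acrobat CLSID is the one quoted in the
# bulletin; the second CLSID, the names and the file paths are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_CLASSES_ROOT\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
@="AcroIEHlprObj Class"
[HKEY_CLASSES_ROOT\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32]
@="C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Helper"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\System32\\example.dll"
"""

def parse_reg(text):
    """Map each [key path] in a .REG export to its string values ('@' = default)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            # .REG doubles backslashes inside string data; undo that
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def list_bhos(text):
    """Return (clsid, name, dll) for every direct subkey of the BHO key."""
    keys, found = parse_reg(text), []
    for path in keys:
        rest = path[len(BHO_KEY) + 1:]
        if path.startswith(BHO_KEY + "\\") and "\\" not in rest:
            base = CLSID_ROOT + "\\" + rest          # HKCR\CLSID\{...}
            name = keys.get(base, {}).get("(Default)", "?")
            dll = keys.get(base + r"\InprocServer32", {}).get("(Default)", "?")
            found.append((rest, name, dll))
    return found

def unexpected_bhos(text, allowed):
    """BHO Cop's startup check: any BHO not in the saved allow list is flagged."""
    keep = {c.upper() for c in allowed}
    return [b for b in list_bhos(text) if b[0].upper() not in keep]
```

On a live system the same logic applies to the output of regedit's Export command for the two keys; anything flagged should be checked before it is disabled, since some "free" applications stop working without their BHO.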
A second option is to change the permissions on the Browser Helper Objects key to remove write access by anyone, including the Administrator. This can only be done on Windows NT, 2000, or XP. Run the regedt32 application, select the key, and choose the Security, Permissions command. See who has write access (it should be only Administrator) and change it to read only. If you are installing software that includes a BHO, you must give Administrator read/write access to the key again, do the installation, and then change the permissions back to read only.
Note: Editing the registry is not for the faint of heart. Making a mistake here can make your system unbootable, so be careful what changes you make.
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/ or http://ciac.llnl.gov (same machine -- either one will work)
Anonymous FTP: ftp.ciac.org or ciac.llnl.gov (same machine -- either one will work)