__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Center
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                     TECHNICAL BULLETIN

     Microsoft Browser Helper Objects (BHO) Could Hide Malicious Code

April 2, 2002 00:00 GMT                                  Number CIACTech02-002
______________________________________________________________________________

PROBLEM:   Browser Helper Objects (BHO) are Microsoft's way of attaching
           add-ins to Internet Explorer 4 and later. In addition to
           legitimate uses, BHOs are used to attach spyware to a user's web
           browser that secretly sends the user's browsing habits to a
           marketing site, and they could be used to carry malicious code.
           The problems are that there is no simple way to know what BHOs
           are attached to a system and no simple way to control the
           attachment of new ones.

PLATFORM:  Internet Explorer 4 and later and Windows Explorer on Windows
           platforms.

ABSTRACT:  Browser Helper Objects (BHO) are executable applications that
           attach to Internet Explorer 4 and later and have access to all
           of Internet Explorer's objects and events. Legitimate uses
           include the Adobe Acrobat add-in that displays Acrobat documents
           within your web browser window. Problems can occur when
           applications install spyware in your browser to track where you
           go on the net and send that information back to a server
           somewhere. Malicious code could be designed to attach to a web
           browser and send copies of user accounts, passwords, personal
           data and other sensitive information back to a remote server.
           The difficulty with BHOs is that there is no way within Internet
           Explorer to see what BHOs are attached or to control the
           attachment of new BHOs. In this paper, we describe some software
           that lists currently attached BHOs and allows you to disable
           them. We also include a way of increasing the security on the
           Registry key where links to the installed BHOs are stored.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:   http://www.ciac.org/ciac/techbull/CIACTech02-002.shtml

 OTHER LINKS:
  Description of BHOs:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q179230
    http://msdn.microsoft.com/library/en-us/dnbrowse/html/bho.asp
  CNET News article about BHOs and spyware:
    http://news.com.com/2100-1023-864086.html
  Download site for BHO Cop:
    http://download.cnet.com/downloads/0-3364664-100-5930345.html
______________________________________________________________________________

Browser Helper Objects (BHO) are executable applications that attach to
Internet Explorer 4 and later and have access to all of Internet Explorer's
objects and events. They can manipulate what you see on the screen, have
access to every place that you visit with your web browser, and have access
to all information you send to a website, including usernames, passwords, and
other personal and sensitive information. They also have access to the
Internet and can send information to a listening server.

Legitimate uses of BHOs include the well known Adobe Acrobat add-in that
allows you to read an Acrobat document within a web browser. They also
include virus scanners that check incoming web pages and documents for
malicious code. While you do not want to prevent the legitimate uses of BHOs,
the potential for misuse is high. A current example of such misuse is the
installation of a spyware add-in along with the installation of the current
version of the Morpheus file sharing code (see CNET-News.com,
http://news.com.com/2100-1023-864086.html). Whenever you visit a website, the
spyware module sends the location of the site you are visiting to a server
belonging to a marketing company. This module could just as easily be sending
other personal information to that company.

BHOs are .DLL libraries that are installed by registering their location in
the registry.
The currently installed BHOs are registered as subkeys of the key:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

The subkeys are named with the CLSID of the BHO. A CLSID is a number that
uniquely identifies a particular executable. For example, the CLSID for Adobe
Acrobat Reader 5 is:

  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

The main difficulty with this process is that there is no easy way built into
Internet Explorer to know what BHOs are attached or to prevent them from being
installed.

Detecting and Disabling Attached BHOs
=====================================

One way to see what BHOs are attached to your system is to run regedit and
look at the registry key shown above. If the Browser Helper Objects key exists
and has subkeys, those subkeys are attached BHOs. Unfortunately, the CLSIDs
don't tell you what an add-in does. To see what it is, search for the CLSID
in HKEY_CLASSES_ROOT\CLSID. Values in that key will tell you which .DLL file
is attached and what its name is.

An easier way is to download and install the freeware program BHO Cop,
available from CNET Downloads. When you run BHO Cop, it lists all the BHOs
registered on your system. From the information given you can easily see,
for example, that the Acrobat entry is part of Adobe Acrobat and is not
likely to be a problem. If you want to disable a BHO, simply uncheck its
check box. BHO Cop does not delete the files, but simply removes the CLSID
key from the Browser Helper Objects key. If you recheck the BHO, it puts the
key back. It saves the current configuration in its .INI file and in a .REG
file to make it easy to restore your system in the event that removing the
BHO causes a problem and BHO Cop cannot fix it. Note that some "free"
applications that display advertising will not work if the BHOs that display
the advertising are removed.
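The registry walk described in this section, together with the two controls in the next section (a startup comparison of registered BHOs against the list you previously approved, and a check of who has write access to the Browser Helper Objects key), as an added PowerShell example. This is not CIAC's text and not BHO Cop's code; it assumes PowerShell 5.1 or later on Windows, adds the Wow6432Node path that 32-bit BHOs use on 64-bit Windows (not mentioned in the bulletin), and uses a placeholder allowlist file path that you would choose yourself.

```powershell
# Added example for CIACTech02-002 (not CIAC's or BHO Cop's code).
# Read-only audit unless Compare-BhoBaseline is called with -Remove.
# Assumptions: PowerShell 5.1+ on Windows; $BhoKeys also covers the
# Wow6432Node path used by 32-bit BHOs on 64-bit Windows.

$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-RegisteredBho {
    # Each subkey name is a CLSID; resolve it through HKEY_CLASSES_ROOT\CLSID
    # to the friendly name and the DLL registered under InprocServer32.
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid    = $sub.PSChildName
            $classKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = $null; $dll = $null; $sig = 'NoClassKey'
            if (Test-Path $classKey) {
                $name = (Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue).'(default)'
                $dll  = (Get-ItemProperty -Path "$classKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                # An unsigned or missing DLL deserves a closer look.
                $sig  = if ($dll -and (Test-Path $dll)) {
                            (Get-AuthenticodeSignature -FilePath $dll).Status
                        } else { 'DllNotFound' }
            }
            [pscustomobject]@{ RegistryKey = $key; CLSID = $clsid; Name = $name; Dll = $dll; Signature = $sig }
        }
    }
}

function Compare-BhoBaseline {
    # Mirrors BHO Cop's startup behaviour: anything not in the approved list is
    # reported and, with -Remove, unregistered by deleting its CLSID subkey.
    # The DLL itself stays on disk, exactly as the bulletin describes.
    param(
        [string]$BaselinePath = "$env:ProgramData\bho-allowlist.txt",  # placeholder, one CLSID per line
        [switch]$Remove
    )
    $allowed = @()
    if (Test-Path $BaselinePath) {
        $allowed = Get-Content $BaselinePath | Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' }
    }
    foreach ($bho in Get-RegisteredBho) {
        if ($allowed -contains $bho.CLSID) { continue }
        Write-Warning ("Unapproved BHO {0} ({1}) -> {2} [signature: {3}]" -f
                       $bho.CLSID, $bho.Name, $bho.Dll, $bho.Signature)
        if ($Remove) {
            Remove-Item -LiteralPath (Join-Path $bho.RegistryKey $bho.CLSID) -Recurse
        }
    }
}

function Get-BhoKeyWriters {
    # The permissions check from the bulletin: any identity allowed CreateSubKey
    # on the BHO key can register a new BHO.
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-Acl -Path $key).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::CreateSubKey) } |
            Select-Object @{n='Key';e={$key}}, IdentityReference, RegistryRights, IsInherited
    }
}

Get-RegisteredBho | Format-Table -AutoSize
Get-BhoKeyWriters | Format-Table -AutoSize
Compare-BhoBaseline   # report only; add -Remove to unregister unapproved BHOs
```

Run it from an elevated prompt if you intend to use -Remove, since the key lives under HKEY_LOCAL_MACHINE. If the allowlist file does not exist every BHO is reported, which is the right default for a first audit: review the output, write the CLSIDs you trust to the file, and only then schedule the comparison at startup.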
Preventing New BHOs From Being Installed
========================================

BHO Cop also removes new and reregistered BHOs at system startup. New BHOs
can be installed at any time, and some spyware programs have a second
component that checks at startup and reinstalls the BHO if it has been
removed. As BHO Cop is run from the startup directory, it is one of the last
things to run at startup. It checks the list of BHOs in the registry key
against the ones you selected to run the last time you ran BHO Cop, disables
any others it finds, and quits. If you want to keep any newly installed BHOs,
you need only run BHO Cop and check those you want to keep. You can disable
this behavior by simply removing the BHO Cop link from the startup directory.

A second option is to change the permissions on the Browser Helper Objects
key to remove write access by anyone, including the Administrator. This can
only be done on Windows NT, 2000, or XP. Run the regedt32 application, select
the key, and choose the Security, Permissions command. See who has write
access (it should be only Administrator) and change it to read only. If you
are installing software that includes a BHO, you must give Administrator
read/write access to the key again, do the installation, and then change the
permissions back to read only.

Note: Editing the registry is not for the faint of heart. Making a mistake
here can make your system unbootable, so be careful what changes you make.
______________________________________________________________________________

Thanks to Patrick Philippot for writing BHO Cop and PC Magazine for making it
available.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-054: OpenSSH Contains Remote Exploitable Vulnerability
M-055: Microsoft Unchecked Buffer in Windows Shell
M-056: Red Hat "uuxqt" Vulnerability
M-057: Red Hat "at" Vulnerability
M-058: Apache Vulnerabilities on IRIX
M-059: Red Hat "groff" Vulnerability
M-060: JRE Bytecode Verifier Vulnerability
M-061: HP VVOS Web proxy Vulnerability
M-062: Double Free Bug in zlib Compression Library
M-063: Microsoft Internet Explorer Vulnerabilities