Tip to Restrain Browser Helper Objects (IE hijacking)
1. Introduction
In these glorious days, most users have to face spyware from time to time. Most of it is stealthily introduced onto the computer by exploiting an Internet Explorer flaw, resulting in the installation of a browser helper object (BHO). A browser helper object is a way to customize Internet Explorer in order to give the user functionality that is not included by default; it is easier than rewriting a browser from scratch.
2. How a BHO Works
In its simplest form, a BHO is an in-process COM server registered under a key of the registry. When IE starts, it checks this registry key and loads ALL objects whose identifier (CLSID) is written under it. The browser then initializes each object. As these objects are loaded into the Internet Explorer process, they operate as native components: a component basically does what it wants, without any control from the parent process (IE). BHOs are able to detect user interaction with the browser.
A BHO is loaded when the browser's main window is about to be shown and unloaded when the window is closed. If a user has several instances, or windows, of Internet Explorer running, each instance loads the BHO into its own memory context. This shows the impact of spyware on the computer's resources when several instances run at the same time. A BHO is systematically loaded, whatever command-line parameters are given when launching IE.
Technical note: a BHO must implement the IObjectWithSite interface.
3. Installation of a BHO
The most commonly used way, and the most persistent one, is to install a BHO without the user's approval by exploiting the security zones of IE. IE classifies web site content under several zones: Internet, Local Intranet, Trusted Sites and Restricted Sites. Each zone has different permissions with regard to code execution. In theory, this looks very effective; in reality, the result was a wide range of cross-zone scripting exploits, where the general idea is to convince the browser that a particular page, or even a part of a page, belongs to a more permissive zone than its original one, using various tricks in HTML, JavaScript, VBScript, etc.
With Internet Explorer, this problem becomes critical when you know that a fifth zone, invisible to the user, is defined: the 'Local Machine' zone, which virtually gives full access to the computer. By executing code in this local zone, you can execute whatever you want. Windows XP Service Pack 2 has blocked several of the tricks that gave access to this local zone, but some flaws that lead to it still remain.
Another way to install spyware on a computer is to hide it in the installer of another program. The spyware pretends to be a legal and honest application, and the user is fooled about what he is actually installing (greeting cards, P2P clients, small games). In that case, even the best security cannot prevent the installation, since it is the user who installs the spyware on his own computer. Legally, as far as computer security is concerned, permission was given by the owner, even if he is not aware of what is going on.
4. Restraining Installations of BHOs
BHOs can be legitimate applications and sometimes even useful. A totally screwy Browser Helper Object, on the other hand, would seriously diminish the functionality of IE. For example, Adobe Reader uses a BHO to open Adobe Reader automatically when you click on a PDF link. But most of the time, such needed BHOs are installed only occasionally: once you have set up your computer, you will probably not install new ones very often. It would therefore be possible, at this stage, to block the installation of further BHOs by modifying the permissions of the registry key that lists the objects to be loaded, such as setting it read-only for all computer users. Sadly, not all of them are legitimate; some actually seriously change the overall security settings.
The BHOs are listed in the registry under the following key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
At this stage, a BHO that attempts to register itself would not succeed. So a malicious process that was running in memory, being unable to make itself restart, would disappear at the next reboot of the computer. Another inconvenience is that you will have to change the permissions of this key back and forth whenever you want to install a new BHO for your browser. But think about the number of times you would actually want to install such objects versus how many times you may be hit by spyware.
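The following PowerShell script is an added example, not part of the original article: it lists every registered BHO with the DLL IE would load for it, and with -Lock applies the read-only approach described above by denying Everyone the right to add, change or delete entries under the key (-Unlock removes the rule again). It assumes an elevated prompt and also covers the Wow6432Node copy of the key that 32-bit IE reads on 64-bit Windows.

```powershell
# Added example, not part of the original article: audit the BHO registration
# keys and optionally make them read-only for Everyone, as the text suggests.
# Run from an elevated prompt. -Lock adds the deny rule; -Unlock removes it
# again when you need to install a legitimate BHO.
param([switch]$Lock, [switch]$Unlock)

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # On 64-bit Windows the 32-bit IE process reads the Wow6432Node copy instead.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-RegisteredBho {
    # Resolve each CLSID subkey to the in-process COM server DLL that IE will load.
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $clsid  = $sub.PSChildName
            $server = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $dll    = if ($server) { $server.'(default)' } else { '<no InprocServer32: orphaned registration>' }
            [pscustomobject]@{ Key = $key; CLSID = $clsid; Dll = $dll }
        }
    }
}

# Deny ACE for Everyone on the rights an installer needs to add or alter a BHO entry.
# ContainerInherit makes the existing CLSID subkeys read-only as well. Because it
# applies to Everyone (administrators and SYSTEM included), legitimate installers
# fail until the rule is removed, which is the back-and-forth the article mentions.
$denyWrite = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'CreateSubKey, SetValue, Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny
)

function Set-BhoKeyLock([bool]$Enable) {
    # The deny rule does not cover WriteDAC, so an administrator can always undo it.
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $acl = Get-Acl -LiteralPath $key
        if ($Enable) { $acl.AddAccessRule($denyWrite) } else { [void]$acl.RemoveAccessRule($denyWrite) }
        Set-Acl -LiteralPath $key -AclObject $acl
    }
}

Get-RegisteredBho | Format-Table -AutoSize
if ($Lock)   { Set-BhoKeyLock $true }
if ($Unlock) { Set-BhoKeyLock $false }
```

An entry whose CLSID has no InprocServer32 value is worth a closer look: a legitimate installer leaves both halves of the registration in place.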
FoolFox
Further Reading
Browser Helper Objects: The Browser the Way You Want It
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp
CIACTech02-002: Microsoft Browser Helper Objects (BHO) Could Hide Malicious Code
http://www.ciac.org/ciac/techbull/CIACTech02-002.shtml