Defending against Spying with Browser Helper Objects Defending against Spying with Browser Helper...

download Defending against Spying with Browser Helper Objects Defending against Spying with Browser Helper Objects

of 12

  • date post

  • Category


  • view

  • download


Embed Size (px)

Transcript of Defending against Spying with Browser Helper Objects Defending against Spying with Browser Helper...

  • Defending against Spying with Browser Helper Objects

    Beomsoo Park, Sungjin Hong, Jaewook Oh, Heejo Lee

    Korea University Tel: +82-2-3290-3208 Fax: +82-2-953-0771

    Technical Report KU-CCS-05-001


    A Browser Helper Object (BHO) is a small program that runs automatically every time Microsoft Internet Explorer (IE) is started, providing the possibility of extending and modifying the browser. How- ever, new security threats are appearing in the form of malicious BHOs acting as spywares or adwares, which include browser hijacking to unsavory sites, adding unwanted shortcuts to one’s favorite folder, and stealing private information from web surfers through keystroke logging. Infection by malicious BHOs can be incurred as a result of normal web surfing, without the need to be tricked into downloading and running a strange file. Moreover, these nuisances are not easy to remove from the registry settings and altered files. In order to defend against malicious BHOs, we propose a secure automatic sign-in (SAS) architecture, which enables automatic logon to a web site through the detection of a logon form. A password is initially registered for a web site with a virtual keyboard which replaces keystrokes with mouse clicks. Then, starting from the next visit, the logon procedure is under the protection of SAS before accessing the web site, which prevents sensitive information from being eavesdropped on via the web browser. This study can be one step towards the establishment of a proactive defense against spying programs, in contrast to the existing reactive anti-spyware tools which are only able to detect and remove known malicious programs at the risk of re-infection.

    Key words: Browser helper object (BHO), Internet Explorer, spywares, keylogger.

    1 Introduction

    Microsoft Internet Explorer (IE) is the most widely used web browser, with a reported global market share of 93.9% in May 2004 according to This web browser supports an extensible framework based on the concept of the Browser Helper Object (BHO) [1], which is a small program that runs automatically every time IE is started. In this framework, a BHO, which is designed with the intention of providing assistance when browsing the Internet, can intercept all events which arise, before they are handled by IE itself. Unfortunately, this feature opens the door to the development of malicious BHOs referred to as adwares or spywares [6], which manipulate the browser events or quietly gather private information.

    However, this does not mean that all BHOs are bad. For example, the Google Toolbar includes a BHO as part of its installation, which is evidently not malicious. An example of a bad BHO is Surfbar [5], which is installed without the user’s permission by exploiting a vulnerability in IE. The Surfbar BHO, also known as


  • Junkbar and Pornbar, changes the start page to, then installs hundreds of porn site shortcuts.

    BHOs are usually distributed in the form of an “Active X” control, whose installation requires admin- istrator privilege on the system. This may mislead people to believe that BHOs are not dangerous but sufficiently tractable. However, due to the fact that many users work with the administrator privilege and imprudently agree to install Active X controls, malicious BHOs can be quietly installed without their real- izing it. Since IE loads all registered BHOs without any user intervention, it is difficult to recognize which BHOs are loaded and whether bad BHOs are currently running on a system.

    Most malicious BHOs act as adwares which changes the start page of IE or insert ads on web pages [2], however, some BHOs are designed to gather private information by spying on the web browser by logging all input to the browser. In other words, a malicious BHO can capture a password, which is only displayed in the form of asterisks in the browser window, and credit card numbers copied by cut-and-paste mouse operations. Thus, BHO based spywares are more powerful than conventional “keystroke” loggers. Although the potential danger of BHOs is well known, there have been few studies of the possible countermeasures that can be used to defend against such attacks. One trivial way of accomplishing this is to disable BHOs on the browser. However, disabling BHOs implies that the user cannot make use of BHOs in any way, which is likely to cause some inconvenience. Therefore, another way of defending against malicious BHOs is needed, while allowing good BHOs to perform their useful functions.

    We propose a secure automatic sign-in (SAS) architecture as a viable countermeasure mechanism against malicious BHOs. The SAS architecture provides automatic login without typing a password for each login to a web site. Also, the password for a particular web site can be registered safely on the first login attempt by using a virtual keyboard. Therefore, spying BHOs which attempt to intercept confidential information will fail, while normal procedures are handled securely by an anti-spying BHO handler.

    2 Related Works

    Malicious BHOs are listed on the Sysinfo web site [2] where most BHOs are known as adwares or spywares. A handful of tools have been developed for listing and disabling BHOs, including BHO Demon [3]. How- ever, it is difficult for normal users to use these tools properly, since they do not have enough knowledge to decide which BHOs are malicious and which are not.

    A keylogger is a keystroke recorder, which logs all input entered from the keyboard, based on software or hardware. A hardware keylogger is usually an external attachment which is installed between the keyboard and its port, and stores every keystroke in an internal memory for later retrieval. Many commercial products are available in the form of small, inexpensive devices, such as KeyGhost. A software keylogger, on the other hand, is a small, hidden program which records keystrokes to a local or remote log file. There are many ways in which keyloggers can operate and hide themselves, including through Windows hooks [8] and registry logging [10].

    One way of preventing keylogging is to avoid entering sensitive information using a keyboard. An on- screen virtual keyboard can act as an alternative, which replaces keystrokes with mouse clicks [9]. However, a malicious BHO can capture any text entered into a web browser, even which is copied using mouse clicks. BHOs can monitor any information carried in a web browser, no matter where the information comes from. Furthermore, logging on a web browser is undetectable by previous keylogger detection mechanisms and, therefore, improved anti-keylogging solutions are needed to defend against malicious BHOs.

    There are various commercial products that are available for managing passwords and filling out forms automatically, including Softex’s OmniPass, EST Soft’s AlPass and Siber Systems’ RoboForm. These prod- ucts make it easier for the user to manage multiple passwords and provide for automatic sign-in without user intervention. However, they do not guarantee the security of the sign-in procedures, so that it is possible for


  • keyloggers to steal the sign-in information typed using the keyboard. Also, malicious BHOs can intercept the sign-in information, which is only displayed in the form of asterisks in the browser window. Thus, these solutions are incapable of defending the user against malicious BHOs.

    The Platform for Privacy Preferences (P3P), developed by the World Wide Web Consortium (W3C), is emerging as an industry standard for privacy protection. P3P-enabled web sites convert their privacy policies into a standard format based on extensible markup language (XML), and P3P-enabled browsers can read this snapshot automatically and compare it with the user’s privacy preferences. While P3P still has limitations on tiny mobile devices and complex web services, it enhances user controls over privacy policies. However, the P3P program will also be delivered in the form of a BHO and the platform itself cannot be a solution for protecting web browsers from malicious BHOs.

    3 Attacks with BHOs

    3.1 BHO Interfaces

    A user can extend or restrict the functions of IE using BHOs [1]. As a COM in-process server object, a BHO can be implemented by using COM interfaces such as IObjectWithSite and IDispatch. The two main interfaces of BHOs can be described as follows.

    � IObjectWithSite : This is an interface which is essential for BHOs to be loaded by IE. When IE loads a BHO, IE passes the pointer of an IWebBrowers2 interface by calling the SetSite method of an IObjectWithSite interface. The IWebBrowser2 interface is necessary in order to allow the BHO to receive the events incurred by IE.

    � IDispatch: When an event occurs in IE, IE calls the Invoke method of an IDispatch interface. Thus, the IDispatch interface needs to be implemented in order to handle the events occurring in IE. Among the methods included in the IDispatch interface, re-defining the Invoke method enables it to recognize all of the events occurring in IE.

    Because a BHO is a COM server object, it should be registered as a COM object in the registry. As well, it also needs to be registered in the list of BHOs, in order for it to be loaded automatically when starting IE. A BHO is registered with the CLSID 1 type in the key, as shown in Fig. 1. When an IE browser starts, all registered BHOs are loaded into the same location of the memory context of IE. Thus, the number of BHO instances is equal to the number of IE instances.

    A BHO can detect all browsing events such as forward, backward, refresh and so on through IDispatch interfaces. Also, a BHO can detect all keyboar