BHO’s, Security and Shell Extensions

Today we’re going to wrap up our overview of Browser Helper Objects with a look at BHO’s and Security as well as similarities between BHO’s and Shell Extensions.  If you recall from our first post on BHO’s, a BHO is an extension to Internet Explorer that adds customization and functionality.  The API’s used by Browser Helper objects expose hooks that allow them to access the Document Object Model (DOM) of the current page and to control navigation.  This leads to malware applications that have been created as Browser Helper Objects.

For example, the Download.ject exploit installed a BHO that would activate upon detecting a secure HTTP connection to a financial institution, record the user’s keystrokes (intending to capture passwords) and transmit the information to a website used by Russian computer criminals. Other BHOs such as the MyWay Searchbar track users’ browsing patterns and pass the information they record to third parties.  Although many BHO’s install toolbars in Internet Explorer, there is no requirement that a BHO have a user interface.  Therefore it is possible that a user may not know that they have a malicious BHO installed on an unprotected machine. 

Since a BHO does not need permission to install additional components, malicious programs and spyware may be spread without the user’s knowledge.  Since writing a BHO is fairly simple, many poorly written BHO’s may harm the computer, compromise its security and may even destroy valuable data or corrupt system files.  That having been said, there are many good anti-spyware programs available that will monitor a computer for suspicious or harmful activity including BHO activity.  You can also use the Add-On manager in Internet Explorer to list which BHO’s are installed and enable or disable BHO’s as needed.

Let’s now move on to take a look at commonalities BHO’s and Shell Extensions.  Windows shell extensions are COM in-process servers that Windows Explorer loads when it is about to perform a certain action on a document – for example, displaying the context menu.  By writing a COM module that implements a few COM interfaces, it is possible to add new items to the context menu and then handle them properly.  A shell extension must also be registered in such a way that Windows Explorer can find it.  A Browser Helper Object follows the same pattern – the difference being which interfaces to implement.  Also, there is a difference in the trigger that causes a BHO to be loaded.  Despite the implementation differences, however, shell extensions and BHO’s share a common nature, as the following table demonstrates.

Feature Shell Extension Browser Helper Object
Loaded By Windows Explorer Internet Explorer (and Windows Explorer for shell version 4.71 and later)
Triggered By User’s action on a document of a certain class (that is, right-click) Opening of the browser’s window
Unloaded When A few seconds later the reference count goes to 0 The browser window that caused it to load gets closed
Implemented as COM in-process DLL COM in-process DLL
Registration requirements Usual entries for a COM server plus other entries, depending on the type of shell extension and the document type that it will apply to Usual entries for a COM server plus one entry to qualify it as a BHO
Interfaces needed Depends on the type of the shell extension IObjectWithSite

Windows Explorer for shell version 4.71 and above includes Windows 95 and Windows NT 4.0 with Internet Explorer 4.0 with the Active Desktop Shell update release.

And that will do it for our overview of BHO’s, Security and Shell Extensions.  Until next time …

Additional Resources:

CC Hameed