Bienvenido! - Willkommen! - Welcome!

Tux&Cía. Technical Log, Santa Cruz de la Sierra, BO
Main Log: Tux&Cía.
Advanced Information Log: Tux&Cía.-Información
May the source be with you!

Monday, November 3, 2008

Browser Helper Object & BHOList 1.5.0

Source Source2
A Browser Helper Object, or BHO, is just a small program that runs
automatically every time you start your Internet browser. Usually, a
BHO is installed on your system by another software program. For
example, Go!Zilla, the downloading utility, installs a BHO created by
Radiate (formerly Aureate Media); this BHO tracks which advertisements
you see as you surf the Web.

The natural question is, what do BHOs do? The technical answer is "anything", but generally, it will have something to do with "helping" you browse the Internet.

Of course, many BHOs are what is called "ad-ware" or "spyware": they do things like monitor the websites you visit and report this data back to their creators.

They can also routinely conflict with other
running programs, cause a variety of page faults, run time errors, and
the like, and generally impede browsing performance.

For those looking for an engrossing read, here's the authoritative MS article:

Browser Helper Objects: The Browser the Way You Want It

A great little tool for viewing and, if required, disabling the BHOs that may be installed on your machine is BHODemon, which can be downloaded here.

We're maintaining a comprehensive list of all known BHOs, which can be viewed here:

http://www.spywareinfo.com/bhos/

It is updated on a weekly basis, when required, usually on Saturdays.

Listed BHOs are tagged X for certified spyware/foistware or other malware, L for legitimate items, O for 'open to debate' and ? for BHOs of unknown status.

For those interested, Merijn Bellekom, the developer of the brilliant "StartupList" and "HijackThis", has created BHOList. It downloads and displays the BHO Collection in a searchable & sortable list.


NOTE: The notorious LOP foistware now creates random browser plugin identifiers (class IDs) as well as file names.

They'll look something like this:

{1A35419C-7394-4989-B3C5-6189EB06BD66} - ssshwckfrngl.dll
or
{9633C13D-85BB-4271-83C1-F22BC2938585} - llbrquistglc.dll
or
{DCF6B0CF-5312-42B2-B783-971C107F8B91} - kstilypsm.dll


As the number of possible names and combinations could therefore literally run into the billions, I will no longer be adding LOP BHOs to the list.

Be watchful when running into unknown BHOs bearing these kinds of fancy names. If they're not on the list, and the file is located in the Application Data directory, it's almost certainly a LOP BHO.

The same now goes for Adgoblin/InContext and WurldMedia browser plugins. Here are some examples of random WM identifiers and file names:

{8A79D959-1251-41CC-B29D-4CF8B675D41E}: toalundg.dll
{BFAE1995-4CAC-40D0-B029-42CEC449E838}: ecule.dll

and some semi-random ones:

{E0634852-5A3C-4E35-954C-17A0622F0BF8} - m030206pohs.dll
{6270DFC1-EDFB-4BC4-BE8C-842740BA290B}: MOAA030425S.DLL
{BFBAE8DA-9920-4166-A5A4-EBD03F59ABF5}: mo030414s.dll

According to research by Andrew Clover, these are respectively completely and partly random filenames and class IDs; he got a new filename/ID every time he installed. However, the internal name of the object remains the same ('TChk.TChkBHO'), so it will fortunately remain detectable, although not by file name alone.
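The two warning signs above (a DLL under Application Data, and a constant internal name such as 'TChk.TChkBHO' behind a randomized CLSID and file name) can be checked directly against the registry. The following PowerShell script is an added example, not code from the original post or from BHOList/BHODemon; the registry locations it reads are the standard BHO registration key and the CLSID class entries, and the list of flagged ProgIDs is seeded only with the name the post gives.

```powershell
# Added example: enumerate registered Browser Helper Objects and flag the
# patterns described in the post. Run in an elevated PowerShell session.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# Internal (ProgID) names that stay constant even when CLSID and file name
# are randomized; 'TChk.TChkBHO' is the one named in the post.
$knownBadProgIds = @('TChk.TChkBHO')

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid = $sub.PSChildName
            # Resolve the CLSID to its COM server DLL and its ProgID.
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $dll    = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $progId = (Get-ItemProperty -Path "$clsidKey\ProgID" -ErrorAction SilentlyContinue).'(default)'
            $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { '' }

            $reasons = @()
            if ($knownBadProgIds -contains $progId) {
                $reasons += "ProgID '$progId' is a known foistware internal name"
            }
            if ($dllPath -match '\\(Application Data|AppData)\\') {
                $reasons += 'DLL is located under Application Data (LOP pattern)'
            }
            if (-not $dllPath) {
                $reasons += 'CLSID has no InprocServer32 entry'
            } elseif (-not (Test-Path -LiteralPath $dllPath)) {
                $reasons += 'registered DLL not found on disk'
            }

            [pscustomobject]@{
                CLSID   = $clsid
                ProgID  = $progId
                DLL     = $dllPath
                Suspect = ($reasons.Count -gt 0)
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Suspect entries first; compare the remaining CLSIDs against the BHO list.
Get-RegisteredBho | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Entries that are not flagged are not automatically clean; the CLSID and DLL name still need to be looked up in the BHO Collection as the post describes.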

It is known that browser helper objects are loaded each time the browser is started up. Such objects run in the same memory context as the browser and can perform any action on the available windows and modules. For example, a browser helper object can install hooks to monitor messages and actions. Some BHOs are helpful, like the Adobe Acrobat or Google Toolbar Browser Helper Objects, but there could be malicious ones among them that will harm your computer, especially those planted by viruses or spyware.
---------------------------------
BHOList is a frontend for TonyKlein's BHO Collection that downloads the
list, and displays it in a sortable, searchable list. You can also
export it to a file and load that file back instead of downloading it
from Sysinfo.org.
