October 16, 2006 12:00 AM

Removing Unwanted Code

Tools and techniques for ridding a system of viruses, adware, or spyware
Windows IT Pro
InstantDoc ID #93522

Finding Spyware in Browser Helper Objects
One of the most difficult locations in which spyware can hide is the IE Browser Helper Object. Browser Helper Objects are designed to provide add-on features and functionality to IE to improve a user's browsing experience. For example, many popular IE toolbars are Browser Helper Objects. However, Browser Helper Objects' level of access to users' browsing data (e.g., URLs entered, form data provided) is significant. When you combine that with the fact that Browser Helper Objects are harder to find and remove than simple startup applications, you can understand why Browser Helper Objects are a popular mechanism for spyware and malware authors for installing their software.

You can use two techniques to find the Browser Helper Objects configured on your system. If you run XP with Service Pack 2 (SP2), you can use the Add-On Manager (in IE, select Tools, Manage Add-ons) to view all Browser Helper Objects currently loaded in IE and disable any of them. Figure 3 shows the IE Manage Add-ons dialog box. By selecting an add-on from the list and disabling it, you effectively remove the capabilities of any application that has integrated itself into the browser.

If you don't run XP SP2, the process is a bit more manual. You need to inspect the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects to see what has been configured on your system. Its subkeys are class IDs, each of which corresponds to an entry elsewhere in the registry. A subkey might or might not carry a descriptive tag for the Browser Helper Object that its class ID represents. Figure 4 shows a view of this section of the registry.

You can skip the class IDs for the Browser Helper Objects that have a descriptive tag and whose applications you recognize as valid. All other class IDs are worth investigating. Make a list of them, then look in the HKEY_CLASSES_ROOT\CLSID subtree for each class ID you've identified. Figure 5 shows a suspicious class ID that I found and isolated.

Two things stand out about this Browser Helper Object. First, in the Browser Helper Object registry subkey, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, this item has no description associated with it. Second, when I look at the class ID details, I see that it loads a DLL directly from the %SystemRoot% directory on my system. My cross-referencing of the DLL against the Microsoft site shows that it's not a valid part of the OS. Therefore, the Browser Helper Object is highly suspect and a likely candidate for removal. To remove the Browser Helper Object completely, remove the references from both registry subkeys (the Browser Helper Object subkey and the CLSID subkey), then delete any .dll or .exe files named in the CLSID subkey.
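The manual walk through the two registry areas just described can be scripted. The following PowerShell script is an added example, not code from the article: it lists every registered Browser Helper Object, resolves each class ID to the DLL named under HKEY_CLASSES_ROOT\CLSID\{clsid}\InprocServer32, and flags the two warning signs above (no descriptive tag, and a DLL living under %SystemRoot%). The Wow6432Node key, the flag names, and the use of a Microsoft Authenticode signature check in place of the article's manual cross-check against Microsoft's site are my assumptions. The script only reports; removal stays a manual, reviewed step.

```powershell
# Added example (not from the article): enumerate IE Browser Helper Objects and
# flag the ones worth investigating. Report-only; nothing is deleted or changed.

# BHO registration keys. The Wow6432Node path is an assumption that applies to
# 64-bit Windows, where 32-bit IE reads the 32-bit view of the registry.
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-DefaultValue {
    param([string]$Path)
    # The unnamed (default) value of a key is exposed by Get-ItemProperty as '(default)'.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

function Get-BrowserHelperObject {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $clsid    = $sub.PSChildName                   # {xxxxxxxx-xxxx-...}
            $tag      = Get-DefaultValue $sub.PSPath        # descriptive tag, often absent
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name     = Get-DefaultValue $clsidKey          # friendly name of the COM class
            $dll      = Get-DefaultValue "$clsidKey\InprocServer32"
            $path     = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }

            # Flag names are mine; each one maps to a check a reviewer would do by hand.
            $flags = New-Object System.Collections.Generic.List[string]
            if (-not (Test-Path -LiteralPath $clsidKey)) { $flags.Add('OrphanedCLSID') }
            if (-not $tag -and -not $name)                { $flags.Add('NoDescription') }
            if ($path) {
                if ($path -like "$env:SystemRoot\*") { $flags.Add('DllInSystemRoot') }
                if (Test-Path -LiteralPath $path) {
                    # Substitute for the article's manual cross-check against Microsoft's site:
                    # require a valid Authenticode signature whose signer is Microsoft.
                    $sig = Get-AuthenticodeSignature -FilePath $path
                    if ($sig.Status -ne 'Valid' -or
                        $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                        $flags.Add('NotMicrosoftSigned')
                    }
                } else {
                    $flags.Add('DllMissing')   # registration points at a file that is gone
                }
            } else {
                $flags.Add('NoInprocServer32')
            }

            [pscustomobject]@{
                CLSID  = $clsid
                Name   = if ($name) { $name } elseif ($tag) { $tag } else { '' }
                Dll    = $path
                Flags  = ($flags -join ',')
                Source = $key
            }
        }
    }
}

# Full inventory first, then only the entries that match the article's warning signs.
$all = Get-BrowserHelperObject
$all | Format-Table CLSID, Name, Dll, Flags -AutoSize
$all | Where-Object { $_.Flags -match 'NoDescription|NotMicrosoftSigned|DllMissing|OrphanedCLSID' } |
    Format-List CLSID, Name, Dll, Flags, Source
```

Run it from an elevated Windows PowerShell prompt so HKEY_CLASSES_ROOT resolves fully. NotMicrosoftSigned will also fire on legitimate third-party toolbars, which is intended: the combination of that flag with DllInSystemRoot or NoDescription is the pattern the article's suspicious entry shows, and it is the combination, not any single flag, that should send you to the CLSID subkey for a closer look before you remove anything.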

Instead of going through that manual effort, you might want to use the Microsoft Windows Defender antispyware application. Installing Defender on a system infected with spyware is probably the quickest and easiest method of getting rid of unwanted executable code on a user's workstation.

Removing unwanted executable code from a system in your organization isn't a pleasant task, but it isn't an impossible one either. Through careful planning, policy development, and architecture design and implementation, you can significantly decrease the chances that users will bring unwanted code into your organization. But if or when some piece of malware does make it onto one of your systems, you now have some tools for getting rid of it.

