One of the easiest ways to implement relatively powerful malware is to make use of the built-in browser extensibility offered by leading browser vendors – commonly known as browser plug-ins. For example, in Microsoft Internet Explorer, a BHO (Browser Helper Object) is a DLL that the browser loads each time it is started. Moreover, browser plug-ins can easily interact with the browser’s internal data structures, most notably the DOM (Document Object Model), using a standard and rich API offered precisely so that plug-ins can extend the browser's behavior. So typically a plug-in can register for events such as navigations, keystrokes and page loads/unloads, and a plug-in can read and modify page data and navigation data.

But it’s even easier than that. Instead of developing BHOs from scratch, the malware author can actually use a free source code example as his/her code base, applying minor changes to the “proof of concept” code in order to make it malicious. Malware authors who know very little about Windows and Internet Explorer internals can produce malicious BHOs in a matter of a few hours.

Here are a few examples of finding BHOs (complete with source code) that can be used as a code base for malware:

  • Googling for the keywords “BHO”, “password” and “source” yields the following link in first place: http://www.codeproject.com/KB/atl/loginmgrasp.aspx (a C++ BHO that captures login submissions by subscribing to browser events and correlating them with DOM data).

  • Googling for the keywords “BHO”, “password”, “source” and “C#” yields the following link in first place: http://www.codeproject.com/KB/cs/Attach_BHO_with_C_.aspx (explains how to create a BHO project from scratch in C#, with a simple example of POST request capturing).

  • Googling for the keywords “BHO”, “keyboard” and “source” yields the following link in first place: http://www.wischik.com/lu/programmer/bho.html (a C++ BHO that demonstrates capturing keystrokes and clicks, and manipulating the DOM).

While these examples clearly carry no malicious intent, they provide most of the functionality a malware author may desire.

Unfortunately, the convenience of using BHOs as a vehicle for malware did not escape the attention of malware authors, and indeed, malware has been using BHOs for several years now. We observed flavors of MPack and NetHell which use a BHO to record navigation data (POST requests) and transmit it to an external site. Since login credentials are typically sent via POST forms, capturing POST data has become almost standard practice for malware. And a BHO is in an optimal position to do so, since it can easily subscribe to such browser events.
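Because Internet Explorer only loads a BHO that has been registered under the Browser Helper Objects key, an administrator can audit a machine by walking that key. The following PowerShell script is an added example, not part of the original post or any Trusteer tool; it assumes the standard registry locations (including the Wow6432Node mirror for 32-bit BHOs on 64-bit Windows) and lists each registered BHO with the DLL it maps to and that DLL's Authenticode status, so unexpected or unsigned entries can be reviewed.

```powershell
# Added example (not from the original post): enumerate BHOs registered for
# Internet Explorer and resolve each CLSID to the DLL that the browser will load.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-BhoDll([string]$Clsid) {
    # A BHO is a COM in-process server; its DLL path is the default value of
    # InprocServer32 under the CLSID (32-bit servers live under Wow6432Node).
    foreach ($root in 'CLSID', 'Wow6432Node\CLSID') {
        $server = "Registry::HKEY_CLASSES_ROOT\$root\$Clsid\InprocServer32"
        if (Test-Path $server) {
            $path = (Get-ItemProperty -Path $server).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path) }
        }
    }
    return $null
}

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem -Path $key) {
            $clsid = $entry.PSChildName
            $dll   = Resolve-BhoDll $clsid
            # A registered CLSID whose DLL is missing or unsigned deserves a closer look.
            $status = if ($dll -and (Test-Path $dll)) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } elseif ($dll) { 'FileMissing' } else { 'NoInprocServer32' }
            [PSCustomObject]@{
                CLSID     = $clsid
                Dll       = $dll
                Signature = $status
                Registry  = $key
            }
        }
    }
}

# Unsigned and missing DLLs sort to the top for review.
Get-RegisteredBho | Sort-Object Signature | Format-Table -AutoSize
```

Run from an elevated prompt so both registry views are readable; an empty result means no BHOs are registered on the machine.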


Copyright ©2011 Trusteer. All Rights Reserved.