Browser Helper Object

What is a Browser Helper Object?

A Browser Helper Object (or BHO) is a type of plug-in that works on the Internet Explorer browser. It is a DLL module or an independent part of a program that can perform an individual function. The application adds particular features to the Internet Explorer browser to improve or expand its functions. BHOs first appeared in 1997, ever since Internet Explorer 4 came out.

Unfortunately, malware creators may also make use of some BHO functions to create a malicious program that can track your online activity and expose you to dangerous websites that are part of malware distribution networks. This entry will explain the basic points about a BHO, and it will also cover several infections that are based on the BHO principle.

Before we go deeper into the subject, we would like to point out that BHO is a dated browser feature, and in many cases, it is no longer relevant. Since the DLL module was designed as an Internet Explorer plug-in, it does not work on other browsers. And while BHOs can still work on Windows 10 via Internet Explorer 11, the new Microsoft browser Edge does not support browser helper objects. Hence, the potential threats posed by these plug-ins are bound to disappear gradually.

How Does a BHO Work?

A regular BHO works at a Windows Registry level. All the Internet Explorer plug-ins that are installed on your computer create a unique CLSID registry key (a class identifier) and add value with data to it at the following directory:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Each time you launch Internet Explorer, the program automatically goes through its registry keys, and if it finds something under the Browser Helper Objects key, it immediately searches for a CLSID key that should be listed below the main key. There might be many class identifiers there, depending on how many BHOs you have installed.

Types of BHO

There are many types of a browser helper object, starting from the ones that make visible modifications to the Internet Explorer web browser to the ones that do not have any visual traces of their presence. BHOs could also be classified according to their function. Take, for example, a plug-in that can expand the browser’s functionality by allowing it to display different file types. Internet Explorer may not support particular file types, but with a specific plug-in installed, you should be able to open those documents. The most common example of such a BHO would be the old Adobe Acrobat plug-in that enables Internet Explorer to open PDF documents.

Another common type of BHO is a toolbar. Toolbars are visual browser helper objects that are added right below your address bar or the bookmark bar. According to one definition, it is a “graphical control element” that improves your browser’s functionality. The functions of a specific toolbar depend on its type. Some may provide you with a list of affiliated websites, shortcuts to supported pages, and a customized search box. Perhaps the best example of a custom toolbar for the Internet Explorer toolbar would be Google Toolbar.

Despite the potential benefits of having a BHO on your browser, there are also specific security concerns associated with this plug-in. Most of them are associated with the over-reaching functions of a browser helper object.

Why Can a BHO Be Dangerous?

Due to the particular perks of its programming, a BHO can actually control the navigation of the web page you are currently on. Naturally, it does not do that in an intrusive way, but that also means these plug-ins have unlimited access to Internet Explorer, and this feature might as well be exploited by cybercriminals. Therefore, it should not come as a surprise that there are quite a few malware programs based on the BHO model.

What’s more, we have mentioned already that there are BHOs that do not change anything in your browser visually. That is why, if a malicious infection is created as one of such plug-ins, it is possible to conceal its actions for quite some time. Before the user figures out that there is something off with their plug-ins, such an infection might cause a lot of harm.

Examples of Actual BHO Infections

Although there are particular types of infections that can be classified as malicious BHOs, some of them are nothing more but malware files that are detected by antispyware products. For example, there is a detection called BrowserModifier:Win32/Kerlofost. It is actually a DLL file that can be embedded in various programs. This file will be registered as a BHO, and it can modify the Internet Explorer settings behind the user’s back. At the same time, it can redirect web searches, collect information on web browsing history, and even display pop-up advertisements.

There are many malware infections that register themselves as BHOs and then exhibit similar infection symptoms. For example, there are multiple versions of a trojan infection Trojan:Win32/BHO. It usually gets installed on the target computer with other malware, and then it works in the system background without the user even realizing it.

At the same time, there are also the so-called gray zone programs that are supposed to be legitimate browser helper objects, and yet computer security specialists say that they should not be trusted. Perhaps the most famous examples could be the BHOs used in the Conduit Toolbar.

Conduit Toolbar refers to a number of browser plug-ins developed by the Conduit company. Examples of the Conduit products would include KeyBar Toolbar, Travelocity Toolbar, DivX Toolbar, and many other browser plug-ins developed on the same engine. The content of the toolbar could be customized according to the developers’ requirements, so basically, anyone could make their own toolbar via the Conduit engine.

This presented particular security concerns that were pointed out by computer security specialists at once. It could collect web browsing information without informing the user, and some critics even said that it was a browser hijacker because the toolbar would change the default search engine. Depending on the classification, this toolbar was also considered to be a potentially unwanted program and a malware application.

How to Avoid Malicious BHOs?

As you can see from this entry, BHO can be considered a subcategory of a browser plug-in. It may also overlap with the definition of a toolbar, browser hijacker, potentially unwanted program, and malware. Potentially unwanted programs and even trojans could be created and registered as BHOs on the target computer.

Therefore, it has always been important to protect target systems from potential exploitation by preventing an unwanted BHO installation. The most efficient way to secure the system against potential threats has been and still is investing in a licensed anti-malware application. When it comes to trojan BHOs and trojans in general, it would be hard to detect and remove them on your own. Trojans are stealthy malicious programs, and only professionals should be dealing with them.

Then, you should also avoid unfamiliar websites, especially those that indulge in freeware distribution. If a website displays a lot of pop-ups, it is the first sign that you should be careful about it. Please remember that BHOs, potentially unwanted programs, and other undesirable freeware can easily enter your computer in a software bundle.

Finally, be sure to steer clear of spam email messages. Just because the subject of the message looks alluring, do not be so hasty as to click the embedded link or open the email attachment. Without even realizing it, you could install a malware-related BHO or any other dangerous app on your PC.