ABrowser Helper Object (BHO) is aDLLmodule designed as aplugin for theMicrosoftInternet Explorerweb browser to provide added functionality. BHOs were introduced in October 1997 with the release ofversion 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case ofWindows Explorer, a new instance is launched for each window.
BHOs are still supported as of Windows 10, throughInternet Explorer 11, while BHOs are not supported inMicrosoft Edge.
Each time a new instance of Internet Explorer starts, it checks theWindows Registry for the keyHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. If Internet Explorer finds this key in the registry, it looks for aCLSID key listed below the key. The CLSID keys under Browser Helper Objects tell the browser which BHOs to load. Removing the registry key prevents the BHO from being loaded. For each CLSID that is listed below the BHO key, Internet Explorer calls CoCreateInstance to start the instance of the BHO in the same process space as the browser. If the BHO is started and implements the IObjectWithSite interface, it can control and receive events from Internet Explorer. BHOs can be created in any language that supportsCOM.[1]
Some modules enable the display of different file formats not ordinarily interpretable by the browser. TheAdobe Acrobat plug-in that allows Internet Explorer users to readPDF files within their browser is a BHO.
Other modules add toolbars to Internet Explorer, such as theAlexa Toolbar that provides a list of web sites related to the one you are currently browsing, or theGoogle Toolbar that adds a toolbar with a Google search box to the browseruser interface.
The Conduit toolbars are based on a BHO that can be used onInternet Explorer 7 and up. This BHO provides a search facility that connects toMicrosoft'sBing search.
The BHOAPI exposeshooks that allow the BHO to access theDocument Object Model (DOM) of the current page and to control navigation. Because BHOs have unrestricted access to the Internet Explorer event model, some forms ofmalware (such as adware and spyware) have also been created as BHOs.[2][3]
For example, theDownload.ject malware is a BHO that is activated when a secureHTTP connection is made to a financial institution, then begins torecord keystrokes for the purpose of capturing user passwords. TheMyWay Searchbar tracks users' browsing patterns and passes the information it records to third parties. TheC2.LOP malware adds links and popups of its own to web pages in order to drive users topay-per-click websites.[citation needed]
Many BHOs introduce visible changes to a browser's interface, such as installing toolbars inInternet Explorer and the like, but others run without any change to the interface. This renders it easy for malicious coders to conceal the actions of their browser add-on, especially since, after being installed, the BHO seldom requires permission before performing further actions. For instance, variants of the ClSpring trojan use BHOs to install scripts to provide a number of instructions to be performed such as adding and deleting registry values and downloading additional executable files, all completely transparently to the user.[4]
In response to the problems associated with BHOs and similar extensions to Internet Explorer, Microsoft debuted anAdd-on Manager inInternet Explorer 6 with the release ofService Pack 2 forWindows XP (updating it to IE6 Security Version 1, a.k.a. SP2). This utility displays a list of all installed BHOs,browser extensions andActiveX controls, and allows the user to enable or disable them at will. There are also free tools (such as BHODemon) that list installed BHOs and allow the user to disable malicious extensions.Spybot S&D advanced mode has a similar tool built in to allow the user to disable installed BHO.
