[Background] --- [Download] --- [To Dos] --- [Suggested Usage] --- [References]

Remote BHO Scanner

Centralized Adware and Spyware Detection on Corporate Networks

One of the more common methods used by spyware is to launch themselves upon system startup by adding themselves to the registry entries associated with startup. Another very popular methods used by spyware is to integrate itself with Internet Explorer via a Browser Helper Object (BHO).

Browser Helper Objects

A Browser Helper Object (BHO) runs automatically at the startup of a userís Internet Explorer Browser (or new browser window) and integrates with Internet Explorer and is used by IE for assistance. Many BHOs were created for legitimate purposes and add extra functionality to Internet Explorer, such as adding a search bar or opening an Acrobat document within a browser window.

Unfortunately, BHOs are also used by spyware and adware, to monitor and track your internet usage, or to serve up unwanted advertising and popups.

Therefore, one way to detect if spyware or adware has been installed on a computer is by the presence of an unauthorized BHO. (Other ways include new startup items and processes..)

A CLSID is supposed to be a unique identification tag that's associated with a BHO (and other objects). I think of them as file extensions--there should to be a unique file extension associated with each installed application.

Some of the popular anti-spyware and anti-adware tools keep databases of CLSIDs, BHOs, and startup items associated with adware, spyware and other types of malware. However, some of the more evil malware programs will attempt to hide their existence by morphing themselves just enough to avoid detection until the next version of the detection software comes out. This includes using random file names and random CLSIDs.

One of the most complete databases of CLSIDs, from CastleCops, does not add the CLSIDs of these BHOs to their master list, because "the number of possible names and combinations could therefore literally run into the billions" (http://castlecops.com/postt7736.html, http://computercops.biz/print-1-7736.html.

How does one identify these randomly-named CLSIDs? How do we detect an adware or spyware infection if the same spyware will have totally different CLSIDs on two different machines?

Centralized Malware Detection

The vast majority of spyware scanners need to run on the user's local machine in order to detect the presence of adware or spyware and are not designed to remotely detect spyware. (Many of us have attempted to run a scan on a user's remotely mounted hard drive or registry files with poor results.)

Being able to proactively monitor or scan a network for spyware and adware would aid in the fight by catching an infection as early as possible.

One of the more interesting network-based malware detection techniques uses snort to detect malware. There are a bunch of snort signatures which match traffic patterns of known spyware, adware, and malware. Many of these signatures have been conveniently aggregated into "bleeding malware" rules located on the Bleeding Snort web site.

When a partnership between Nessus and Bleeding Snort was announced, I was immediately interested, because I didn't know of any "Open Source" or "GPL" remote malware scanners.

Because, as mentioned earlier, there are so many possible combinations of CLSIDs, my preference was to actually keep a list of "approved" BHOs, scan each machine, and flag those which weren't on the "approved" list.

While I was researching (on my own time) how to program such a Nessus plugin (and not being very sucessful), I noticed references to "TieRegistry" and downloaded a script called SrvCpuMem.pl which opens a remote registry and reports the CPU and memory size for each server in a domain. (The original script is located at http://www.roth.net/perl/scripts/scripts.asp?SrvCpuMem.pl and I wish to thank Paul Popour and Roth Consulting for releasing their scripts into the public domain. )

The script was extensively rewritten to report on BHOs instead of CPU and memory information for the remote desktops. I also added a "bhoignore" file which would ignore those "approved" BHOs (who wants to see a list of Acrobat Reader BHO's on every machine?), as well as an option to only report on BHO's considered malware by the CastleCops BHOList. (Thanks to CastleCops for publishing this list and giving us permission to use it.) I also added code to flag "unknown" CLSIDs, which are not on the CastleCops list, because those would likely be malware using random CLSIDs.

Remote BHO Scanner Download

This initial alpha release can be found at Sourceforge and on the Bleeding Snort website. The program requires a computer running Windows, Activeperl and TieRegistry.

The program scans the remote nodes in a network for all installed BHOs. (The host computer must be a member of the domain and have rights to read the registry of the remote machine.) The program outputs reports in simple html format as well as a tab-delimited file for import into a spreadsheet.

It has been tested on W2K server as well as an AD domain but should be considered late alpha to early beta software. It is free software and can be redistributed or modified it under the terms of version 2 of the GNU General Public License with only minor modifications (the full license can be found in the download page).

To Dos

There are many TODOs, such as adding extra scanning functionality to scan by ip address or specific host name. Other registry entries, such as Startup Entries, Toolbars, remote host files, etc. need to be added. I am also looking for volunteers to help test the program as well as extend the code.

Known Bugs

There is one known bug, which I have been unable to recreate. On certain machines, the program bombs while checking the BHOIgnore file with the list of installed BHOs. A workaround is to leave the BHOignore file empty. (I believe the problem may be due to wildcard entries in the CastleCops BHOList.)

Suggested Usage

Run the program with an empty ignore file in order to create full report of all computers logged into the domain and what BHOs have been loaded. Import the remotebhoreport.txt into a spreadsheet and play with the data and get a baseline. Then add valid BHOs to the bhoignore.txt file and delete those from the spreadsheet. Examine what is left (which has been installed despite any anti-spyware countermeasures you may have, such as locking down machines, educating users, personal firewalls, anti-virus programs, etc.

Please remember this is not a malware removal tool. The program scans remote nodes in a network for installed BHOs, which is one of the tell-tale signs of a malware infection, but doesn't remove them.

Some References

SourceForge.net Logo
Copyright 2005 David Glosser
1david.glosser@1gmail.com1 (remove all numbers from email address).