Browser Helper Objects - Infection with Extensibility - Simbar

A Browser Helper Object is a relatively small plug-in for Internet Explorer (IE) that provides extended functionality. As these objects are not part of the baseline software, it crucial to verify their authenticity. Even if the state is verified, these objects can still be exploited and manipulated to perform rogue functions within the system itself.

There are no stringent integrity checks on these helper objects which leaves them open to exploit.They can be used to enable drive by download attacks or to steal sensitive information from the victim computer. Usually, a BHO is a dynamic link library (dl) that provides an advanced set of features to IE. It uses a standard hooking procedure to control the dynamic objects by rendering code in a JavaScript interpreter. The BHO also makes changes in the IE interface to execute differential calls while providing an extra toolset that could allow malware writers to design their own rogue BHO.

The details of BHO development can be found HERE

IE reveals sensitive information in the “User-Agent” field for some of the verified BHO. Recently a lot of infections have occurred through Adware.Simbar. The way to look into this type of BHO is to find a vulnerable point through which information is sent back to the attacker controlled system. Armorize conducted a small test on the Simbar BHO and found that it is the most commonly exploited BHO. Simbar is a small program designed to show advertisements in various form and with varying degrees of intrusiveness on the end-user computer. It often reports personal information back to its owners violating the end-user privacy)

The Simbar is installed as

A generalized definition:“Simbar is a BHO toolbar that also changes the default home page and search page of the browser without user consent or knowledge. Since it’s installed as BHO it can monitor everything being sent and received by your browser including information like username/password send using secured protocol.

Major Risk: It turns victim computer into bots by exchanging information through the browser. It is supported by major bots that infect computers through browser inter protocol communication model. This is confirmed through the information sent in the User Agent field. Potential impacts on the system are as follows:

1.Unwanted display of advertisements in Internet Explorer.
2.Tracking of user browsing activity through installed infected toolbar
3.Installation and downloading of malicious programs into system
4.Disclosing user system information thereby breaching privacy benchmarks.

An infected IE sends the User Agent string as follows:

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SIMBAR={8E94F616-2CF0-11DE-83FE-001422DDFEBA}; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )

Usually, Simbars are not verified but in this case, the verified version is installed in IE. This behavior leaks sensitive information about the objects which can be used in Active X Exploitation attacks thereby allowing users to visit the attacker-controlled malicious web pages. The registry shows appropriate entries as:

Simbar objects are used extensively in bot infections. The best practice is not to install these objects but if you chose to do so your PC will become just one more part of a larger exploitation network.
Read more (rest of article)...