Exploit??

[barbaz]

Earlier today, while browsing normal sites, I got an alert from Symantec about a file in my SeaMonkey cache containing "Bloodhound.Exploit.33". I'm not used to that kind of alert and I'm no malware expert, but it sounds from the description that it's basically a GIF image with wrong dimensions, and some versions of MSN Messenger on Windows would incorrectly validate it and thus allow attacker code to run at the privilege level of the user.

The following STR would consistently download the "malware" (but it's not happening anymore?):
(Links in code tags and sanitised in case something actually malicious is/was going on here.)
1) Go to

Code: Select all

https www youtube.com/watch?v=UOkremCZO6w

2) Open a new tab, and go to

Code: Select all

https bugzilla.mozilla. org/show_bug.cgi?id=1019021

3) Go back to the first tab, and in the video description, copy the text "Mango - Here We Go (Original Mix)".
4) Open a new tab, and do a Startpage search (from the browser searchplugin) for

Code: Select all

host:youtube.com Mango - Here We Go (Original Mix)

, pasting in the copied text.
That's when I got the alert. No HTTP requests were sent to unexpected domains.

My system came out clean in full scans by both Symantec and ClamXav, so I think it's safe to say I didn't actually get infected, but I do have a couple of questions:
1) Is SeaMonkey 2.27a2 (the latest available of that version) on OS X vulnerable to that exploit at all? (I think no, but not quite 100% sure...)
2) Could it be that there is actually no malware or exploit coming from those websites at all, but just that the cached GIF image wasn't quite "correctly" written to disk due to high CPU usage (initiated by me) at the time I was able to reproduce it?

(Unfortunately, I don't have a copy of the file anymore, nor do I have any way that I know of to preserve it for analysis should I manage to reproduce this again.)

[Giorgio Maone]

A Symantec false positive, most likely.
Anyway, latest Seamonkey just cannot be vulnerable to something discovered in 2005, period.

[barbaz]

Oops, somehow I completely missed the date that exploit was discovered, sorry about that.

Thank you very much for the clarification, Giorgio.

[barbaz]

Reproduced again, and the source is

Code: Select all

startpage.com/cgi-bin/ccspacer?

[therube]

This is all I could get out of it, 7 bytes:

Code: Select all

47 49 46 38 39 61 01   GIF89a.

[barbaz]

That wasn't a direct link - the actual file resides on subdomains of startpage.com and is requested with URL parameters that vary slightly depending the search you do.

If you want an actual URL similar to what I'm working with, disable scripts for startpage.com in NoScript, do a search via their browser searchplugin, and then check something like the Adblock Plus blockable items list. Note also that Symantec doesn't consistently flag the file (I can't figure out what's making the difference), and a quick check indicates that ClamXav does *not* think it's malicious even when Symantec does.