Threat Description

JBellz

Details

Category: Malware
Type: Trojan
Platform: W32
Aliases: JBellz, Trojan.Linux.JBellz

Summary


JBells is a trojan embedded into malformed MP3 files. The trojan uses a vulnerability in mpg123 which is a command-line MP3 player for Linux and other *NIX systems. When the trojanized MP3 is played with a vulnerable version of mpg123 a routine is started that deletes the current user's home directory and it's content.

The latest development version of mpg123 (0.59s) was tested and found to be vulnerable to this attack, while the latest stable version (0.59r) is not vulnerable.

The original exploit code generates ready to distribute trojanized MP3s for Suse 8.0 and Slackware 8.0 distributions.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


The exploit code generates an MP3 file with malformed header that causes a buffer overflow in mpg123's header parsing code. The malicious buffer is constructed so that it calls a command shell with a one-line command that removes the user's home directory recursively.

Even though the original exploit contains settings for the distributions mentioned above it is unfortunately easy to modify the exploit code to affect other Linux distributions and versions as well. Because of this users of vulnerable mpg123 versions are advised to change their mpg123 to a non-vulnerable version, regardless of their distribution.





Technical Details:Gergely Erdelyi; F-Secure Corp.; January 15th, 2003


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More