topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 6:35 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Zip File Bombs  (Read 7860 times)

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Zip File Bombs
« on: July 27, 2008, 11:27 AM »
This is a cool and clever and nasty idea, especially with antivirus tools trying to automatically unpack zip files to analyze them.. I hope they know to watch out for this.

In 2001 reports about Zip Bombs or Zip of Death attacks made the round on the Internet and I thought it would be nice to write about one shiny harmless example of that technique. On first glance the file 42.zip is a normal compressed file with the size of 42 Kilobytes. Many users who run a virus scanner will probably run into troubles downloading that file to their computer.

It still looks like a normal 42 Kilobyte archive after the download but the surprise begins when the user tries to unpack that file. What they did was basically pack a 4.3 Gigabyte file consisting only of zeros. That packed file was replicated 16 times and packed again, and again, and again, and again. Or, to use their own words:

The file contains 16 zipped files, which again contains 16 zipped files, which again contains 16 zipped files, which again contains 16 zipped, which again contains 16 zipped files, which contain 1 file, with the size of 4.3GB.


Josh

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Points: 45
  • Posts: 3,411
    • View Profile
    • Donate to Member
Re: Zip File Bombs
« Reply #1 on: July 27, 2008, 11:46 AM »
Wow, thats just evil. I have to sit back and stare in awe that this is happening. Its a fantastic idea.

yotta

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 50
    • View Profile
    • Donate to Member
Re: Zip File Bombs
« Reply #2 on: July 27, 2008, 11:51 AM »
wow ;D, we have to make one of them!

kartal

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 1,529
    • View Profile
    • Donate to Member
Re: Zip File Bombs
« Reply #3 on: July 27, 2008, 11:57 AM »
uhmm, reminds me of the number "42 " from The Hitchhiker's Guide to the Galaxy from Douglas Adams.

nosh

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,441
    • View Profile
    • Donate to Member
Re: Zip File Bombs
« Reply #4 on: July 27, 2008, 01:50 PM »

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,857
    • View Profile
    • Donate to Member
Re: Zip File Bombs
« Reply #5 on: July 27, 2008, 03:37 PM »
Really "cute" hack. Simple, elegant, and nasty. And difficult to detect unless you're specifically looking for it. Sad to see it's back again. 



Wasn't/isn't there an AV product that used to allow you to autoflag as suspicious any archive that nested more than nn-levels deep? I seem to remember there was one that did. Problem is I've dated so many that I can't remember names.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Zip File Bombs
« Reply #6 on: July 27, 2008, 11:21 PM »
Make each an SFX that extracts the next level... :)
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Zip File Bombs
« Reply #7 on: July 28, 2008, 10:17 AM »
Oh, I thought this was going to be about the MAC OSX zip vulnerability that lets you auto-wipe a harddrive, and was going to make a snide remakr that "OSX HAS NO VIRUSES OMFG!", but... oh... I ended up making that remark anyway :)

Hm, 4.3 gigs (DVD ISO size, btw) of zeroes? Yeah, you can fill a harddrive, and there will be some decompression time. But at least if you use NTFS, you won't be spending time writing that data to disk :)
- carpe noctem

electronixtar

  • Member
  • Joined in 2007
  • **
  • Posts: 141
    • View Profile
    • Donate to Member
Re: Zip File Bombs
« Reply #8 on: July 28, 2008, 03:45 PM »
I've seen one of this before. kb size .zip turned out to be 2GB 0x00  ;D

Lashiec

  • Member
  • Joined in 2006
  • **
  • Posts: 2,374
    • View Profile
    • Donate to Member
Re: Zip File Bombs
« Reply #9 on: July 28, 2008, 04:14 PM »
Old trick, I didn't check the rest of the scanners, but avast! and a-squared detect compressed file bombs without problems. What's more, avast! usually ignores compressed files if the decompressed size surpass a certain value.

Besides, apart from leaving the computer unusable (an offline DoS attack), there's really no much use to them for malware writers. Well, you will be pissed for a few seconds before reaching for the "Reset" button ;D

Wasn't/isn't there an AV product that used to allow you to autoflag as suspicious any archive that nested more than nn-levels deep? I seem to remember there was one that did. Problem is I've dated so many that I can't remember names.

AntiVir lets you define the maximum level of recursion in a compressed file (20 as a default), but as far as I know, it just ignores those that go over the limit.
« Last Edit: July 28, 2008, 04:20 PM by Lashiec »

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,857
    • View Profile
    • Donate to Member
Re: Zip File Bombs
« Reply #10 on: July 28, 2008, 09:42 PM »
AntiVir lets you define the maximum level of recursion in a compressed file (20 as a default), but as far as I know, it just ignores those that go over the limit.

It does.

And thanks! It was Avast I was trying to remember. :)