Zip File Bombs

[mouser]

This is a cool and clever and nasty idea, especially with antivirus tools trying to automatically unpack zip files to analyze them.. I hope they know to watch out for this.

In 2001 reports about Zip Bombs or Zip of Death attacks made the round on the Internet and I thought it would be nice to write about one shiny harmless example of that technique. On first glance the file 42.zip is a normal compressed file with the size of 42 Kilobytes. Many users who run a virus scanner will probably run into troubles downloading that file to their computer.

It still looks like a normal 42 Kilobyte archive after the download but the surprise begins when the user tries to unpack that file. What they did was basically pack a 4.3 Gigabyte file consisting only of zeros. That packed file was replicated 16 times and packed again, and again, and again, and again. Or, to use their own words:

The file contains 16 zipped files, which again contains 16 zipped files, which again contains 16 zipped files, which again contains 16 zipped, which again contains 16 zipped files, which contain 1 file, with the size of 4.3GB.

http://www.ghacks.ne...d-make-45-petabytes/

[Josh]

Wow, thats just evil. I have to sit back and stare in awe that this is happening. Its a fantastic idea.

[yotta]

wow , we have to make one of them!

[kartal]

uhmm, reminds me of the number "42 " from The Hitchhiker's Guide to the Galaxy from Douglas Adams.

[nosh]

Hah!

[40hz]

Really "cute" hack. Simple, elegant, and nasty. And difficult to detect unless you're specifically looking for it. Sad to see it's back again. 



Wasn't/isn't there an AV product that used to allow you to autoflag as suspicious any archive that nested more than nn-levels deep? I seem to remember there was one that did. Problem is I've dated so many that I can't remember names.

[Renegade]

Make each an SFX that extracts the next level...

[f0dder]

Oh, I thought this was going to be about the MAC OSX zip vulnerability that lets you auto-wipe a harddrive, and was going to make a snide remakr that "OSX HAS NO VIRUSES OMFG!", but... oh... I ended up making that remark anyway

Hm, 4.3 gigs (DVD ISO size, btw) of zeroes? Yeah, you can fill a harddrive, and there will be some decompression time. But at least if you use NTFS, you won't be spending time writing that data to disk

[electronixtar]

I've seen one of this before. kb size .zip turned out to be 2GB 0x00 

[Lashiec]

Old trick, I didn't check the rest of the scanners, but avast! and a-squared detect compressed file bombs without problems. What's more, avast! usually ignores compressed files if the decompressed size surpass a certain value.

Besides, apart from leaving the computer unusable (an offline DoS attack), there's really no much use to them for malware writers. Well, you will be pissed for a few seconds before reaching for the "Reset" button

Wasn't/isn't there an AV product that used to allow you to autoflag as suspicious any archive that nested more than nn-levels deep? I seem to remember there was one that did. Problem is I've dated so many that I can't remember names.

-40hz (July 27, 2008, 03:37 PM)

AntiVir lets you define the maximum level of recursion in a compressed file (20 as a default), but as far as I know, it just ignores those that go over the limit.

[40hz]

AntiVir lets you define the maximum level of recursion in a compressed file (20 as a default), but as far as I know, it just ignores those that go over the limit.

-Lashiec (July 28, 2008, 04:14 PM)

It does.

And thanks! It was Avast I was trying to remember.