[Closed] Warning!!! How to avoid a zip bomb?

Status
Not open for further replies.

KAKAROTO SAN (Eternal Poster, joined May 9, 2016)
What’s a zip bomb?

A zip bomb, also known as the zip of death or decompression bomb, is a malicious archive file designed to crash or render useless the program or system reading it. It is often employed to disable antivirus software in order to create an opening for traditional types of viruses.
Rather than hijacking the normal operation of a program, the zip bomb allows a program to work as intended; the archive is carefully crafted so that unpacking it (i.e. if an antivirus scans the zip file for viruses) will require an inordinate amount of time, disk space or memory.
But like everything, it has certain limitations, of course. A zip bomb is a very tiny zip file; most of them are measured in kilobytes.
Now, you may have lots of questions like

1) Why is it so tiny?
2) Why call it a zip BOMB when it’s so tiny?
3) How is it so small?
4) How does it work?
5) How to avoid it?


So here are your answers:

1) Why is it so tiny?

A zip bomb is a tiny zip file. It is made so tiny to avoid suspicion. It’s obvious, ain’t it? You don’t want to tell the police you are a thief; you make it look different. It is made tiny by compressing a huge amount of data, and its being tiny makes using it a “pure häçker like mentality”.

2) Why call it a zip BOMB when it’s so tiny?

Never underestimate the smaller ones. It is called a zip bomb or zip of death because it contains up to terabytes, petabytes or even exabytes of data. That’s the key to clearing out malware and hence blocking every obstacle in its path, leaving a straight asphalt road. Now you will certainly want to know how it is possible to compress such large files into a zip file of such small size. Don’t worry, you will get your answers further on.

A simple example of a zip bomb is the file 42.zip, which is a zip file consisting of 42 kilobytes of compressed data, containing five layers of nested zip files in sets of 16, each bottom-layer archive containing a 4.3-gigabyte (4 294 967 295 bytes; ~3.99 GiB) file, for a total of 4.5 petabytes (4 503 599 626 321 920 bytes; ~3.99 PiB) of uncompressed data. This file is still available for download on various websites across the Internet.

In many anti-virus scanners, only a few layers of recursion are performed on archives to help prevent attacks that would cause a buffer overflow, an out-of-memory condition, or exceed an acceptable amount of program execution time. Zip bombs often (if not always) rely on repetition of identical files to achieve their extreme compression ratios. Dynamic programming methods can be employed to limit traversal of such files, so that only one file is followed recursively at each level, effectively converting their exponential growth to linear. There are also zip files that, when uncompressed, yield identical copies of themselves.


3) How is it so small?

Nowadays various compression tools make use of what is called a “lossless compression algorithm”. As the name suggests, this algorithm strives to compress files without any loss of information, which is very important of course: we don’t want to lose any information while we compress files. To show how this zip file works, let me tell you about its simple principle. The computer only understands binary language, i.e. 0’s and 1’s, so every file, in order to be understood by a computer, must be in binary (0, 1) format. If we take a binary number “0 1 0 0 0 1 1 1”, let’s say we have a tool to compress it to a number like “0 1 3 0 3 1”. The same logic applies here. In the initial binary number, there were three 0’s and three 1’s starting from the 3rd digit; we just replaced them with 30 and 31. Now, this might not be the exact logic that governs the compression, but it is correct up to a certain extent. Thus the zip bomb, which will contain only 0’s and 1’s, works in this way: making copies of some files again and again and compressing them into a single zip file, resulting in it throwing up data of about terabytes, petabytes or exabytes.

Make a text file with only 0’s and 1’s. Make a copy of it.
Type up to 1000 zeros and just do “Ctrl+A”, “Ctrl+C”, “Ctrl+V”.
Do it until the text file begins to lag.
The size should be more than 1 gigabyte.
Then compress it and see the magic. The compressed file will be around 1 megabyte.


4) How does it work?

A zip bomb contains petabytes of data, so if an antivirus tries to scan it, it will start to decompress it first. But just imagine what will happen if a file of about a kilobyte is decompressed and we get a file of a few petabytes or more. The answer’s simple: before the zip file is completely scanned, the antivirus will crash, creating a loophole for attackers.

5) How to avoid it?


1. Make sure you are not using your system drive for temp storage. I am not sure if a virus scanner will check it if it encounters it.

2. Also you can look at the information inside the zip file and retrieve a list of the contents. How to do this depends on the utility used to extract the file, so you need to provide more information here.

3. The moment you unzip the first layer and find so many multiple files with weird numbering, you'd automatically know. There is no auto-extracting SFX archive zip bomb that I know of.

4. If the ZIP decompressor you use can provide the data on original and compressed size, you can use that data. Otherwise start unzipping and monitor the output size; if it grows too much, cut it loose.

5. Check the zip header and if there's something weird then do not extract it.

That’s all. Thanks as always for reading this post.


CREDIT TO: MR. GOOGLE AND WIKI WIKI.
 
 

Before downloading any zip files, google first if the site is trusted, or check reviews.
Be cautious; if you’re a very curious person then you might learn the hard way.
Have 3 layers of protection; you can even immunize your drive or use Deep Freeze.
Always make backup files, better yet a system image.
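The checks in tips 2, 4 and 5 above, as an added worked example that is not part of the original post. It reads the sizes declared in the zip's central directory before extracting anything, inflates member by member while counting the bytes that actually come out, and stops at a fixed byte budget and a fixed nesting depth. It also builds its own test archives in memory: the post's file full of zeros from section 3, and a miniature of 42.zip's layers-of-16 layout from section 2, with sizes small enough to run harmlessly. The limits (100:1 ratio, two nested layers, the byte budgets) and all function names are assumed values chosen for the example, not settings or code from any tool.

```python
import io
import zipfile

# Policy limits for this example (assumed values; tune them for your own use).
MAX_RATIO = 100        # allowed uncompressed/compressed ratio per member
MAX_NESTING = 2        # zip-inside-zip layers we are willing to open
CHUNK = 64 * 1024      # inflate this much at a time so the counter stays current


class DecompressionBombError(Exception):
    pass


class Budget:
    """Counts bytes actually produced by inflating, shared across nested archives."""
    def __init__(self, limit):
        self.limit, self.used = limit, 0

    def charge(self, n):
        self.used += n
        if self.used > self.limit:
            raise DecompressionBombError(f"output exceeded the {self.limit}-byte budget")


def check_headers(zf, max_ratio=MAX_RATIO, max_total=None):
    """Tips 2, 4 and 5: read sizes from the central directory without extracting.
    Declared sizes are written by whoever built the archive, so passing here is only a first filter."""
    declared = sum(i.file_size for i in zf.infolist())
    if max_total is not None and declared > max_total:
        return False, f"declares {declared} bytes, over the {max_total}-byte budget"
    for info in zf.infolist():
        if info.compress_size == 0:
            continue                       # empty files and directory entries
        ratio = info.file_size / info.compress_size
        if ratio > max_ratio:
            return False, f"{info.filename}: ratio {ratio:.0f}:1 exceeds {max_ratio}:1"
    return True, f"{len(zf.infolist())} members, {declared} bytes declared"


def extract_bounded(zf, budget, depth=0, max_nesting=MAX_NESTING):
    """Tip 4: inflate in chunks and count what really comes out, aborting once the budget
    is exceeded; descend into nested zips (recognised by magic bytes) up to max_nesting.
    Returns {member path: bytes produced}. Data is kept in memory only for the demo;
    a real extractor would stream each chunk to disk on a volume with a quota (tip 1)."""
    produced = {}
    for info in zf.infolist():
        if info.is_dir():
            continue
        chunks = []
        with zf.open(info) as member:
            while chunk := member.read(CHUNK):
                budget.charge(len(chunk))
                chunks.append(chunk)
        data = b"".join(chunks)
        produced[info.filename] = len(data)
        if data[:4] == b"PK\x03\x04":      # local file header: a zip inside the zip
            if depth >= max_nesting:
                raise DecompressionBombError(f"{info.filename}: nested deeper than {max_nesting} layers")
            inner = zipfile.ZipFile(io.BytesIO(data))
            for name, size in extract_bounded(inner, budget, depth + 1, max_nesting).items():
                produced[f"{info.filename}/{name}"] = size
    return produced


def scan_and_extract(blob, budget_bytes, max_ratio=MAX_RATIO, max_nesting=MAX_NESTING):
    """Header check first, then bounded extraction. Returns (verdict, detail)."""
    zf = zipfile.ZipFile(io.BytesIO(blob))
    ok, reason = check_headers(zf, max_ratio, budget_bytes)
    if not ok:
        return "rejected by headers", reason
    try:
        return "extracted", extract_bounded(zf, Budget(budget_bytes), 0, max_nesting)
    except DecompressionBombError as e:
        return "aborted while extracting", str(e)


def make_zero_archive(zero_bytes, nested_layers=0, fan_out=1):
    """Constructed test data, not a real bomb: a zip holding a file of zero bytes (the post's
    text file full of '0'), optionally wrapped in nested_layers more zips holding fan_out
    copies each, the shape of 42.zip's five layers of 16, at a harmless scale."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.txt", bytes(zero_bytes))
    blob = buf.getvalue()
    for layer in range(nested_layers):
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(fan_out):
                zf.writestr(f"layer{layer}_{i}.zip", blob)
        blob = outer.getvalue()
    return blob


if __name__ == "__main__":
    MiB = 1024 * 1024
    flat = make_zero_archive(16 * MiB)                               # ~16 KiB on disk, 16 MiB inflated
    print(len(flat), scan_and_extract(flat, 64 * MiB))               # caught by the ratio check
    nested = make_zero_archive(1 * MiB, nested_layers=2, fan_out=4)  # 4 x 4 x 1 MiB of zeros
    print(len(nested), scan_and_extract(nested, 8 * MiB))            # headers look harmless; budget stops it
    print(scan_and_extract(nested, 64 * MiB)[0])                     # within budget: extracted
    print(scan_and_extract(nested, 64 * MiB, max_nesting=1)[0])      # too deep: aborted
```

Running it shows the point the post makes in section 2: the flat archive is caught by the ratio check on its headers, but the nested one looks innocent in its outer central directory (four small zip members, each about as large compressed as uncompressed) and is only stopped when the output counter crosses the budget, or when the recursion limit is hit. Because the declared sizes come from the archive itself, the byte counter and the depth limit are the real defence and the header check only saves work; the same depth limit also ends the self-reproducing archives mentioned in section 2.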
 