A ” bomb zip 46 Mb reached 4500 To after decompression


You certainly know the concept of “bomb zip”. Behind this name rather explicitly hides a compressed file (the format most well-known being the .zip, hence the name) created by a malicious user to cause damage to the targeted device. These “zip bomb” is to differentiate compressed files classic by the huge amount of data they ship. In the decompression, the archive seemingly harmless, are potentially going to release hundreds of thousands of GB of data on its target, hence the name “bomb”.


In early July, the developer David Fifield has managed to create a zip bomb of a new type, with not less than 4,500 TB of data in compressed in a Zip file… 46 MB. A compression ratio of 28.000.0000… In comparison, this would equate to get the Earth in a cube of 34x34x34 meters.


It is not the first time that such a large amount of data is piled up in a Zip file : some of the bombs have done at least as well, as the famous 42.zip with its 4.5 PB (or 4.500 TB, or 4.500.000 GB).


This makes the job of Fifield interesting, this is the technique used. So far, all the huge zip bombs as 42.zip used all compression recursively to multiple levels. In the case of 42.zip it contains 16 other files .zip, each of which contains 16 other zip files… all on 5 floors, with at the end of each string a file of 4.3 GB.


Fifield, him, has managed to create its enormous zip bomb without compression recursive ! This gives it some peculiarities : the most obvious is that the entire file can be decompressed in a single cycle and, therefore, “explode” in one fell swoop. The author states that an expansion even higher is possible, with extensions to 64-bit. He also explained that his work has been realized thanks to the compression algorithm the most common, named DEFLATE, and therefore it is compatible with the majority of parsers zip.


But another consequence is more pernicious is that at the present time, a good part of the antivirus does not detect this process. 01Net has tested the file on the multi-antivirus online VirusTotal, to mixed results : a good part of the antivirus there saw that the fire. But, according to Fifield, the detection of this type of bomb would be “easy” and it would not therefore be only a matter of time before the antivirus integrate it all.


We, therefore, rely on the good faith of each to not do it to unpack to a user who has not been warned : the damage could be considerable..

Comments