What is a zip bomb?
A zip bomb, zip of death, or decompression bomb is a malicious archive file that crashes the program or the system that tries to read it. Usually, a zip bomb is a compressed file built so that decompressing it takes a huge amount of time, disk space, or memory. As a result, the program or the system crashes.
Where is a zip bomb used?
A zip bomb is normally used by an attacker to disable anti-virus software so that the computer can be easily infected by malware.
It is usually a small compressed file, so it does not create much suspicion. But when a program tries to decompress it, its contents become larger than the program or the system can handle. As a result, when an anti-virus program tries to scan it, the scanner ends up crashing.
How does a zip bomb work?
A zip bomb typically contains layers of nested zip files. When the compressed file is decompressed recursively, the size of the decompressed data can reach petabytes.
To give an example, 42.zip is a popular zip bomb. It consists of 42 kilobytes of compressed data. This compressed file has five layers of nested zip files, and each layer consists of 16 compressed files, where each compressed file expands to 4.3 gigabytes of data. So, in total, the zip bomb will consist of 4.5 petabytes of data when it is fully decompressed.
How to prevent zip bombs?
Most recent anti-virus programs are capable of preventing zip bombs. Usually, anti-virus scanners perform only a few layers of recursion on archives. Zip bombs also often repeatedly use identical files, so dynamic programming methods are used to detect them and limit their expansion.
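The nesting and expansion limits described above, written as a small defensive inspector. This is an added example, not code from the original article: it reads only the zip central directory, refuses entries whose declared size is far larger than their stored size, caps the total declared size, and stops recursing into nested archives past a fixed depth. The limits, the make_zip helper, and the sample archives are all constructed for the example.

```python
import io
import zipfile

# Policy limits, constructed for this example; tune them for your environment.
MAX_RATIO = 100          # reject entries whose declared size is >100x the stored size
MAX_TOTAL = 50 * 2**20   # 50 MiB of declared uncompressed data across the whole tree
MAX_DEPTH = 3            # refuse to recurse into archives nested deeper than this


def inspect_zip(data, depth=0, total=0):
    """Walk an archive's central directory without extracting it to disk.

    Returns (ok, reason, total_declared_bytes). Sizes come from the zip
    headers; if a header declares too much we refuse, which is the safe side.
    """
    if depth > MAX_DEPTH:
        return False, "nesting depth %d exceeds limit" % depth, total
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a valid zip at depth %d" % depth, total
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stored = max(info.compress_size, 1)
            ratio = info.file_size / stored
            if ratio > MAX_RATIO:
                return False, "%s: ratio %.0f:1" % (info.filename, ratio), total
            total += info.file_size
            if total > MAX_TOTAL:
                return False, "declared size exceeds limit at %s" % info.filename, total
            if info.filename.lower().endswith(".zip"):
                # Nested archive: read at most MAX_TOTAL+1 bytes so a lying
                # header cannot make us inflate an unbounded amount into memory.
                with zf.open(info) as inner:
                    nested = inner.read(MAX_TOTAL + 1)
                if len(nested) > MAX_TOTAL:
                    return False, "%s: actual size exceeds limit" % info.filename, total
                ok, reason, total = inspect_zip(nested, depth + 1, total)
                if not ok:
                    return False, reason, total
    return True, "ok", total


def make_zip(entries):
    """Build an in-memory deflated zip from {filename: bytes} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```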
The above article gives a brief overview of zip bombs. Interested readers who want to know more about how various malware and cyberattacks work and how to prevent them may want to refer to the book “A Guide To Cyber Security.”