Zip bomb
A zip bomb, also known as a zip of death or decompression bomb, is a malicious archive file designed to crash or render useless the program or system reading it. It is often employed to disable antivirus software, in order to create an opening for more traditional viruses.
Rather than hijacking the normal operation of the program, a zip bomb allows the program to work as intended, but the archive is carefully crafted so that unpacking it (e.g. by a virus scanner in order to scan for viruses) requires inordinate amounts of time, disk space or memory.
Most modern antivirus programs can detect whether a file is a zip bomb, to avoid unpacking it.[1]
Details and use
A zip bomb is usually a small file for ease of transport and to avoid suspicion. However, when the file is unpacked, its contents are more than the system can handle. The technique was used on dialup bulletin board systems in the past.[2]
Another example of a zip bomb is the file 42.zip, which is a zip file consisting of 42 kilobytes of compressed data, containing five layers of nested zip files in sets of 16, each bottom layer archive containing a 4.3-gigabyte (4 294 967 295 bytes; ~ 3.99 GiB) file for a total of 4.5 petabytes (4 503 599 626 321 920 bytes; ~ 3.99 PiB) of uncompressed data.[3] This file is still available for download on various websites across the Internet. In many anti-virus scanners, only a few layers of recursion are performed on archives to help prevent attacks that would cause a buffer overflow, an out-of-memory condition, or exceed an acceptable amount of program execution time. Zip bombs often (if not always) rely on repetition of identical files to achieve their extreme compression ratios. Dynamic programming methods can be employed to limit traversal of such files, so that only one file is followed recursively at each level, effectively converting their exponential growth to linear.
There are also zip files that, when uncompressed, yield identical copies of themselves.[4][5]
Incidents
In 2011 HBO and Sony were alleged in hiring "hackercenaries" (Hackers for Hire), using some of their subsidiary firms in their fight against piracy and to mislead and tamper with torrent and usenet files. The group was alleged in re-posting movies using known piracy names in order to mislead suspected downloads into thinking the files were posted by verified and "safe" legitimate "pirate groups or previous good posters".
In April, 2012 the hackers anonymous group reported that they uncovered and found infected .MKV files with these decompression bombs, at which time was thought to be impossible due to the nature and size of MKV files and how the contents are packed, making it difficult to execute any malicious code in a runtime environment. However, most video players that read MKV files, unpack the contents into memory checking for subtitles, or other audio tracks, etc, which allows for malicious code or files embedded within the mkv to be opened by the player and executed. Since most users believed that video files are safe, many ignored the warnings and even most mainstream virus scanners ignored large files or video/audio files in general.
As a result of several of these outbreaks, anti-virus scanners now offer the option to scan for decompression bombs, however the process is time and memory consuming due to the size of most files, and as a result infections rates remain steady as novice users continue to ignore headed warnings. Most mainstream scanners like Avira, Avast , AVG have the option to check for malware bombs, but must be enabled by the user.[6]
Once a decompression bomb is able to execute, it usually attempts to connect to a BotNet or C&C (Command and Control) server, and downloads the actual payload (Malicious File) , thus many bombs can be thwarted by simply disabling internet access to the video player, and not using built in features like auto-subtitle downloads, updates, albums names, etc.
Although still speculation, the 2013 and 2014 HBO/Sony Hacks were thought to be retaliation by several piracy groups for using their "PseudoNames", which in the computer hacker or underground world is considered sacred ground and use of another hacktivist's name is forbidden.
See also
- Billion laughs, a similar attack on XML parsers
- E-mail bomb
- Logic bomb
- Fork bomb
- Busy beaver, a program that produces the maximal possible output before terminating
References
- ↑ Bieringer, Peter (2004-02-12). "AERAsec - Network Security - Eigene Advisories". Retrieved 2011-02-19.
- ↑ "DFS #55". Retrieved 2012-10-05.
- ↑ "42.zip".
- ↑ "Zip Files All The Way Down".
- ↑ "ZIP File Quine".
- ↑ https://support.avast.com/index.php?topic=8943.45
External links
- "DoS risk from Zip of death attacks on AV software?", 2001 story on "The Register"
- "Zip Files All The Way Down", 2010
- ZIP File Quine
- Zip Bomb
- 42.zip and 42.zip
- Decompression bomb vulnerabilities