Archive bomb

from Wikipedia, the free encyclopedia

An archive bomb (also called a decompression bomb) is a file whose contents are packed with data compression and whose malicious purpose is to expand to an unexpectedly large multiple of its size when unpacked, or to send the unpacking software into an endless loop. The packed contents can be, for example, image files that repeat the same pattern over and over, or text files made of repeated character strings; such regularities can be compressed extremely well. Bugs in the extraction software can also be exploited to produce recursion.

Attack route

The main attack route for archive bombs is e-mail, with the bomb sent as an attachment. Such an e-mail is small and poses no danger that is recognizable at first glance.

Archive bombs are not primarily meant to be unpacked by the user; they target anti-virus programs, which scan files, including those inside archives, often as soon as they are received. To do so, the scanner must unpack the archive into temporary storage. The unpacked files may then fill main memory or the hard disk and bring the system to a standstill, and the scan itself consumes a great deal of computing time. With recursive archive bombs the system as a rule remains usable, but the virus scanner can never finish its task of scanning the archive. This kind of archive bomb can be countered by having the anti-virus software examine incoming archives only to a certain nesting depth. The attack is thus an attempt at denial of service.

Reading the size information recorded in the archive's headers is of no help on its own, since those fields can be edited, for example with a hex editor; only the amount of data actually produced while unpacking can be trusted.

Examples

42.zip

A well-known archive bomb is 42.zip. Packed five levels deep, it is only 42 kilobytes in size. When unpacked, however, the data volume grows by a factor of about a hundred billion, to 4.5 petabytes:

Structure                       Total number of files 1)   Each contains   Uncompressed total size (bytes)
42.zip 2)                       1,048,576                  16 archives     4,503,599,626,321,920 (4.5 PB)
→ lib0.zip … libf.zip 3)        1,048,576                  16 archives     4,503,599,626,321,920 (4.5 PB)
→ book0.zip … bookf.zip         65,536                     16 archives     281,474,976,645,120 (281 TB)
→ chapter0.zip … chapterf.zip   4,096                      16 archives     17,592,186,040,320 (17 TB)
→ doc0.zip … docf.zip           256                        16 archives     1,099,511,627,520 (1 TB)
→ page0.zip … pagef.zip         16                         1 file          68,719,476,720 (68 GB)
→ 0.dll 4)                      1                                          4,294,967,295 (4.3 GB)

Remarks:

  • 1) Only the lowest level, the files page0.zip … pagef.zip, contains actual files; the levels above serve only as multipliers for the number of files at the lowest level. The figures are not cumulative and are meant for illustration: the total number of files counts only the compressed duplicates of 0.dll, not the container archives that are also embedded (whose share of the total is negligibly small).
  • 2) 42.zip itself merely combines the 16 container files of the next lower level into a single file, so the total size and file count do not change compared with that level.
  • 3) The file names follow the scheme prefix#, where # stands for a single hexadecimal digit, giving 16 values (0, 1, 2, …, 9, a, b, c, d, e, f). "lib0.zip … libf.zip" therefore stands for 16 individually numbered files.
  • 4) The file 0.dll consists of the byte 0xAA repeated over its entire length of 4,294,967,295 bytes; this redundancy makes it compress extremely well without loss.
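
The two defences described under "Attack route", following nested archives only to a fixed depth and counting the bytes actually produced rather than believing the sizes recorded in the headers, fit in a few dozen lines. The following Python is an added example, not code from this article, from the author of 42.zip or from any anti-virus product: it parses the ZIP central directory itself, inflates every member through a streaming zlib decompressor under a total output budget, recurses into members that are themselves ZIPs up to a depth limit, records the worst inflation ratio, and builds a small constructed sample in the shape of 42.zip (4 copies per level, 3 levels, 0xAA payload) to exercise those limits. The function names, the limit values (3 levels, 16 MiB, 200:1) and the sample sizes are all assumptions chosen for illustration.

```python
"""Bounded, depth-limited scan of nested ZIP archives. Added example, not code
from the article or from any anti-virus product; all limit values are assumptions."""
import io
import struct
import zipfile
import zlib
LOCAL_SIG, CDIR_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

class Report:
    def __init__(self):
        self.declared = 0           # uncompressed bytes the headers claim
        self.total = 0              # uncompressed bytes really produced
        self.header_mismatches = 0  # members whose declared size was wrong
        self.max_ratio = 0.0        # worst inflated:compressed ratio seen
        self.max_depth = 0          # deepest nesting level reached
        self.aborted = None         # reason string once a hard limit is hit

def iter_members(data):
    """Parse the central directory; yield (name, method, csize, usize, raw)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise zipfile.BadZipFile("no end-of-central-directory record")
    count, _, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != CDIR_SIG:
            raise zipfile.BadZipFile("bad central directory entry")
        method = struct.unpack_from("<H", data, pos + 10)[0]
        csize, usize = struct.unpack_from("<II", data, pos + 20)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        local = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        # Data follows the *local* header, whose name/extra lengths may differ.
        if data[local:local + 4] != LOCAL_SIG:
            raise zipfile.BadZipFile(f"bad local header for {name!r}")
        lnlen, lxlen = struct.unpack_from("<HH", data, local + 26)
        start = local + 30 + lnlen + lxlen
        yield name, method, csize, usize, data[start:start + csize]
        pos += 46 + nlen + xlen + clen

def inflate_bounded(raw, method, budget):
    """Return the member's content, or None once it would exceed `budget` bytes."""
    if method == zipfile.ZIP_STORED:
        return raw if len(raw) <= budget else None
    if method != zipfile.ZIP_DEFLATED:
        raise zipfile.BadZipFile(f"unsupported compression method {method}")
    d = zlib.decompressobj(-15)  # raw DEFLATE, as used inside ZIP
    out, buf = bytearray(), raw
    while not d.eof:  # count output as it is produced; the declared size plays no role
        piece = d.decompress(buf, 64 * 1024)
        buf = d.unconsumed_tail
        if not piece and not buf:  # truncated stream: nothing more will come
            break
        out += piece
        if len(out) > budget:
            return None
    return bytes(out)

def scan(data, max_depth=3, max_total=16 << 20, max_ratio=200, _depth=0, _report=None):
    """Inspect `data` as a ZIP, recursing into nested ZIPs; return a Report."""
    rep = _report or Report()
    rep.max_depth = max(rep.max_depth, _depth)
    if _depth > max_depth:
        rep.aborted = f"depth: nested deeper than {max_depth} levels"
        return rep
    for name, method, csize, usize, raw in iter_members(data):
        content = inflate_bounded(raw, method, max_total - rep.total)
        if content is None:
            rep.aborted = f"budget: {name} pushes output past {max_total} bytes"
            return rep
        rep.declared += usize
        rep.total += len(content)
        rep.header_mismatches += len(content) != usize  # the header lied
        ratio = len(content) / max(csize, 1)
        rep.max_ratio = max(rep.max_ratio, ratio)
        if ratio > max_ratio:
            rep.aborted = f"ratio: {name} inflates {ratio:.0f}:1"
            return rep
        if content[:4] == LOCAL_SIG:  # a ZIP inside the ZIP: descend
            scan(content, max_depth, max_total, max_ratio, _depth + 1, rep)
            if rep.aborted:
                return rep
    return rep

def make_nested_zip(payload, fanout, levels):
    """Constructed sample shaped like 42.zip: `fanout` copies per level."""
    blob = payload
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as z:
            for i in range(fanout):
                z.writestr(f"l{level}_{i:x}" + (".zip" if level else ".dat"), blob)
        blob = buf.getvalue()
    return blob

def forge_declared_size(zip_bytes, fake_size):
    """Overwrite the first member's declared uncompressed size, hex-editor style."""
    cd = struct.unpack_from("<I", zip_bytes, zip_bytes.rfind(EOCD_SIG) + 16)[0]
    return zip_bytes[:cd + 24] + struct.pack("<I", fake_size) + zip_bytes[cd + 28:]
```

scan(make_nested_zip(b"\xaa" * (4 << 20), 4, 3)) stops at the first 0xAA member with a ratio verdict, because that payload inflates roughly a thousandfold; with max_ratio=float("inf") it instead stops with a budget verdict once 16 MiB have been produced, having touched at most four of the 64 payload copies. A six-level chain of single-member archives is rejected by the depth limit before anything large is inflated, which is also what stops a self-containing archive. Because the scanner trusts nothing but the byte count it observes, an archive whose declared size has been lowered with forge_declared_size still shows the true total and the mismatch is counted, whereas zipfile.ZipInfo.file_size from the standard library simply repeats the forged header value.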

Further

A technique called "Zip Files All The Way Down" is similar to 42.zip; here, however, a zip, gzip or tar file is constructed that contains itself recursively, so that unpacking it recursively never terminates.

References

  1. Glossary entry on a Kaspersky Lab website (www.viruslist.com); archived copy of the original from October 31, 2012 in the Internet Archive.
  2. www.unforgettable.dk: details on the structure of 42.zip (in English).
  3. research.swtch.com: Zip Files All The Way Down, accessed February 21, 2011.