Closed Zip-bomb detected on the internet (zip of death)

Status: Not open for further replies.

PHC-Pink Culprit (Forum Guru) · Joined Jul 28, 2017 · Posts 3,568 · Reaction 3,348 · Points 1,247
ZIP-bomb detected on the internet

"Prevention is Better than Cure"

A zip bomb, also known as a zip of death or decompression bomb, is a malicious archive file designed to crash or render useless the program or system reading it. It is often employed to disable antivirus software, in order to create an opening for more traditional viruses.

Cyber attacks are increasing around the world and hit hundreds of thousands of computers every day. A couple of months after the global WannaCry attack, another deadly virus was found, called 42.zip, which is actively spreading on the network and has already hit tens of thousands of users. The so-called "Death Archive" lands on the user's computer disguised as an ordinary zip archive weighing less than 42 kilobytes, but once the user extracts it, those 42 kilobytes turn into 4.5 petabytes.

Rather than hijacking the normal operation of the program, a zip bomb allows the program to work as intended, but the archive is carefully crafted so that unpacking it (e.g. by a virus scanner in order to scan for viruses) requires inordinate amounts of time, disk space or memory.

Most modern antivirus programs can detect whether a file is a zip bomb and avoid unpacking it.

This archive has 5 layers, each containing 16 files, and at the very last level the weight is estimated at 4.3 gigabytes. Some antiviruses have already learned to detect it, but it should be noted that craftsmen very often encrypt the archive in order to hide its data from the antivirus. As a result, an infected computer does not stand up to the load assigned to it and a huge amount of information

Details and use

A zip bomb is usually a small file for ease of transport and to avoid suspicion. However, when the file is unpacked, its contents are more than the system can handle. The technique was used on dialup bulletin board systems in the past.
Another example of a zip bomb is the file 42.zip, which is a zip file consisting of 42 kilobytes of compressed data, containing five layers of nested zip files in sets of 16, each bottom layer archive containing a 4.3-gigabyte (4 294 967 295 bytes; ~ 3.99 GiB) file for a total of 4.5 petabytes (4 503 599 626 321 920 bytes; ~ 3.99 PiB) of uncompressed data.[3] This file is still available for download on various websites across the Internet. In many anti-virus scanners, only a few layers of recursion are performed on archives to help prevent attacks that would cause a buffer overflow, an out-of-memory condition, or exceed an acceptable amount of program execution time. Zip bombs often (if not always) rely on repetition of identical files to achieve their extreme compression ratios. Dynamic programming methods can be employed to limit traversal of such files, so that only one file is followed recursively at each level, effectively converting their exponential growth to linear.
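As an added example (not from the original post or from Wikipedia), the following Python inspector applies the two defences named above, a recursion cap and following each distinct member only once, by sizing an archive from its headers instead of extracting it. The budget constants, the `inspect_zip`/`build_sample` names and the small constructed sample archive are assumptions made for this example.

```python
import io
import zipfile

MAX_DEPTH = 3            # nested archive layers the inspector will descend (assumed policy)
MAX_RATIO = 100          # declared uncompressed bytes per compressed byte, per member
MAX_TOTAL = 100 * 2**20  # declared bytes we are willing to account for across the tree

def _declared_size(data, depth, memo, verdict):
    """Sum header-declared sizes of one archive, descending into nested zips."""
    verdict["archives_opened"] += 1
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            key = (info.CRC, info.compress_size, info.file_size)
            if key not in memo:  # first sight of this member: size it once, reuse for repeats
                if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                    verdict["reasons"].append(f"{info.filename}: ratio above {MAX_RATIO}:1")
                with zf.open(info) as fh:  # inflates only the first block, not the member
                    is_zip = fh.read(4) == b"PK\x03\x04"
                expanded = info.file_size
                if is_zip and depth + 1 > MAX_DEPTH:
                    verdict["reasons"].append(f"{info.filename}: nested deeper than {MAX_DEPTH}")
                elif is_zip:
                    expanded += _declared_size(zf.read(info), depth + 1, memo, verdict)
                memo[key] = expanded
            total += memo[key]
    return total

def inspect_zip(data: bytes) -> dict:
    """Size a zip from its headers without extracting any payload. Header sizes are
    attacker-controlled, so extraction must still enforce a byte budget while writing."""
    verdict = {"total_declared": 0, "archives_opened": 0, "reasons": []}
    verdict["total_declared"] = _declared_size(data, 0, {}, verdict)
    if verdict["total_declared"] > MAX_TOTAL:
        verdict["reasons"].append(f"declared total {verdict['total_declared']} exceeds {MAX_TOTAL}")
    return verdict

def build_sample(layers=3, fanout=4, leaf_size=2**20) -> bytes:
    """Constructed sample: `layers` layers of `fanout` identical nested archives around
    one run of zeros. Built in memory for the check above and never extracted."""
    def pack(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, blob in members.items():
                zf.writestr(name, blob)
        return buf.getvalue()
    blob = pack({"leaf.bin": b"\0" * leaf_size})
    for _ in range(layers):
        blob = pack({f"part{i}.zip": blob for i in range(fanout)})
    return blob
```

With the default sample (3 layers of 4 identical archives) the inspector opens 4 archives instead of 85 and still accounts for the full 64 MiB the tree declares.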

There are also zip files that, when uncompressed, yield identical copies of themselves.


Sources: en.wikipedia.org/wiki/Zip_bomb