The .zip compressed file format was invented three decades ago and is now extremely popular: it helps us send folders and files more easily and saves storage space. But the format can also be abused to build malicious things like a Zip bomb, a super-compressed archive that, when it "explodes", releases a huge amount of data, up to several petabytes.
David Fifield, a programmer and software engineer, has just created such a bomb. It is a malware-like file that looks like a normal Zip archive of only a few KB, but when someone decompresses it, it releases petabytes of data (1 petabyte = 1000 terabytes).
Such files are not uncommon, but the technique Fifield used to create his Zip bomb is new. It is not the zip-inside-a-zip trick: I used to play this game to see how small a file could really get by compressing a folder of data and then compressing the resulting Zip file again, many times over. Instead, Fifield found a way to "stack" (overlap) the files inside a single Zip archive, thereby achieving extremely high compression ratios compared to conventional archives. His best result compresses 4.5 PB of data into a file of only 46 MB.
How to create a Zip bomb file?
The story of the .zip format began in 1988, when Phil Katz, a programmer and BBS (Bulletin Board System) user, wrote software to compress files compatible with the ARC format, a compression format developed by the System Improvement Association (SEA), and in doing so developed a new algorithm that compressed files better than ARC's original one. The problem was that his algorithm was incompatible with the existing format, but it was released in open form, which quickly made the product Phil created an industry standard. That format is .zip.
Phil Katz (Phillip Walter Katz) died at the age of 37 after a long period of alcoholism, but what he left behind was .zip and its variants, which proved to be a very good format on BBS servers as well as FTP servers. Thanks to its release as shareware, people used .zip more and more, and the format was eventually integrated into Windows and Macintosh. However, the way Zip compresses files lets hackers exploit it in many ways, and one of them is the Zip bomb.
A data compressor looks for repeated information in a file and encodes that repetition as compactly as possible. A simple explanation on the makeuseof page illustrates it with repeated data: "fffffffuuuuuuuuuuuu" (seven f's and twelve u's) is compressed to "f7u12". This is also why an MP3 file, which is already compressed, shrinks much less when you zip it than a text file does.
So logically, if a file consists of nothing but zeros, one thousand zeros for example, the compressed file will be very small while the extracted file will be huge, by the same principle. Such a file itself has no value when decompressed, except as a test file for antivirus software, which has to scan the files inside a Zip archive to check whether they contain malicious code.
According to a presentation at the 2015 USENIX Security Symposium, the Zip bomb is believed to have appeared as early as 1996, when such a file was uploaded to Fidonet with the aim of tricking administrators into opening it. By 2001, the Zip bomb had become one of the top security concerns, when MIS Corp Defense warned users of an email attachment of only 42 KB that could decompress to several PB.
It is unclear who the author of 42.zip is, but since its appearance it has become a "legend" among Zip bombs, with a compression ratio of 106 billion to 1. In an email interview, Fifield said that although 42.zip has existed for the past 15 years and received attention from security circles, other similar experiments attracted him on the technical side.
The Zip bomb is an effective attack tool because it drains system resources: CPU, RAM and disk. However, compressed files also have a natural limitation: most Zip decompressors can expand data at a maximum ratio of only 1032:1. This means that a Zip bomb of that size can only be built by nesting archives recursively. 42.zip is an example: fully assembled it is only slightly larger than 42 KB, but inside it contains an elaborate set of nested Zip files, namely 16 Zip files, each containing 16 more Zip files, stacked level after level, and the innermost file in each Zip is a 4.3 GB file. Fully decompressed, the total reaches 4.5 PB.
In addition, there are other constructions, Zip quines, which recurse infinitely: when extracting, decompression goes on endlessly and you never get a final file. Fifield said this method gave him the idea for his Zip bomb files.
What makes Fifield's Zip bomb different, however, is how he surpassed the 1032:1 compression limit. He used a trick that stacks files on top of each other during compression, creating an archive with just one layer, not recursive like 42.zip, but still very small compared to what it unzips to. Fifield said his results do not reach a compression ratio as high as 42.zip's, because a file of similar size, 42 KB, extracts to only 5.5 GB instead of 4.5 PB, but the compression ratio he achieves with large files is higher, for example a 281 TB output compressed into only about 10 MB.
With the Zip64 extension of the format, Fifield can match the 4.5 PB output of the recursive 42.zip from a file of roughly 46 MB, a compression ratio of 98 million to 1. Fifield said one more thing that helped him achieve this was exploiting the CRC-32 checksum (error-detection) mechanism built into many computer formats such as Zip and PNG.
A better zip bomb
Is a Zip bomb dangerous?
It is fair to say that Zip bombs are rarely encountered, and if one does turn up, modern antivirus software should be able to detect it. Moreover, detecting a Zip bomb is not difficult, because the Zip bomb's basic signature is the file stacking itself, Fifield said.
However, these detection mechanisms have not been integrated into the decompression tools, so Zip bombs still get a chance to do damage. Fifield tested and found many programs, such as McAfee Antivirus and LibreOffice, hanging while extracting, and not even all antivirus software can correctly detect a Zip bomb. Interestingly, I tried downloading the 42.zip Zip bomb, and F-Secure on my computer gave no warning. Tested on the VirusTotal site, only a few engines such as Kaspersky, ESET NOD32, ZoneAlarm, AegisLab, DrWeb and some Chinese products detected it; the rest reported "Undetected".
Fifield will present his findings at the USENIX Workshop on Offensive Technologies (WOOT) conference next month. Although the Zip bomb is not new, with Fifield's approach his research has considerable educational value.
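A check of the kind Fifield describes, as an added example that is not part of this article or of Fifield's own tools: it reads an archive's central directory, computes the declared expansion ratio against the 1032:1 DEFLATE bound mentioned above, and flags entries whose byte ranges overlap (the "stacking" signature). RATIO_LIMIT and the sample archive are assumptions constructed here.

```python
import io
import struct
import zipfile

DEFLATE_MAX_RATIO = 1032   # upper bound for a single DEFLATE stream, as the article notes
RATIO_LIMIT = 100          # assumed policy threshold for flagging an archive

LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")   # the 30-byte local file header

def entry_spans(data):
    """Byte range [start, end) that each central-directory entry claims on disk."""
    spans = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            hdr = LOCAL_HEADER.unpack_from(data, info.header_offset)
            if hdr[0] != b"PK\x03\x04":
                raise ValueError(f"{info.filename}: bad local header signature")
            fn_len, extra_len = hdr[9], hdr[10]
            start = info.header_offset
            end = start + LOCAL_HEADER.size + fn_len + extra_len + info.compress_size
            spans.append((info.filename, start, end))
    return spans

def find_overlaps(spans):
    """Pairs of entries whose on-disk ranges overlap; a normal archive has none."""
    hits = []
    widest_name, widest_end = None, -1
    for name, start, end in sorted(spans, key=lambda s: s[1]):
        if start < widest_end:            # this entry starts inside an earlier one
            hits.append((widest_name, name))
        if end > widest_end:
            widest_name, widest_end = name, end
    return hits

def expansion_ratio(data):
    """Declared uncompressed bytes divided by compressed bytes, from the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        compressed = sum(i.compress_size for i in zf.infolist())
        declared = sum(i.file_size for i in zf.infolist())
    return declared / max(compressed, 1)

def looks_like_bomb(data):
    return bool(find_overlaps(entry_spans(data))) or expansion_ratio(data) > RATIO_LIMIT

def make_sample_zip():
    """Constructed benign archive: a note plus 1 MiB of zeros, close to DEFLATE's limit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", "constructed sample archive\n")
        zf.writestr("zeros.bin", bytes(1024 * 1024))
    return buf.getvalue()
```

The constructed sample has no overlapping entries but still trips the ratio threshold, which shows why a size-ratio policy alone produces false positives on highly compressible data while the overlap check targets the structural trick itself.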
He said: "I hope that one of the benefits of this study is to make developers aware of the dangers of handling complex compression formats like Zip. It will also help people such as source code testers, customers and users know whether a compressed file is being processed normally."