Long thought done and dusted, zip bombs are back in new iterations that are once again keeping security researchers on their toes.
Imagine a harmless-looking zip file of a few kilobytes exploding into a system-crashing petabyte or exabyte load the moment you click to extract it.
That is a zip bomb, also called a decompression bomb or zip of death.
What is a Zip Bomb?
A zip bomb is a compressed archive, with either multiple nested layers or a single layer, which when extracted takes up far more space than most computers can handle.
The idea behind a zip bomb is to overwhelm the CPU and the antivirus programs with unzipping or scanning the contents while malware makes its way into the system.
However, most antivirus software can peek into a zip file without extracting it, and when it detects multiple compression layers it tags the file as a zip bomb and refrains from scanning it.
A classic example is 42.zip, which is just 42 KB when compressed. It has six layers of compressed data, with each of the first five layers holding 16 nested archives and the sixth layer a single 4.3 GB file.
Fully decompressed, however, it occupies a total of 4.5 PB.
1 PB = 1,000,000 GB = 1,000 TB.
For context, my laptop storage is just 512 GB, or approximately 0.5 TB, and the biggest external hard drive I have is 1 TB. So technically, most personal computers can crash when trying to recursively open 42.zip. And the funny thing is, you can easily download this file from the internet (at your own risk).
However, on their own, such bombs can mostly do nothing. Still, they can be accompanied by recursive unpacker scripts that unzip these zips of death to serve the malicious intent.
Types of Zip Bombs
Like all malware, zip bombs come in iterations with various effects and modus operandi.
Recursive Zip Bombs
These pack many layers inside a single zip file. The 42.zip we just discussed is a recursive zip bomb.
A special subset of recursive zip bombs is zip quines. They take this a notch higher: each unpack operation produces a copy of the archive itself, making it a compressed file with countless nested layers. In theory, you can't extract a zip quine completely, no matter the resources available.
Still, recursive zip bombs are dated, and modern antivirus programs are trained to identify their file structure and avoid processing them.
Non-Recursive Zip Bombs
David Fifield, the programmer behind this non-recursive archive, calls it 'a better zip bomb'.
Unlike its older cousin, it unpacks everything at once, without many rounds of decompression. This is achieved with a far higher compression ratio than is normally seen in zip files.
In general, the best any zip file can do is compress a file by a factor of 1032; that limit comes from the DEFLATE compression algorithm. David Fifield, however, devised a technique that lets non-recursive zip bombs expand more than 28 million times (1 KB to 26.7 GB) in a single round of unpacking.
Consequently, it is tougher to detect and poses a greater danger.
How Do Zip Bombs Work?
As already stated, zip bombs are harmless if they are never unzipped. They are only dangerous if some program on your system tries to auto-decompress every zip you download.
Besides, an outdated antivirus can fail to recognize the file structure and exhaust itself scanning a freshly downloaded zip bomb, in which case the system can crash.
Moreover, a recursive zip bomb can hide malware in a layer deeper than an antivirus will scan.
Those, however, are recursive zip bombs.
Non-recursive ones directly cripple system resources in a single round of extraction, without being detected by most current antivirus software.
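The "peek without extracting" check described above can be reproduced with a few lines of code. The following Python pre-screen is an added example, not code from the article or from any antivirus product: it reads only the sizes declared in the zip central directory, flags entries whose declared ratio is far above what ordinary data reaches (DEFLATE itself tops out near 1032:1), flags archives nested deeper than a fixed limit, and inflates nested archives only under a hard byte cap, because header fields can lie. The thresholds, the sample archives and the `.zip` suffix heuristic are constructed for the example.

```python
import io
import os
import zipfile

MAX_RATIO = 100            # DEFLATE cannot exceed ~1032:1; real-world data stays far below 100:1
MAX_TOTAL_BYTES = 1 << 30  # budget for the whole declared uncompressed payload (1 GiB)
MAX_DEPTH = 2              # archives nested deeper than this are treated as recursive bombs
NESTED_READ_LIMIT = 1 << 20  # never inflate more than 1 MiB of a nested archive while screening

def inspect_zip(data, depth=0):
    """Screen an in-memory zip; returns a list of findings (empty means nothing suspicious)."""
    if depth > MAX_DEPTH:
        return [f"nesting depth {depth} exceeds {MAX_DEPTH}"]
    findings, declared_total = [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            declared_total += info.file_size
            # Per-entry ratio from header fields only: nothing is decompressed for this check.
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                findings.append(f"{info.filename}: declared ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1")
            if info.filename.lower().endswith(".zip"):
                with zf.open(info) as fh:
                    inner = fh.read(NESTED_READ_LIMIT + 1)  # bounded read: declared sizes may lie
                if len(inner) > NESTED_READ_LIMIT:
                    findings.append(f"{info.filename}: nested archive too large to screen")
                else:
                    findings += [f"{info.filename} -> {f}" for f in inspect_zip(inner, depth + 1)]
    if declared_total > MAX_TOTAL_BYTES:
        findings.append(f"declared total {declared_total} bytes exceeds budget {MAX_TOTAL_BYTES}")
    return findings

def build_sample(nested_levels):
    """Constructed test input (not a real bomb): 1 MiB of zeros, deflated, then wrapped in
    `nested_levels` further zip layers so the depth check can be exercised."""
    data = _zip_one("zeros.bin", b"\0" * (1 << 20))
    for level in range(nested_levels):
        data = _zip_one(f"layer{level}.zip", data)
    return data

def _zip_one(name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def build_benign():
    # Constructed benign input: incompressible random bytes, declared ratio about 1:1.
    return _zip_one("random.bin", os.urandom(4096))
```

A clean screen is not a guarantee, since the declared sizes are attacker-controlled; whatever actually extracts the archive must still stop at a byte budget of its own.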
Staying Safe From Zip Bombs
The best way to stay safe is good internet hygiene. For starters, never download anything from untrusted sites, especially if the browser is screaming about the tragedy ahead.
The same goes for spam mail. Don't open attachments if you aren't sure about their source, and if your mail provider, like Gmail, is warning you about one, confirm its origin before interacting with it.
For instance, enter the attachment's file name in a search engine like Google and look at the results. Most zip bombs are documented, and you're likely to find results naming that exact file.
Still, here is a non-exhaustive list of steps to push you toward a safer internet.
In these times, when malware hides in plain sight, a good antivirus is half the work done. There are free ones, but free products often end up making a product out of their users.
Besides, the antivirus is at work every moment your computer is turned on, even when you don't notice it. Therefore, it's better to invest a little in a premium antivirus. These paid products offer advanced firewalls, system optimization tools, and extras like a VPN and a password manager for the ultimate cybersecurity.
Antivirus can save you from dangerous computer programs, but it's mostly helpless against social engineering.
Here, the victim is tricked into downloading and unzipping a zip bomb on the pretext that zip files aren't viruses. Some fall for such traps and end up installing malware on their system.
The victim may then face spyware, ransomware, phishing, etc., as the cybercriminal tries to steal personal information or inflict financial damage.
Here, the only savior is education. Everyone should study the scams going around and share what they learn with their peers.
It’s a Wrap!
Zip bombs are files that can fill your entire hard disk and more, becoming the ultimate resource hog and crashing the system.
And since they aren't exactly malware, identifying (non-recursive) zip bombs isn't always possible. Until that changes, the only protection is prevention.
One can achieve this by being internet aware, using a premium antivirus, and avoiding falling into any social engineering trap.
PS: We have this wholesome Geekflare Security section where we regularly add interesting reads for personal and business security. I suggest you bookmark it and try reading whatever seems relevant to you once in a while.
Hitesh works as a senior writer at Geekflare and dabbles in cybersecurity, productivity, games, and marketing. Besides, he holds a master's in transportation engineering. His free time is mostly about playing with his son, reading, or lying…