The engineer David Fifield has created a new kind of “Zip bomb” malware. The idea is that a relatively small file decompresses into an enormous eruption of data that paralyzes the system and saturates the computer's storage. The hacker has managed to compress 4500 petabytes into a small file of 49 MB … to highlight the flaws of the compression algorithm.
An old type of malware is making a comeback: Zip bombs, or compression bombs. The idea is to make a compressed file decompress into an avalanche of data, paralyzing the processor and RAM and saturating the hard disk with arbitrary data. Zip bombs have been around at least as long as data compression algorithms. One of the best-known examples is undoubtedly 42.zip, a 42-kilobyte ZIP file containing a 4.3-gigabyte file repeated 16^5 times (groups of 16 nested over 5 depth levels), for a total of 4.5 petabytes after decompression.
Malware: researcher brings compression bombs up to date
Until now, these were actually recursively compressed files. In other words, to really paralyze the system, the user had to choose recursive decompression in their favorite archiving program. The trick of researcher David Fifield is to have managed to create such a bomb without any recursion. This means that decompression happens in a single operation, which is potentially more effective at paralyzing the system on which the file is located.
Besides this XXL bomb, which achieves a record compression ratio of 97 million without recursion, the researcher also offers smaller files for the curious who would like to “see what it does”, in particular a file of just 42 kB that expands to 5.5 GB of data. All well and good … but what's the point? First of all, there is the intellectual challenge: if you are interested, David Fifield's blog post is full of details, curves and calculations that help you better understand how compression algorithms work.
Incidentally, David Fifield uncovers a flaw in the Zip compression algorithm. Moreover, in his article the author explains that patches are starting to be proposed under Linux to detect these malicious techniques (which can potentially paralyze entire datacenters) before attempting to decompress such files. Some antiviruses already detect these files, while others crash the system when they try to analyze them (the author names in particular AhnLab-V3, ClamAV, DrWeb, Endgame, F-Secure, GData, K7AntiVirus, K7GW, MaxSecure, McAfee, McAfee-GW-Edition, Panda, Qihoo-360, Sophos ML, VBA32, but patches should be available soon).
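As an added illustration of the kind of pre-extraction check the article refers to (example code written for this page, not Fifield's code nor any of the Linux patches), the following reads only a zip's central directory, without decompressing anything, and flags two signs of a bomb: a declared expansion ratio far beyond what DEFLATE can honestly produce, and member regions that overlap each other, which is how a non-recursive bomb reuses one compressed payload for many entries. The threshold and the sample archives are assumptions constructed for the example.

```python
import io
import zipfile

# Assumed threshold: DEFLATE cannot exceed roughly 1032:1 on a single member,
# so a whole-archive ratio well beyond a few hundred deserves a closer look.
MAX_RATIO = 200


def analyze_entries(entries, archive_size):
    """entries: list of (name, header_offset, compress_size, file_size) taken
    from the central directory. Returns the declared ratio and any findings."""
    total_c = sum(e[2] for e in entries)
    total_u = sum(e[3] for e in entries)
    ratio = total_u / max(total_c, 1)
    findings = []
    if ratio > MAX_RATIO:
        findings.append(f"declared expansion ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1")
    if total_c > archive_size:
        findings.append("compressed sizes add up to more than the archive: members must overlap")
    # A local file header is at least 30 bytes plus the file name, then the data.
    # Any later entry starting inside that span shares bytes with the earlier one.
    spans = sorted((off, off + 30 + len(name.encode()) + csize, name)
                   for name, off, csize, _ in entries)
    for (s1, e1, n1), (s2, _, n2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"{n2!r} overlaps {n1!r} (starts at {s2}, before {e1})")
    return {"ratio": ratio, "total_uncompressed": total_u, "findings": findings}


def inspect_zip(data: bytes):
    """Parse the central directory only; no member is ever decompressed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [(i.filename, i.header_offset, i.compress_size, i.file_size)
                   for i in zf.infolist()]
    return analyze_entries(entries, len(data))


def make_zip(members):
    """Constructed sample input: a well-formed in-memory archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()
```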