42 Kilobytes Unzipped Make 4.5 Petabytes

Martin Brinkmann
Jul 27, 2008
Updated • Nov 28, 2012
Security

In 2001, reports about Zip Bombs or Zip of Death attacks made the rounds on the Internet, and I thought it would be nice to write about one shiny harmless example of that technique. At first glance the file 42.zip is a normal compressed file with a size of 42 Kilobytes. Many users who run a virus scanner will probably run into trouble downloading that file to their computer.

It still looks like a normal 42 Kilobyte archive after the download, but the surprise begins when you try to unpack it. What the creators did was basically pack a 4.3 Gigabyte file consisting only of zeros. That packed file was replicated 16 times and packed again, and again, and again, and again. Or, to use their own words:

The file contains 16 zipped files, which again contain 16 zipped files, which again contain 16 zipped files, which again contain 16 zipped files, which again contain 16 zipped files, which contain 1 file, with the size of 4.3GB.

You could basically unpack the 42 Kilobyte file into 4.5 Petabytes of uncompressed data if you had enough hard drive space to do so. You usually do not, so you either need to browse the file in your archiver of choice or trust what the creator of the file has posted about it on the website.

The zip file is password protected, probably to keep it from being flagged by an antivirus program during download.
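As an added example (not part of the original post and not code from 42.zip's creators), the following Python checks what an archive declares it will expand to before anything is extracted: it sums the uncompressed sizes recorded in the zip headers, descends into nested archives only while they are small, and refuses encrypted entries it cannot look inside, which is exactly what the password on 42.zip prevents. The constructed sample uses a fan-out of 4 and a depth of 3 so it runs in seconds; the entry names lib{i}.zip and zeros.bin and the limits are my own assumptions.

```python
import io
import zipfile

# Added example: read only central-directory header values; nested archives are
# decompressed into memory only when small, and nothing is written to disk.
MAX_NESTED_BYTES = 1 << 20   # largest nested archive we will decompress into RAM
MAX_DEPTH = 8                # deeper nesting than this is refused outright

def declared_expansion(data: bytes, depth: int = 0) -> tuple[int, int]:
    """Return (declared payload bytes, deepest nesting level) without extracting."""
    if depth > MAX_DEPTH:
        raise ValueError(f"nesting deeper than {MAX_DEPTH} levels")
    total, deepest = 0, depth
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:           # encrypted: contents cannot be inspected
                raise ValueError(f"encrypted entry {info.filename}")
            if not info.filename.lower().endswith(".zip"):
                total += info.file_size        # header field only, no decompression
                continue
            if info.file_size > MAX_NESTED_BYTES:
                raise ValueError(f"nested archive {info.filename} too large to inspect")
            inner_total, inner_depth = declared_expansion(zf.read(info), depth + 1)
            total += inner_total
            deepest = max(deepest, inner_depth)
    return total, deepest

def safe_to_extract(data: bytes, limit: int = 1 << 30) -> bool:
    """True only if the archive was fully inspected and its payload fits in limit."""
    try:
        total, _ = declared_expansion(data)
    except (zipfile.BadZipFile, ValueError, RuntimeError):
        return False                           # anything we cannot inspect is unsafe
    return total <= limit

def build_nested_sample(fanout: int, depth: int, leaf_bytes: int) -> bytes:
    """Constructed test input shaped like 42.zip: fanout copies per level, zeros at the bottom."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if depth == 0:
            zf.writestr("zeros.bin", b"\0" * leaf_bytes)
        else:
            inner = build_nested_sample(fanout, depth - 1, leaf_bytes)
            for i in range(fanout):
                zf.writestr(f"lib{i}.zip", inner)
    return buf.getvalue()
```

For 42.zip itself the check stops at the first encrypted entry and returns False, so the file is never extracted; for an unencrypted bomb the declared total exceeds any sane limit long before a single byte reaches the disk.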

Update: Most modern antivirus programs should detect the file these days and block it from being extracted on the system. If you want to test your antivirus solution, download the file to your system and try to extract it. Watch what happens and let us know how it turns out for you.


Comments

  1. Randy said on January 7, 2015 at 11:56 pm

    BitDefender 2015 blocked MY access to 42.zip, yet started to extract it itself, claiming to disinfect it. Even several restarts after deleting the file did not stop it, I’m now battling constant low RAM errors ;.;

  2. BlueRaja said on January 31, 2014 at 11:21 pm

    How about this one:
    http://swtch.com/r.zip
    It’s a zip-file that contains itself, so its uncompressed size is “infinite.” It’s a zip-quine!

  3. Alex said on January 28, 2014 at 1:18 am

    Microsoft System Center Endpoint Protection went full red when I tried extracting this. I pasted in all the information it told me about it.

    Name: DOS:Win32/ZipBomb.A
    Alert Level: Severe
    Status: Active
    Category: Trojan Denial of Service
    Description: This program can be used to perform a denial of service attack.
    Recommended action: Remove this software immediately.
    Items: (Insert Very Long List of Files here)

  4. K said on January 27, 2014 at 11:10 pm

    Could someone explain to me why Windows starts choking when I extract one of the archives? Disk space isn’t an issue. WinRAR finishes without any issue. Some Windows service starts using an entire core of CPU and eats all available memory.

    So if I extract this on a USB, w/o a password, and plug it into a workstation, I would crash it?

    Recursion gone wrong?!

  5. Aaron said on January 27, 2014 at 9:44 pm

    Bitdefender did not catch it either… It even went as far as stating that it cannot be scanned because it is password protected. Good thing they have a file shredder.

  6. matthias said on January 27, 2014 at 9:38 pm

    If you know the algorithm well enough that you can predict how it will zip a given file of XYZ sequence of bytes into a file of ABC bytes, then you should be able to reverse the process and hand code a zip file of ABC bytes that will hypothetically unzip to whatever XYZ sequence you want.

  7. scodger said on January 27, 2014 at 8:59 pm

    I love this video describing a petabyte in real terms.
    http://archive.org/details/10000000000000000BytesArchived?start=1735

  8. fokka said on January 27, 2014 at 8:03 pm

    um, so when unpacking the first level of the zip, you’re still in the kilobytes, right? you just got 16 tiny zips instead of one.

    also martin, now you know what reddit frontpage feels like! ;)

    1. Martin Brinkmann said on January 27, 2014 at 8:23 pm

      Ah, that’s the reason why everything is slower than usual :)

      1. Anonymous said on January 28, 2014 at 2:12 am

        Reddit…

      2. Caspy7 said on January 27, 2014 at 10:19 pm

        And why suddenly people are commenting on a 5+ year old entry.

  9. Trixy said on January 27, 2014 at 6:34 pm

    Microsoft Security Essentials doesn’t see anything wrong with this file, either.

  10. quatzar said on January 27, 2014 at 6:08 pm

    linux mint no anti virus
    Downloaded
    opened fine can see directory tree
    extract asked for pass then just made the parent directory \42
    checked the process – ark using 0% resources…

    extract here does nothing not even ask for password.

  11. Weegee said on July 14, 2013 at 12:27 am

    “It is usually not enough to do just that”
    Correction: It is NEVER enough to do that. I cannot find any hard drives bigger than 5TB (Terabyte). 1024 Terabytes equal 1 Petabyte. 1024 Petabytes is 1 Exabyte. If there’s 4 Petabytes, that would require a shitton of more space than the current maximum. Sure big ass companies have way bigger custom hard drives, but still they are nowhere near the size of 4 PB.

    1. uasfaouigaioasoid said on August 21, 2013 at 4:55 pm

      You can put like 1000 drives to raid? Pls don’t try to be smart when u aren’t…

      1. Brian said on January 29, 2014 at 2:16 am

        1000 * 5TB is still only going to be just under 5PB..

  12. Snapp said on December 7, 2010 at 11:02 pm

    ESET didn’t catch it either :/

  13. 0somo1 said on May 9, 2010 at 9:12 am

    nortAN FAILS BREEWWWWWW

  14. 0somo1 said on May 9, 2010 at 9:12 am

    i want one aswell share ? nerd

  15. Angelo R. said on July 30, 2008 at 1:01 am

    When I was testing them a few months ago, neither did Norton and CA

  16. b said on July 29, 2008 at 7:58 pm

    “I just tried to download it. McAfee did not catch it.”

    Not a surprise there — I’m sure most of their budget goes to advertising and scare tactics, rather than actual development.

  17. Dante said on July 28, 2008 at 5:21 pm

    I just tried to download it. McAfee did not catch it. Avira did.

  18. Angelo R. said on July 28, 2008 at 4:41 pm

    @rhmelis: That’s actually pretty awesome. I wasn’t sure if a lot of major Anti-Virus programs actually did catch them or not.

  19. rhmelis said on July 28, 2008 at 1:50 pm

    When clicking on the 42.zip link, Avast warns me that it is a Multi:ArchiveBomb :)

  20. TechBender said on July 28, 2008 at 10:28 am

    A simple concept, but interesting.

    Instructions for Unzipper
    1. Write a 1.
    2. Write a billion billion billion 0s
    3. Write another 1.
    4. Rinse and repeat

    Pure genius.

  21. Angelo R. said on July 28, 2008 at 5:43 am

    A lot of people will actually use hex editors to edit the file AFTER it has been zipped up; this helps keep the file size small when you’re creating it.

    http://en.wikipedia.org/wiki/Run-length_encoding

    That should be interesting further reading for people who would like to learn more.

  22. Pavan Kumar said on July 28, 2008 at 3:43 am

    Never heard of such things before… Thanks for the info…

  23. Cyberbite said on July 28, 2008 at 1:49 am

    This is Madness!!!

    TTHHISS is… Size Attack. :p

  24. Denny said on July 27, 2008 at 11:37 pm

    eh … so … Gigabytes or Petabytes ?!?

    I would love to see home PC capable of storing 4 Petabytes (or at least one).

  25. Pete said on July 27, 2008 at 7:12 pm

    The latest news is always in gHacks, really! The best of bleeding-edge technology.

  26. Votre said on July 27, 2008 at 7:09 pm

    At least I’d hope it would lock up an AV scan. Anything that crowbars my scanner is not something even I’d be dumb enough open.

  27. Angelo R. said on July 27, 2008 at 5:42 pm

    Decompression bombs have been around for a while. A lot of anti-virus programs wouldn’t recognize what it was, and if you tried to scan it, they would actually freeze up.

  28. Rarst said on July 27, 2008 at 5:21 pm

    It’s even more fun when that is not a joke but a seriously unoptimized program. I once encountered an app that had some extra data packed in 10Kb zips… Which unpacked to 100+Mb each.

  29. Mike said on July 27, 2008 at 4:44 pm
    Reply

    This is a very old hack; it has been used in the past to take down old Microsoft Exchange 5.5 servers.

    1. Anonymous said on September 11, 2014 at 1:10 pm

      O RLY
