42 Kilobytes Unzipped Make 4.5 Petabytes
In 2001, reports about Zip Bombs or Zip of Death attacks made the rounds on the Internet, and I thought it would be nice to write about one harmless example of that technique. At first glance the file 42.zip looks like an ordinary compressed file with a size of 42 Kilobytes. Many users who run a virus scanner will probably run into trouble downloading that file to their computer.
It still looks like a normal 42 Kilobyte archive after the download, but the surprise begins when you try to unpack it. What its creators did was basically pack a 4.3 Gigabyte file consisting only of zeros, which compresses extremely well. That packed file was replicated 16 times and packed again, and that step was repeated until there were five nested levels of 16 archives each. Or, to use their own words:
The file contains 16 zipped files, which again contain 16 zipped files, which again contain 16 zipped files, which again contain 16 zipped files, which again contain 16 zipped files, which contain 1 file, with the size of 4.3GB.
That is 16^5 = 1,048,576 copies of the 4.3 Gigabyte file, so you could basically unpack the 42 Kilobyte file into about 4.5 Petabytes of uncompressed data if your hard drive had enough space to do that. It usually does not, so you either browse the file in your archiver of choice, which lists the nested archives and their declared uncompressed sizes without inflating anything, or believe what the creator of the file has posted about it on the website.
The zip file is password protected, probably to prevent antivirus programs from inspecting its contents and flagging it during download.
Update: Most modern antivirus programs should detect the file these days and block it from being extracted on the system. If you want to test your antivirus solution, download the file to your system and try to extract it. Watch what happens and let us know how it turns out for you.
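The nesting described above, as an added example that is not part of the original post or the work of 42.zip's creators: a Python script that builds a scaled-down archive with the same layout (a file of zeros, packed, then copied four times per level for three levels) and then sizes it the way a careful archiver or scanner should, by reading the central directory of each archive rather than inflating the leaf files. The function names build_nested_bomb, declared_uncompressed_size and looks_like_bomb, the 1 MiB leaf, the four-by-three layout and the depth and size limits are choices made for this example, not anything taken from 42.zip.

```python
import io
import zipfile


def build_nested_bomb(levels: int, fanout: int, leaf_size: int) -> bytes:
    """Build a scaled-down archive with the 42.zip layout (constructed example).

    A file of leaf_size zero bytes is deflated once; the resulting archive is
    copied fanout times into a new archive, and that step is repeated levels
    times. The expanded size is fanout**levels * leaf_size bytes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * leaf_size)  # zeros deflate ~1000:1
    current = buf.getvalue()
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(fanout):
                zf.writestr(f"level{level}_{i}.zip", current)
        current = buf.getvalue()
    return current


def declared_uncompressed_size(data: bytes, max_depth: int = 8,
                               max_nested_bytes: int = 8 << 20) -> dict:
    """Estimate what an archive would expand to without extracting it.

    Leaf members contribute the uncompressed size recorded in the central
    directory (ZipInfo.file_size); they are never inflated. A member that
    looks like a nested zip is inflated in memory only if it is not
    encrypted, its declared size is at most max_nested_bytes and the nesting
    depth is below max_depth, so the scan itself stays bounded. Nested
    archives that could not be opened are counted in "unopened", in which
    case "total" is only a lower bound (the 42.zip situation: its inner
    archives are password protected).
    """
    result = {"total": 0, "depth": 0, "unopened": 0, "encrypted": 0}

    def walk(blob: bytes, depth: int) -> None:
        result["depth"] = max(result["depth"], depth)
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for zi in zf.infolist():
                encrypted = bool(zi.flag_bits & 0x1)  # bit 0: PKZIP encryption
                if encrypted:
                    result["encrypted"] += 1
                nested = zi.filename.lower().endswith(".zip")
                if (nested and not encrypted and depth + 1 < max_depth
                        and zi.file_size <= max_nested_bytes):
                    inner = zf.read(zi)
                    if zipfile.is_zipfile(io.BytesIO(inner)):
                        walk(inner, depth + 1)
                        continue
                if nested:
                    result["unopened"] += 1  # expansion unknown from here down
                result["total"] += zi.file_size

    walk(data, 0)
    result["ratio"] = result["total"] / max(len(data), 1)
    return result


def looks_like_bomb(report: dict, max_ratio: float = 100.0,
                    max_total: int = 1 << 30) -> bool:
    """Flag implausible expansion, or expansion that could not be bounded."""
    return (report["ratio"] > max_ratio
            or report["total"] > max_total
            or report["unopened"] > 0)


if __name__ == "__main__":
    bomb = build_nested_bomb(levels=3, fanout=4, leaf_size=1 << 20)
    print(f"archive: {len(bomb)} bytes")
    print(declared_uncompressed_size(bomb))          # 64 MiB declared
    print(declared_uncompressed_size(bomb, max_depth=2))  # bounded scan
```

The point of the bounded scan is that a scanner should never have to inflate the 4.3 Gigabyte leaves to know the archive is dangerous: the central directory already states their size, and once a nested archive cannot be opened, whether because of depth, size or a password, the only safe verdict is to treat the expansion as unbounded rather than as the few kilobytes the outer listing shows.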
BitDefender 2015 blocked MY access to 42.zip, yet started to extract it itself, claiming to disinfect it. Even several restarts after deleting the file did not stop it, I’m now battling constant low RAM errors ;.;
How about this one:
http://swtch.com/r.zip
It’s a zip-file that contains itself, so its uncompressed size is “infinite.” It’s a zip-quine!
Microsoft System Center Endpoint Protection went full red when I tried extracting this. I pasted in all the information it told me about it.
Name: DOS:Win32/ZipBomb.A
Alert Level: Severe
Status: Active
Category: Trojan Denial of Service
Description: This program can be used to perform a denial of service attack.
Recommended action: Remove this software immediately.
Items: (Insert Very Long LIst of Files here)
Could someone explain to me why Windows starts choking when I extract one of the archives? Disk space isn’t an issue. WinRAR finishes without any issue. Some Windows service starts using an entire core of CPU and eats all available memory.
So if I extract this on a USB, w/o a password, and plug it into a workstation, I would crash it?
Recursion gone wrong?!
Bitdefender did not catch it either… It even went as far as stating that it cannot be scanned because it is password protected. Good thing they have a file shredder.
If you know the algorithm well enough that you can predict how it will zip a given file of XYZ sequence of bytes into a file of ABC bytes, then you should be able to reverse the process and hand code a zip file of ABC bytes that will hypothetically unzip to whatever XYZ sequence you want.
I love this video describing a petabyte in real terms.
http://archive.org/details/10000000000000000BytesArchived?start=1735
um, so when unpacking the first level of the zip, you’re still in the kilobytes, right? you just got 16 tiny zips instead of one.
Also, Martin, now you know what the Reddit front page feels like! ;)
Ah, that’s the reason why everything is slower than usual :)
Reddit…
And why suddenly people are commenting on a 5+ year old entry.
Microsoft Security Essentials doesn’t see anything wrong with this file, either.
linux mint no anti virus
Downloaded
opened fine can see directory tree
extract asked for pass then just made the parent directory \42
checked the process – ark using 0% resources…
extract here does nothing not even ask for password.
“It is usually not enough to do just that”
Correction: It is NEVER enough to do that. I cannot find any hard drives bigger than 5TB (Terabyte). 1024 Terabytes equal 1 Petabyte. 1024 Petabytes equal 1 Exabyte. If there are 4 Petabytes, that would require a shitton more space than the current maximum. Sure, big-ass companies have way bigger custom hard drives, but still they are nowhere near the size of 4 PB.
You can put like 1000 drives in a RAID? Please don’t try to be smart when you aren’t…
1000 * 5TB is still only going to be just under 5PB..
ESET didn’t catch it either :/
nortAN FAILS BREEWWWWWW
I want one as well, share? nerd
When I was testing them a few months ago, neither did Norton nor CA
“I just tried to download it. McAfee did not catch it.”
Not a surprise there — I’m sure most of their budget goes to advertising and scare tactics, rather than actual development.
I just tried to download it. McAfee did not catch it. Avira did.
@rhmelis: That’s actually pretty awesome. I wasn’t sure if a lot of major Anti-Virus programs actually did catch them or not.
When clicking on the 42.zip link, Avast warns me that it is an Multi:ArchiveBomb :)
A simple concept, but interesting.
Instructions for Unzipper
1. Write a 1.
2. Write a billion billion billion 0s
3. Write another 1.
4. Rinse and repeat
Pure genius.
A lot of people will actually use hex editors to edit the file AFTER it has been zipped up; this helps keep the file size small when you’re creating it.
http://en.wikipedia.org/wiki/Run-length_encoding
That should be of interest as further reading for people who would like it.
Never heard of such things before… Thanks for the info…
This is Madness!!!
TTHHISS is… Size Attack. :p
eh … so … Gigabytes or Petabytes ?!?
I would love to see home PC capable of storing 4 Petabytes (or at least one).
The latest news is always in gHacks, really! The best of bleeding-edge technology.
At least I’d hope it would lock up an AV scan. Anything that crowbars my scanner is not something even I’d be dumb enough open.
Decompression bombs have been around for a while. A lot of anti-virus programs wouldn’t recognize what it was, and if you tried to scan it, they would actually freeze up.
It’s even more fun when that is not a joke but a seriously unoptimized program. I once encountered an app that had some extra data packed in 10Kb zips… which unpacked to 100+Mb each.
This is a very old hack; it has been used in the past to take down old Microsoft Exchange 5.5 servers.
O RLY