A zip bomb (aka decompression bomb, compression bomb, archive bomb, or zip of death) is a malicious archive file that can disable a program or system when unpacked, because processing it requires too much memory or puts an excessive load on the CPU. Usually such an effect is the result of the large difference in size between the compressed and decompressed data.
Zip bomb types
There are two main types of zip bombs:
- Recursive
- Non-recursive
Recursive bombs contain multiple nested archives that are unpacked one after another. An attack using such a file succeeds only if the attacked program supports recursive unpacking. A classic example of a recursive bomb is 42.zip, a file consisting of six layers of nested archives. It is just 42 kilobytes compressed, but after unpacking all the layers its size increases to 4.5 petabytes (4.5 million gigabytes). Recursive zip bombs also include zip quines — archives containing a copy of themselves, resulting in endless unpacking.
Non-recursive bombs are characterized by a very high data compression ratio. For a regular archive, this value does not exceed 1032 to one. But in the case of a zip bomb, it can reach millions to one. This is achieved through overlapping files, a technique proposed by U.S. programmer David Fifield. Instead of compressing many identical files individually, the zip bomber uses one “kernel” (a single block of compressed file contents) to which every entry in the archive points. During unpacking, as many files are reconstructed from it as there are entries in the archive. The more entries there are, the higher the compression ratio. As a result, unpacking a single layer has the same effect as unpacking numerous layers of a recursive bomb.
Zip bomb use
Zip bombs are often used for malicious purposes. For example, attackers distribute them to disable antivirus software and then download malware onto the computer unhindered.
But zip bombs can be used against intruders too. For example, in 2017, Austrian programmer Christian Haschek suggested that website developers should use zip bombs to protect against hackers. He created a PHP script to detect suspicious requests and respond with a GZip bomb. The browser or vulnerability scanner that sent the request to the server attempts to unpack the archive and either hangs or returns an error.
Zip bomb danger
Zip bombs presently pose little or no threat to users for the following reasons:
- Many programs do not support recursive unpacking, and one unpacked layer does not contain all that much data. This makes recursive zip bombs pointless.
- Most modern security solutions are able to spot and block all types of zip bombs and warn the user of the danger.
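The checks a security product performs before unpacking an archive, as described above, can be reproduced with nothing more than the archive's central directory: the declared compressed and uncompressed size of each entry gives the compression ratio, the local file header offsets reveal whether entries overlap (the technique behind non-recursive bombs described earlier), and a four-byte peek at each entry's contents reveals a nested archive. The following is an added example written for this page, not code from the original article or from any product it mentions; the thresholds (100:1 per entry, 512 MiB declared total) are assumed policy values, and the sample archives are constructed inline.

```python
"""Pre-extraction zip bomb checks using only the Python standard library.

Added example for this page (not the article's own code). The limits below
are assumed policy values, not figures from the article.
"""
import io
import struct
import zipfile

MAX_RATIO = 100                              # assumed: declared size / compressed size per entry
MAX_TOTAL_UNCOMPRESSED = 512 * 1024 * 1024   # assumed: 512 MiB declared total
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte local file header (PK\x03\x04)
ZIP_MAGIC = b"PK\x03\x04"


def inspect_zip(data: bytes) -> dict:
    """Inspect an in-memory zip without extracting it.

    Returns a dict with: high_ratio (entry names over MAX_RATIO), nested
    (entries whose contents start with a zip signature), total_uncompressed
    (sum of declared sizes), overlap (two entries share bytes on disk) and
    malformed (a local header is not where the central directory says it is).
    """
    findings = {"high_ratio": [], "nested": [], "total_uncompressed": 0,
                "overlap": False, "malformed": False}
    regions = []  # (start, end) of each entry's local header + compressed data
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings["total_uncompressed"] += info.file_size
            # Ratio from the central directory only; nothing is decompressed here.
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings["high_ratio"].append(info.filename)
            # Content sniffing: read only 4 decompressed bytes, so a nested
            # archive is detected even when its name does not end in .zip.
            with zf.open(info) as fh:
                if fh.read(4) == ZIP_MAGIC:
                    findings["nested"].append(info.filename)
            # Parse the real local header to find where this entry's bytes end.
            off = info.header_offset
            hdr = data[off:off + LOCAL_HEADER.size]
            if len(hdr) < LOCAL_HEADER.size or hdr[:4] != ZIP_MAGIC:
                findings["malformed"] = True
                continue
            fields = LOCAL_HEADER.unpack(hdr)
            name_len, extra_len = fields[9], fields[10]
            end = off + LOCAL_HEADER.size + name_len + extra_len + info.compress_size
            regions.append((off, end))
    # Overlapping entries: a later entry starts before the previous one ends.
    regions.sort()
    for (s1, e1), (s2, _) in zip(regions, regions[1:]):
        if s2 < e1:
            findings["overlap"] = True
            break
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if any check trips; a defender would quarantine rather than unpack."""
    f = inspect_zip(data)
    return bool(f["high_ratio"] or f["nested"] or f["overlap"] or f["malformed"]
                or f["total_uncompressed"] > MAX_TOTAL_UNCOMPRESSED)


def build_sample(payload: bytes, name: str) -> bytes:
    """Constructed sample archive with a single DEFLATE entry (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: an ordinary text file, a highly compressible file whose
# ratio is roughly 1000:1 (well over the assumed 100:1), and an archive nested
# under a non-.zip name.
BENIGN = build_sample(b"hello, this is an ordinary text file\n" * 20, "notes.txt")
HIGH_RATIO = build_sample(b"\0" * (4 * 1024 * 1024), "zeros.bin")
NESTED = build_sample(BENIGN, "inner.dat")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("high-ratio", HIGH_RATIO), ("nested", NESTED)):
        print(label, inspect_zip(sample), "suspicious" if is_suspicious(sample) else "ok")
```

Because every check reads sizes and offsets from the central directory and at most four decompressed bytes per entry, the inspector itself cannot be exhausted by the archive it inspects, which is the property a scanner needs when the archive may be a bomb.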