Zipbomb detection in ZipGenius X (and a little surprise) [VIDEO]

Zipbombs are something of a blast from the past: they were widely used to attack someone's computer with a single, friendly-looking zip file that can decompress to tons of data, up to some petabytes (where 1 PB is 1000 terabytes). Unfortunately they're coming back, and they are more subtle than before.

What is a zipbomb?

A zipbomb is a specially crafted zip archive that can make your computer hang or crash, because upon extraction it sucks up all resources and free disk space. There are two kinds of zipbombs:

  • Nested zipbombs: the zip archive has a recursive structure with a given number of nested zip files, each one holding a clone of that recursive structure, repeated for many depth levels; the final level of this unbelievably huge structure holds a text file whose original size can amount to many gigabytes. A text file is used because the zip compression algorithm is specialized for compressing text: it replaces repeating patterns with a symbol that acts as a placeholder (the algorithm, in fact, builds a dictionary of patterns and symbols during compression), so a text file with many repeating patterns can shrink by about 99% of its size, and this property is vital for making a zipbomb. Let's say we have a zip archive that holds 16 zip archives, each one holding another 16 zip archives, and so on for 10 levels, and the final level holds a text file that decompresses to 4 gigabytes; we can easily calculate the final size of this zipbomb:

16 to the 10th power times 4 GB: a whopping 4 zettabytes!

  • Flat zipbombs: these zipbombs don't have a recursive structure but store many text files at the top level of the archive, exploiting the high compression ratio that the zip algorithm achieves on text files. If you meet a zip archive with lots of text files inside, all with the same (large) uncompressed size, the same CRC-32 and all with the uncommon compression ratio of 100%, don't dare to decompress it, because that's clearly a zipbomb.

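As an added illustration (not ZipGenius X's own detector, whose method the post does not disclose), here is a Python check that applies both observations above: the expansion arithmetic for the nested 16-by-10-level example, and the flat-bomb signature read from the central directory without extracting anything. The thresholds and the constructed sample archive are assumptions made for this example.

```python
import io
import zipfile
from collections import Counter

# Thresholds are assumptions for this example, not ZipGenius X's own values.
MIN_CLONES = 4          # identical members needed before the archive is flagged
RATIO_THRESHOLD = 0.99  # "about 100%" compression: output is >= 100x the input

def compression_ratio(info: zipfile.ZipInfo) -> float:
    """Fraction of the member removed by compression (0.99 means 99%)."""
    if info.file_size == 0:
        return 0.0
    return 1.0 - info.compress_size / info.file_size

def nested_expansion(fan_out: int, depth: int, leaf_size: int) -> int:
    """Declared output of a nested bomb: fan_out archives per level for depth
    levels, one leaf of leaf_size bytes at the bottom (16, 10, 4 GiB -> 4 ZiB)."""
    return fan_out ** depth * leaf_size

def detect_flat_zipbomb(data: bytes) -> dict:
    """Read only the central directory (nothing is extracted) and flag the
    flat-bomb pattern: many members with the same uncompressed size and CRC-32,
    each compressed by about 100%. Nested .zip members are listed, not opened."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    # Clones of one text file all land in the same (size, CRC-32) bucket.
    buckets = Counter((i.file_size, i.CRC) for i in infos
                      if compression_ratio(i) >= RATIO_THRESHOLD)
    clones = max(buckets.values(), default=0)
    declared = sum(i.file_size for i in infos)
    on_disk = sum(i.compress_size for i in infos)
    return {
        "max_clones": clones,
        "declared_output": declared,
        "expansion_factor": declared / max(on_disk, 1),
        "nested_archives": [i.filename for i in infos
                            if i.filename.lower().endswith(".zip")],
        "suspicious": clones >= MIN_CLONES,
    }

def build_sample(n_files: int = 8, size: int = 1 << 20) -> bytes:
    """Constructed fixture: n identical, repetitive text members, a few KiB on
    disk but n MiB declared (the shape described above, at toy scale)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for k in range(n_files):
            zf.writestr(f"file{k}.txt", "A" * size)
    return buf.getvalue()
```

Because the check never inflates a member, it costs only a central-directory read, which is what makes it safe to run on an untrusted archive before extraction.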
Why are they coming back?

Many threat actors are abusing modern file types that truly are zip files: just think of modern Office file types (.docx, .xlsx, .pptx, …) and don't forget LibreOffice documents: they are all zip archives that the legitimate applications temporarily decompress to rebuild the document on the user's desktop. If a zipbomb is injected into one of these files, your computer may hang or crash, and you may face further unexpected consequences.

We cover your back!

We have developed a zipbomb detection method for ZipGenius X and its command line module. Watch the following video on our YouTube channel to discover what it is all about, and wait for the end: we have a nice surprise for you all.
