Decompression Bombs

From random discussions I’ve had with people over the last few months, it seems to me that not too many people really know about a particularly nasty and cunning form of computer attack: the decompression bomb.

First, think about compressing data. Most of us have used an application like WinZip or some similar tool to make our files smaller, albeit temporarily less accessible. These programs take advantage of how signal-to-noise ratios work in most representations of data; that is, the way we try to represent information is almost always inefficient. There are usually techniques available for removing the parts that aren’t so important, and letting important (or common) information take less space.

For example, the algorithm behind the ZIP programs is largely based on LZW compression: a technique that collapses common substrings down into single codes. Obviously, I’ve completely glossed over how it works, but if you want to know more, the information is out there (any computing scientist worth their salt should have at least an idea of how this sort of thing works).

Using a randomly selected document of, say, English text, you would expect a maximum compression ratio of 10:1. That is, given a 100k file, you would expect a zip file of around 10k. That’s pretty good compression! The language being used and the specific text will cause the compression ratio to vary greatly, but the principles remain the same.

The thing is, if you carefully construct an example document, you can get a compression ratio much higher. How much higher? MUCH, MUCH higher. For example, if you created a PNG image containing just one colour repeated over and over, then you could easily get a 1000:1 ratio. For a text document containing 1 character repeated over and over, it’s possible to shrink 100Gb to about 6k. Think about that: it is a huge difference, 1.7e7:1.

That’s all well and good as an interesting experiment, but what does it mean for an average user? Imagine I had constructed one of those zip files that had shrunk 100Gb down to 6k and I sent you that file. If you trusted me, you might try to open it. Therein lies the problem: while you can readily accept the zipped file, the chances that you have the 100Gb of free memory (including virtual memory) to accommodate the decompressed file are bloody slim. When you try to open one of these files, your computer will quickly become overwhelmed and stop responding; all of the free memory having been used up, it can’t do anything else. You effectively suffer a denial of service attack.

That is what we call a decompression bomb.

There is another factor that could cause problems for people who are careful when opening files: well-meaning programs can open them anyway. If the file arrives on your system (either by explicit downloading or by, say, a mail program fetching it), it’s likely that anti-virus software installed on your system would then want to check if the file contained any viruses. To do this, it pretty much has to decompress the file in memory, leading to the same problem. Oh dear.

Most modern anti-virus software has some defences against decompression bombs, but they can still cause significant system lock-ups while figuring it out. Perhaps more evil is compressed web content, whether images or GZip encoded HTML. No modern browser has a strong defence against decompression bombs. Relatively small files (100Mb decompressed) are usually handled quite well, in that the browser doesn’t crash completely, but go much bigger and most systems will run into trouble. Because browsers, sensibly, accept GZip encoding by default, any URL can hide a problem.
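The two points above, that repetitive input compresses by a huge factor and that a consumer of compressed data (an anti-virus scanner or a browser receiving GZip-encoded content) must not assume the output will fit in memory, can be shown together with a few lines of Python. This is an added example and not code from the original post; it uses only the standard library’s zlib module, and the “bomb” it works on is a constructed sample of a few megabytes of repeated zeros rather than anything from the post. The defensive half inflates a stream in fixed-size pieces and aborts the moment the output exceeds a budget, which is the general form of the protection the post says anti-virus products have added.

```python
import zlib


def make_repetitive_gzip(payload_size: int, chunk: int = 1 << 20) -> bytes:
    """Constructed sample input: payload_size identical bytes, gzip-compressed at
    level 9. This models the 'one character repeated over and over' document
    from the post. The zeros are fed in chunks so building a large payload never
    needs the whole plaintext in memory at once."""
    comp = zlib.compressobj(level=9, wbits=31)   # wbits=31: write a gzip container
    zeros = b"\x00" * chunk
    out = []
    remaining = payload_size
    while remaining > 0:
        n = min(chunk, remaining)
        out.append(comp.compress(zeros[:n]))
        remaining -= n
    out.append(comp.flush())
    return b"".join(out)


def compression_ratio(compressed: bytes, original_size: int) -> float:
    """Decompressed bytes per compressed byte, e.g. 10.0 for the post's 10:1."""
    return original_size / len(compressed)


class DecompressionLimitExceeded(Exception):
    """Raised when a stream inflates past the caller's output budget."""


def inflate_bounded(data: bytes, max_output: int, out_chunk: int = 64 * 1024) -> bytes:
    """Inflate a gzip or zlib stream without trusting any size it claims.
    A gzip stream carries no size up front (the ISIZE field sits in the trailer
    and is attacker-controlled anyway), so the only reliable guard is to count
    output as it is produced and stop as soon as the budget is exceeded.
    decompressobj's max_length argument caps each call's output at out_chunk
    bytes, so memory use stays below max_output + out_chunk even when a few
    kilobytes of input would inflate to gigabytes."""
    d = zlib.decompressobj(wbits=47)             # wbits=47: accept zlib or gzip headers
    out = bytearray()
    pending = data
    while pending or not d.eof:
        piece = d.decompress(pending, out_chunk)
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"output exceeded the {max_output}-byte budget; stream abandoned"
            )
        pending = d.unconsumed_tail             # input zlib has not consumed yet
        if not piece and not pending:
            break                                # no progress: stream is truncated
    return bytes(out)


def is_decompression_bomb(data: bytes, max_output: int) -> bool:
    """True if inflating data would exceed max_output bytes. The stream is
    abandoned at the limit rather than fully expanded, so a 'yes' costs at
    most max_output bytes of memory."""
    try:
        inflate_bounded(data, max_output)
    except DecompressionLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    size = 10 * 1024 * 1024                      # 10 MiB of zeros: a modest demo size
    bomb = make_repetitive_gzip(size)
    print(f"{size} bytes -> {len(bomb)} bytes, ratio {compression_ratio(bomb, size):.0f}:1")
    print("bomb under a 1 MiB budget:", is_decompression_bomb(bomb, 1 << 20))
    print("bomb under a 16 MiB budget:", is_decompression_bomb(bomb, 16 << 20))
```

Deflate tops out at roughly 1000:1 on a run of identical bytes, so the 10 MiB sample collapses to about 10 KiB, which is the same order as the PNG figure quoted above. The budget in `inflate_bounded` is the knob a scanner or HTTP client would set from the memory it is willing to spend on one file; anything that blows through it is reported without ever being fully expanded.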

Thankfully, problems don’t arise much in practice because there is little to be gained from this activity: if you take out someone’s system, you’ve annoyed them but you can rarely turn this to your advantage, i.e. you can’t illicitly install spyware.

If you want to see some more figures or examples (at your own risk), then the AERAsec decompression bomb page is a great start. It’s where I got a few of my figures from (so thanks for that!), and has a link to some real examples you can try.

Now, Decompression Bombs Part 2 outlines some real-life examples and answers a few questions!

  1. Thomas Osterlind

    Hi!
    How concerned should I be about Avast giving file-shared music files and film files the message “Unable to scan: This file is a decompression bomb.”? I can understand that zip and rar files may be decompression bombs but not music files and film files. These are not compressed in the same way and should not be dangerous.
    If the answer is “They may be dangerous” I would like to know how dangerous, and if it is worth taking the risk.

  2. harry

    Ya, I have Avast, and I did a scan and found 2 Compression Bombs. BUT, like someone said before me, DO NOT DELETE them without looking to see what they are!

    The two “bombs” that were found on my comp were actually just large files required for Crysis. So be sure to check every “bomb” before you delete it.

  3. YEisHere!

    Hi!

    GREAT article AND comments/suggestions! I switched to AV [again] after my AdAware stopped being able to update. . . Once I installed SP3 I’ve been inundated with trojans, viruses and everything else — in spite of my trusty ZoneAlarm firewall/virus protection subscription. . . AV has been helpful w/getting things cleaned up and blocking new attacks, yet I’d prefer to go back to AdAware for its simplicity. Any thoughts?

    Thnx much,
    YE is Here!

  4. inane

    Hi there, Just wanted to point out to a number of people who are worried about decompression bombs being reported by Avast.

    Check that they aren’t actually AVI or other video files, as Avast will report these as decompression bombs. Technically they are, but you only decompress them on the fly when watching them, and generally the size is handled by your codecs.

  5. Zephiris

    This is one of the worst examples of scare tactics I’ve ever seen. There’s no such thing as a “decompression bomb”.

    If you compress something down very small, good for you. When you try to open it, it doesn’t somehow automagically decompress and make everything explode.

    Compression utilities use a memory frame for converting compressed data to decompressed data, and vice-versa. This is directly based on the ‘dictionary size’ used for compression. It’s much larger for compression than decompression.

    If someone sends you a 100GB file, you don’t need 100GB of memory to decompress it. That’s just inane and ‘scary’ to suggest. If someone uses a 16MB dictionary size (very common), you only need some 20MB free to successfully decompress.

    Depending on compression methods, the maximum dictionary size might be 1MB, or 1GB, but I’ve yet to see anything with a dictionary size of more than 1GB, and never seen anyone use that size. Using presets will typically allow 64MB or less.

    The average compression program allows you to easily see the contents, and size (both before and after) by default, before any real decompression is done.

    You could theoretically take up someone’s disk space with such an “attack”, but it’s effortlessly remedied by DELETING the file. This can’t be embedded into anything else, either.

    Even comprehensive anti-virus will only scan the first N megabytes of a file by default, or skip things it estimates will take too long. It won’t load the entire file into memory at once then, either.

    In such a technical era, it’s ridiculous to come up with this stuff. It was potentially a problem -way- before there was decent software to handle things, but it’d be an extremely unlikely scenario to affect any consumer-level computers built since 1999, let alone corporate ones, or servers.

    I don’t think that a corporate mail server with 64GB of memory is exactly going to be spending an hour trying to decompress a random ultra-compressed file on its own. Even if it were…that’s not the only process running. It doesn’t somehow “lock up”, which was a problem in the DOS and Windows 3.11 days.

    Worst case scenario for a reasonably configured server, that server will churn away…but keeps servicing other requests, marginally slower. It won’t run out of memory. Disk space won’t be exhausted, because users have enforced quotas. Once it expands large enough, it’ll stop expanding, it’ll often delete since the process isn’t complete.

    It just isn’t a serious issue, either consumer or corporate, if things are configured in a reasonable way. These days, that’s usually done by default, so to be vulnerable…it would take a great deal of deliberate misconfiguration, and user/sysadmin stupidity. In which case…it’s still not an issue, let alone a serious and crafty attack.

  6. Gary Fleming

    Zephiris: you’re right and wrong. Yes, most programs will deal with this in a reasonable way (spooling to disk is a great way of dealing with decompression bombs — as mentioned in the part 2 comments), but there are plenty of programs that still deal with this poorly. For an example, have a look at what something like Firefox does when confronted with an image-based decompression bomb: you’ll get a frozen browser and probably a maxed out CPU. Sure you can just kill it, but it’s pretty annoying and means a potential loss of data.

    And yes, it has affected corporate servers in the last few years. I’m not saying that’s anything but a mismanaged server, but sadly people don’t see all the angles all of the time.

    Now, this is nowhere near as big a deal as it was when I first wrote the piece (where just about every compression tool tested would fail under some form of decompression tool), but it’s still quite a clever side-channel to use as an annoyance and to say it’s not a problem at all is misleading at best.

  7. Bill B.

    Well, I have run PCs for maybe 9 yrs at home and been a user another 8 or so in an industrial setting. I have just today found my first “D-bomb”. Actually Spybot – Search & Destroy found it. I have faithfully run Avast, Spybot, Ad-Aware, Defender each week-end, and this is a first for me. I am not certain whether to try to delete it or just wait to see if some other scanner does the task for me. However, I will say that this entire discussion has been very educational to me. Thanks to all who contributed. If any other suggestions on what to do on this issue, let me know. Bill.

  8. Stan

    Thanks for demystifying the ominous-sounding DECOMPRESSION BOMB. My Avast virus scan came up with one of them for the first time today, and I thought at first I was UNDER ATTACK, but now I know it’s all a NON-ISSUE. The “bomb” in question turned out to be a porn video which I simply deleted…CASE CLOSED. This discussion has been VERY HELPFUL!

  9. mandy

    Thank you for this discussion. Really helpful. Avast has just found a decompression bomb inside an old zip file [from end of 2007] of emails and addresses from Eudora. The only file it objects to is an old log file. Can I delete the log file, without decompressing, while retaining the rest of the zipped files inside this zip file? I use WinZip. I use Windows XP but am not very computer literate.

  10. Chris

    Almost every post that I’ve read on this subject seems to mention running Avast and seeing these show up. Why does it always seem to come from Avast?

  11. Gary Fleming

    Good question, Chris. I don’t know for sure but perhaps Avast is either particularly good at or overly aggressive in trying to find decompression bombs. You decide which.

  12. Chris Olsen

    I think Chris and Gary Fleming are onto something. I got the warning using Avast, also. I’ve pretty much determined that it’s a problem with Avast. I downloaded a warez version of Maple 13 by Maplesoft. I got the Avast warning of a bomb in a “.jar” file. So I just coughed up 100$ to purchase the student version of Maple 13 and scanned the authentic version from CD, and it still came up with the bomb warning on a “.jar” file. So I got the bomb warning on both the warez and the trusted vendor version of a very popular program.

  13. Kwabena Adu-Kumi

    Hello,

    I performed a full scan on Drive “C” on my computer. After the scan, I had the following results: Five (5) of the files are decompression bombs. I do not understand this term. What should I do with these files? Do they have any damaging effect on the rest of the files or the drive “C” itself?

  14. Wendy F.

    Tonight, 4 days after Dell replaced my motherboard after a crash, Avast!4 found 4 decompression bombs in my Recycle Bin. They had nothing in common, which was weird. (…localization.xml, …patch.bat, …InetLoad.dll, …wikipedia.bmp) I freaked, then tried all the Avast! anti-virus options to get them out without luck. Then, I emptied the bin. (Genius! LOL) Now, I’ve read all the chatter and realize there is more than one way to skin a skunk!

  15. charlie

    I too got a d bomb and Avast found it but AVG missed it. AVG said it couldn’t scan some files, which didn’t really set alarm bells going, but Avast said bomb and I nearly dropped one. But my one was a game install file I had just downloaded, and I thought I would scan that specific file before installing, and d bomb, so I hope I did the right thing in deleting it. Seems Avast is a regular theme here. And something else: I got a blue screen of death yesterday and it said I should maybe uninstall any new things installed, but the only new thing is the Avast 30 day trial off CNET and it’s a trusted site. Maybe it didn’t install right, but it works proper good, it catches things straight away and shouts it down my speakers, sometimes shits you up better than a little pop up. Another thing, why call it a decomp bomb? I mean as soon as u see bomb u ain’t gonna touch it. If u wanted people to open the file, or if your scanner picks it up and it’s called decomp helper, u might think the scan’s got it wrong and open it and ******. Anyway, thanks for the informing site. Any answers please.

  16. Curiouz

    Um, one more try without typos. I got this on my computer, my Avast said it was “error the file is a decompression bomb”. I have little knowledge and I tried to move it to chest, but it won’t do that. I ran a full system scan 3 times and it won’t delete or move. So I guess I am in so bad luck I got a virus thingy and my computer is going wonky, my Opera browser stops and freezes and I have to reboot often. I don’t know what to do with this shit and after 1 day without any luck I’m pissed off! Please help!

  17. Kim J

    I heard that Avast was a better AV than AVG, so I installed & ran it today. It said that one of my games is a decompression bomb. I’ve never had any problems playing that game & it hasn’t messed up my system. Should I uninstall the game?

  18. chm

    The Avast decompression bomb alert is a false positive; it does it on rar files that I know are just plain rar files.
    The bigger the rar file is, the more likely Avast will say it is a d bomb.
    I checked this on rar files I had already decompressed/unrared, and used the video files within, and Avast said some of the rars were d bombs.
    For the most part just ignore that alert.
    A lot of files AVs say are trojans are not trojans; you have to use a little common sense.
