Comments on: Decompression Bombs

By: Wendy F.

Wendy F. — Tue, 23 Feb 2010 08:06:38 +0000

Tonight, 4 days after Dell replacing my mother board after a crash, Avast!4 found 4 decompression bombs in my Recycle Bin. They had nothing in common which was weird. (…localization.xml, …patch.bat, …InetLoad.dll,
…wikipedia.bmp) I freaked, then tried all the Avast! anti-virus options to get them out without luck. Then, I emptied the bin. (Genius! LOL) Now, I’ve read all the chatter and realize there is more than one way to skin a skunk!

By: Kwabena Adu-Kumi

Kwabena Adu-Kumi — Mon, 15 Feb 2010 11:53:10 +0000

Hello,

I performed a full scan on Drive “C” on my computer. After the scan, I had the following results: Five (5) of the files are decompression bomb. I do not understand this term? What should I do to these files? Do they have any damaging effect on the rest of the files or the drive “C” itself?

By: Chris Olsen

Chris Olsen — Sat, 10 Oct 2009 06:01:38 +0000

I think Chris and Gary Fleming are onto something. I got the warning using Avast, also. I’ve pretty much determined that it’s a problem with Avast. I downloaded a warez version of Maple 13 by Maplesoft. I got the Avast warning of a bomb in a “.jar” file. So I just coughed up 100$ to purchase the student version of Maple 13 and scanned the authentic version from CD, and it still came up with the bomb warning on a “.jar” file. So I got the bomb warning on both the warez and the trusted vendor version of a very popular program.

By: Gary Fleming

Gary Fleming — Thu, 25 Jun 2009 18:25:37 +0000

Good question, Chris. I don’t know for sure but perhaps Avast is either particularly good at or overly aggressive in trying to find decompression bombs. You decide which.

By: Chris

Chris — Wed, 24 Jun 2009 19:30:42 +0000

Almost every post that I’ve read on this subject seems to mention running Avast and seeing these show up. Why does it always seem to come from Avast?

By: mandy

mandy — Sat, 14 Feb 2009 17:50:43 +0000

Thankyou for this discussion. Really helpful. Avast has just found a decompresssion bomb inside an old zip file [from end of 2007] of emails and addresses from eudora. The only file it objects to is an old log file. Can I delete the log file, without decompressing, while retaining the rest of the zipped files inside this zip file I use Winzip. I use windows xp but am not very computer literate

By: Stan

Stan — Thu, 20 Nov 2008 10:32:44 +0000

Thanks for demystifying the ominous-sounding DECOMPRESSION BOMB. My Avast virus scan came up with one of them for the first time today, and I thought at first I was UNDER ATTACK, but now I know it’s all a NON-ISSUE. The “bomb” in question turned out to be a porn video which I simply deleted…CASE CLOSED. This discussion has been VERY HELPFUL!

By: Bill B.

Bill B. — Sun, 16 Nov 2008 23:16:51 +0000

Well, I have run PCs for maybe 9 yrs at home and been a user another 8 or so in an industrial setting. I have just today found my first “D-bomb”. Actually Spybot – Search & Destroy found it. I have faithfully run Avast, Spybot, Ad-Aware, Defender each week-end, and this is a first for me. I am not certain whether to try to delete it or just wait to see if some other scanner does the task for me. However, I will say that this entire discussion has been very educational to me. Thanks to all who contributed. If any other suggestions on what to do on this issue, let me know. Bill.

By: Gary Fleming

Gary Fleming — Sun, 05 Oct 2008 14:36:17 +0000

Zephiris: you’re right and wrong. Yes, most programs will deal with this in a reasonable way (spooling to disk is a great way of dealing with decompression bombs — as mentioned in the part 2 comments), but there are plenty of programs that still deal with this poorly. For an example, have a look at what something like Firefox does when confronted with an image-based decompression bomb: you’ll get a frozen browser and probably a maxed out CPU. Sure you can just kill it, but it’s pretty annoying and means a potential loss of data.

And yes, it has affected corporate servers in the last few years. I’m not saying that’s anything but a mismanaged server, but sadly people don’t see all the angles all of the time.

Now, this is nowhere near as big a deal as it was when I first wrote the piece (where just about every compression tool tested would fail under some form of decompression tool), but it’s still quite a clever side-channel to use as an annoyance and to say it’s not a problem at all is misleading at best.

By: Zephiris

Zephiris — Sun, 05 Oct 2008 02:06:19 +0000

This is one of the worst examples of scare tactics I’ve ever seen. There’s no such thing as a “decompression bomb”.

If you compress something down very small, good for you. When you try to open it, it doesn’t somehow automagically decompress and make everything explode.

Compression utilities use a memory frame for converting compressed data to decompressed data, and vice-versa. This is directly based on the ‘dictionary sized’ used for compression. It’s much larger for compression than decompression.

If someone sends you a 100GB file, you don’t need 100GB of memory to decompress it. That’s just inane and ’scary’ to suggest. If someone uses a 16MB dictionary size (very common), you only need some 20MB free to successfully decompress.

Depending on compression methods, the maximum dictionary size might be 1MB, or 1GB, but I’ve yet to see anything with a dictionary size of more than 1GB, and never seen anyone use that size. Using presets will typically allow 64MB or less.

The average compression program allows you to easily see the contents, and size (both before and after) by default, before any real decompression is done.

You could theorhetically take up someone’s disk space with such an “attack”, but it’s effortlessly remedied by DELETING the file. This can’t be embedded into anything else, either.

Even comprehensive anti-virus will only scan the first N megabytes of a file by default, or skip things it estimates will take too long. It won’t load the entire file into memory at once then, either.

In such a technical era, it’s ridiculous to come up with this stuff. It was potentially a problem -way- before there was decent software to handle things, but it’d be an extremely unlikely scenario to affect any consumer-level computers built since 1999, let alone corporate ones, or servers.

I don’t think that corporate mail server with 64GB of memory is exactly going to be spending an hour trying to decompress a random ultra-compressed file on its own. Even if it were…that’s not the only process running. It doesn’t somehow “lock up” , which was a problem in the DOS and Windows 3.11 days.

Worst case scenario for a reasonably configured server, that server will churn away…but keeps servicing other requests, marginally slower. It won’t run out of memory. Disk space won’t be exhausted, because users have enforced quotas. Once it expands large enough, it’ll stop expanding, it’ll often delete since the process isn’t complete.

It just isn’t a serious issue, either consumer or corporate, if things are configured in a reasonable way. These days, that’s usually done by default, so to be vulnerable…it would take a great deal of deliberate misconfiguration, and user/sysadmin stupidity. In which case…it’s still not an issue, let alone a serious and crafty attack.