The term Zip Bombs refers to compressed files that, when unzipped, release a huge amount of data, which the victim's computer cannot process in memory or cannot save to disk, causing the system to crash.
These small compressed files can expand to fill your machine with more data than it can handle. So imagine surfing the Internet when suddenly your browser freezes and stops loading pages, even though you have a strong connection to your provider.
In that case you may have fallen victim to a zip bomb, also known as a decompression bomb or an encoding bomb.
But let's take a closer look at what exactly zip bombs are and what steps you should take to protect yourself from this malicious attack.
What are Zip Bombs?
A zip bomb, which you may also hear called a “zip of death”, is a compressed file that expands to an enormous size and is often sent by malicious users to flood your system or a specific program once you open it. It is common for these bombs to also carry malware and viruses.
A zip bomb on your device is not harmful until you open it. Emails are one of the most common ways you might receive zip bombs. These bombs can also accompany downloads from unsafe locations.
You should not confuse a zip bomb with a regular ZIP file. Although called a “zip bomb”, not all zip bombs are ZIP files. A zip bomb can be a program (such as .exe files) or a compressed installer file, not necessarily a ZIP file.
How do Zip Bombs work?
Zip bombs, at first glance, appear to be just tiny files of a few kilobytes, like a standard zip file. However, once you open them up, they reveal their enormous sizes, which can run to petabytes or even exabytes. We're talking several million gigabytes of meaningless, nonsensical text or media crammed into a compressed file!
For example, a 5 petabyte file containing only zeros can easily be compressed to 48 kilobytes, because ZIP compression encodes long runs of repeated data extremely compactly, giving an enormous compression ratio.
A zip bomb is typically used as the first stage of a larger attack: it is sent to tie up the antivirus software and distract it from the real goal, which is usually to install malware or to steal or alter data on the system.
That real goal is accomplished when other malware reaches and infects your PC while your antivirus is busy fighting the zip bomb.
Types of zip bombs
Zip bombs differ slightly in their composition and, consequently, in how they attack. Some consist of files nested inside each other, like Russian Matryoshka dolls, while others are more like overlapping sheets stacked together and compressed many times over.
However, they all have the sole motive of causing your system and antivirus application to crash.
In general, they fall into two types, depending on the technique they use:
1. Recursive Zip Bombs
Recursive zip bombs are so named because they consist of multiple large archives nested inside each other. Once the outer file is opened, the nested files are unpacked one after another, producing a seemingly endless stream of mostly repetitive data.
A famous example of a recursive zip bomb is the file “42.zip”, which appears to be a harmless tiny file of only about 42 kilobytes. This archive contains five levels of nested zip files in sets of 16, each lowest-level file containing a 4.3 gigabyte file, bringing the final total to 4.5 petabytes of uncompressed data.
This zip bomb is freely available to download online if you look for it, but beware. Even the best computers will be severely stressed and may eventually crash.
2. Non-Recursive Zip Bombs
Non-recursive zip bombs need only one round of decompression to unpack all the junk hidden inside.
These can be slightly more dangerous than recursive zip bombs, as they are less likely to be detected by antivirus software. Most antivirus applications catch recursive zip bombs because they look for nested compressed files.
How to spot a zip bomb
It is difficult to tell a regular zip archive from a zip bomb at a glance. Both are small, seem to take up almost no space, and have to be unzipped before you can see what is inside.
However, modern antivirus software can recognize the compression pattern that zip bombs rely on.
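The two signals the sections above describe, a tiny archive that declares a huge expansion (the 48 KB to 5 PB example) and archives nested inside archives (the recursive type), can both be read from a ZIP file's central directory without decompressing a single byte. The Python script below is an added example written for this article, not code from the original page or from any antivirus product; the thresholds (100:1 declared ratio, 100 MiB declared total) and the two sample archives it builds are assumptions constructed for the demonstration, at a scale of a few MiB that is harmless to run.

```python
import io
import os
import tempfile
import zipfile

# Thresholds are assumptions chosen for this example, not figures from the article.
MAX_RATIO = 100                        # flag archives declaring more than 100:1 expansion
MAX_TOTAL_BYTES = 100 * 1024 * 1024    # flag archives declaring more than 100 MiB in total
ARCHIVE_SUFFIXES = (".zip", ".jar", ".gz", ".bz2", ".xz", ".7z", ".rar")


def inspect_zip(path):
    """Read only the central directory of a ZIP file and report the declared
    sizes, the overall compression ratio and any nested archives.
    Nothing is decompressed, so the check is cheap even on a zip bomb."""
    compressed = 0
    uncompressed = 0
    nested = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            compressed += info.compress_size
            uncompressed += info.file_size
            if info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                nested.append(info.filename)
    if compressed:
        ratio = uncompressed / compressed
    else:
        ratio = float("inf") if uncompressed else 0.0
    reasons = []
    if ratio > MAX_RATIO:
        reasons.append(f"declared compression ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1")
    if uncompressed > MAX_TOTAL_BYTES:
        reasons.append(f"declared size {uncompressed} bytes exceeds {MAX_TOTAL_BYTES}")
    if nested:
        reasons.append(f"contains nested archives: {nested}")
    return {
        "compressed": compressed,
        "uncompressed": uncompressed,
        "ratio": ratio,
        "nested": nested,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def build_samples(directory):
    """Construct two small archives (test fixtures made here, not real
    malware): a benign one, and one that shows both warning signs at a
    harmless scale of a few MiB."""
    benign = os.path.join(directory, "benign.zip")
    with zipfile.ZipFile(benign, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "Meeting moved to Thursday; bring the Q3 figures.\n")

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("layer2.bin", b"\0" * (1024 * 1024))        # 1 MiB of zeros, ~1 KiB deflated

    suspicious = os.path.join(directory, "suspicious.zip")
    with zipfile.ZipFile(suspicious, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("layer1.bin", b"\0" * (4 * 1024 * 1024))    # 4 MiB of zeros, ~4 KiB deflated
        zf.writestr("inner.zip", inner.getvalue())              # one level of nesting
    return benign, suspicious


def demo():
    """Build the fixtures in a scratch directory and inspect both.
    Returns (report for benign.zip, report for suspicious.zip)."""
    with tempfile.TemporaryDirectory() as work:
        benign, suspicious = build_samples(work)
        return inspect_zip(benign), inspect_zip(suspicious)


if __name__ == "__main__":
    for name, report in zip(("benign.zip", "suspicious.zip"), demo()):
        verdict = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{name}: {verdict}  ratio={report['ratio']:.1f}:1  declared={report['uncompressed']} bytes")
        for reason in report["reasons"]:
            print(f"  - {reason}")
```

Because it reads only headers, the check costs almost nothing. Its limitation is that those headers were written by whoever built the archive and can declare any size at all, so a header check is a screening step; the actual guarantee has to come from a hard limit on the bytes an extractor really produces.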
How to protect against a zip bomb
Zip bombs are used as decoys that let other software infect the computer, which is why they are usually weaponized against unsuspecting users.
Most such attacks come from malicious actors, and you need to protect yourself against the effects of a zip bomb. The best ways to stay protected are:
1. Always run good antivirus software and keep it up to date. If you receive a notification from your antivirus about a suspicious zip bomb, delete it without opening it.
2. Only interact with trusted websites. Countless websites on the internet are not secure. Avoid downloading files from sites where you cannot verify their authenticity or safety.
3. Thoroughly check your incoming emails, especially those containing attachments. You may sometimes find that you have received an email from a strange address with an attachment. If you don't recognize the sender, don't open it.
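The three habits above are what a user can do by hand. On the software side, the complementary control is an extractor that never writes more output than a configured cap, counting bytes as they leave the decompressor instead of trusting the sizes the archive claims for itself. The Python below is an added example for this article, not the page's own code or a feature of any particular product; the 1 MiB output cap, the 100-entry limit and the two constructed archives are assumptions made for the demonstration.

```python
import os
import tempfile
import zipfile

# Limits are assumptions chosen for this example, not figures from the article.
MAX_TOTAL_BYTES = 1024 * 1024    # hard cap on bytes we are willing to write out
MAX_MEMBERS = 100                # cap on the number of entries we will process
CHUNK = 64 * 1024
BENIGN_TEXT = "Agenda for Monday: review the backup schedule.\n"   # constructed sample content


class DecompressionLimitExceeded(Exception):
    """Raised when an archive would expand past the configured limits."""


def bounded_extract(archive_path, dest_dir, max_total_bytes=MAX_TOTAL_BYTES,
                    max_members=MAX_MEMBERS):
    """Extract a ZIP file while enforcing a hard cap on the bytes actually
    produced. The sizes declared in the archive headers are never consulted,
    because whoever built the archive can put any number there; the count is
    taken from the decompressed stream itself, chunk by chunk, so a bomb is
    stopped after at most max_total_bytes of output. Member names are
    flattened with basename() to keep the example focused on size limits."""
    written_total = 0
    with zipfile.ZipFile(archive_path) as zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            raise DecompressionLimitExceeded(
                f"{len(infos)} entries exceeds the limit of {max_members}")
        for info in infos:
            if info.is_dir():
                continue
            target = os.path.join(dest_dir, os.path.basename(info.filename))
            try:
                with zf.open(info) as src, open(target, "wb") as dst:
                    for chunk in iter(lambda: src.read(CHUNK), b""):
                        written_total += len(chunk)
                        if written_total > max_total_bytes:
                            raise DecompressionLimitExceeded(
                                f"output passed {max_total_bytes} bytes while "
                                f"expanding {info.filename}; extraction aborted")
                        dst.write(chunk)
            except DecompressionLimitExceeded:
                os.remove(target)      # do not leave a partial file behind
                raise
    return written_total


def demo():
    """Build two constructed archives in a scratch directory and run the
    bounded extractor on each. Returns (bytes written for the benign archive,
    whether the oversized archive was blocked)."""
    with tempfile.TemporaryDirectory() as work:
        benign = os.path.join(work, "benign.zip")
        with zipfile.ZipFile(benign, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("readme.txt", BENIGN_TEXT)
        oversized = os.path.join(work, "oversized.zip")
        with zipfile.ZipFile(oversized, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("zeros.bin", b"\0" * (4 * 1024 * 1024))   # 4 MiB of zeros, ~4 KiB on disk
        out = os.path.join(work, "out")
        os.mkdir(out)
        written = bounded_extract(benign, out)
        blocked = False
        try:
            bounded_extract(oversized, out)
        except DecompressionLimitExceeded:
            blocked = True
        return written, blocked


if __name__ == "__main__":
    written, blocked = demo()
    print(f"benign.zip: {written} bytes written")
    print(f"oversized.zip: {'blocked' if blocked else 'NOT blocked'}")
```

The oversized archive is only a few KiB on disk, yet the extractor stops it after 1 MiB of output and removes the partial file, which is exactly the property a mail gateway or upload handler wants: the damage is bounded by the cap, not by whatever the archive claims.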
How to get rid of a zip bomb
In the unfortunate event that your device is hit by a zip bomb, you may need to factory reset your device, especially if you've tried to open or unzip the zip bomb.
You can also use applications available online that can scan and remove zip bombs. All good anti-virus software has such a feature.
All you will need to do is reboot your system and the bomb will be gone.