A zip bomb, or zip of death, is a malicious file that appears harmless but hides a huge amount of compressed data nested at several levels, so that a zip of just a few kilobytes can conceal gigabytes of data.
Unzipping one of these files can crash your computer by causing a buffer overflow, but none reach the level of the “ultimate” bomb created by the engineer David Fifield, capable of “exploding” a zip of just 42 MB into 4.5 PB, that is, four and a half million gigabytes.
As the engineer explains on his website, the novelty is not the zip bombs themselves but the technique he has developed to “make them better”, because they do not depend on recursive decompression. Compression bombs that use the zip format must deal with the fact that the algorithm most zip readers use cannot achieve a compression ratio greater than 1032 to 1, and therefore they rely on recursive decompression.
Recursive decompression works basically like a Russian doll in reverse: the files get larger as the layers are decompressed. By nesting zip files within zip files, an additional factor of 1032 is gained for each layer.
This only works if you decompress recursively, that is, layer after layer. If someone unzips one of these files only once, it is perfectly safe, although some can be decompressed endlessly, as in experiments like the Zip File Quine.
From 42.zip to Zip64
This is where Fifield’s achievement comes in. Inspired by 42.zip, one of the most famous zip bombs in history, which can expand from a mere 42 KB to 4.5 petabytes provided all its layers are recursively decompressed, the engineer built his own bomb with a technique that raises the compression ratio to 98 million to 1.
Fifield sidesteps the maximum compression ratio of 1032 by overlapping files on top of one another during compression, producing a more compact file with a single layer and no recursion.
Compressed, 42.zip weighs 42 kilobytes; decompressed non-recursively it barely exceeds 5.5 GB (a compression ratio of about 129 thousand to 1), whereas decompressed recursively it can reach 5.5 PB.
Fifield’s zip bomb, at 45 megabytes, reaches 4.5 petabytes with non-recursive decompression, a compression ratio of 98 million to 1. To achieve this he also needed Zip64, an extension of the zip format that widens certain header fields to 64 bits; without it the output could not exceed 281 TB, no matter how cleverly the zip was packed.
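Because both tricks described above (overlapping entries and a huge declared expansion) are visible in the zip headers before anything is decompressed, a defender can screen an archive from its metadata alone. The following is an added example written for this article, not Fifield’s code: it reads the central directory with Python’s standard `zipfile` module (which already resolves Zip64 sizes), computes the declared expansion ratio, and checks whether any two entries share bytes in the file. The `build_sample_zip` helper constructs a harmless sample input; the ratio and size thresholds are assumptions for illustration.

```python
import io
import struct
import zipfile

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte local file header
LOCAL_SIG = b"PK\x03\x04"


def overlapping_spans(spans):
    """spans: (name, start, end) triples, end exclusive. Returns overlapping name pairs."""
    hits, covering, max_end = [], None, -1
    for name, start, end in sorted(spans, key=lambda s: s[1]):
        if start < max_end:  # this entry begins inside an earlier one
            hits.append((covering, name))
        if end > max_end:
            covering, max_end = name, end
    return hits


def inspect_zip(data, ratio_limit=100, size_limit=1 << 30):
    """Assess a zip from its headers only; nothing is decompressed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()  # central directory; Zip64 sizes already resolved
    spans, compressed, uncompressed = [], 0, 0
    for info in infos:
        fields = LOCAL_HDR.unpack_from(data, info.header_offset)
        if fields[0] != LOCAL_SIG:
            raise ValueError(f"no local header at offset {info.header_offset}")
        start = info.header_offset
        # fields[9] = file name length, fields[10] = extra field length
        end = start + LOCAL_HDR.size + fields[9] + fields[10] + info.compress_size
        spans.append((info.filename, start, end))
        compressed += info.compress_size
        uncompressed += info.file_size
    ratio = uncompressed / compressed if compressed else 0.0
    overlaps = overlapping_spans(spans)
    return {"entries": len(infos), "compressed": compressed,
            "uncompressed": uncompressed, "ratio": ratio, "overlaps": overlaps,
            "suspicious": bool(overlaps) or ratio > ratio_limit or uncompressed > size_limit}


def build_sample_zip(zero_bytes=1 << 20):
    """Constructed sample (not a bomb): a run of zeros plus a short text file."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * zero_bytes)
        zf.writestr("readme.txt", b"constructed sample input\n")
    return out.getvalue()
```

The zeros entry alone pushes the declared ratio close to DEFLATE’s 1032-to-1 ceiling, which is why a pure ratio check trips on it; an overlapping-entry layout would instead show up in `overlaps`.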
Although Fifield’s zip bomb is less compressed than 42.zip, meaning it needs a larger file (44 KB vs 45 MB), it explodes into a file the size of almost all the data that Event Horizon captured to produce the first photo of a black hole, so much data that it was easier to ship it by plane than to send it over the Internet.
Although you are very unlikely to come across one of these bombs, and despite the technique being new, the researcher himself points out that in his tests some antivirus programs readily identified it as a zip bomb. Even so, these findings remain important for advancing the field and for raising awareness that these techniques exist.