decompression bomb (zip bomb, zip of death attack)

What is a decompression bomb?

A decompression bomb -- also known as a zip bomb or zip of death attack -- is a malicious archive file containing a large amount of compressed data. When the file is opened, it can crash the program that's reading it and wreak havoc on the rest of the system. A decompression bomb is often used to disable an antivirus program.

A decompression bomb can be a zip file, a compressed installation file or a program .exe file. One infamous zip bomb is a zip file called "42.zip." The file is only a few kilobytes, but when it's decompressed, it uses up to 4.5 petabytes' worth of space on the disk.

How do decompression bombs work?

The classic decompression bomb is a tiny zip archive file -- most of which are measured in kilobytes. But the contents of the file when it's unzipped are more than the system can handle. A typical zip bomb file can unpack into hundreds of gigabytes of useless data.

More advanced decompression bomb files can go up to millions or even billions of gigabytes -- also known as petabytes and exabytes. Instead of hijacking the normal operation of a program, a decompression bomb lets the program work the way it's supposed to work. But the archive file is crafted in such a way that unpacking it requires excessive amounts of time, disk space and memory.

How are decompression bombs used?

Decompression bombs are typically used for malicious reasons. Threat actors use zip bombs to disable a system's antivirus software. After disabling it, hackers can access the system to infect it with other malware -- including viruses, spyware and ransomware.

Zip of death attacks are mainly used to occupy virus scanners. Antivirus software scans the contents of compressed archive files to ensure they don't contain malicious software. But because of the nature of zip bombs, it may take the virus scanner days to scan it. The virus scanner can even monopolize all system memory or crash if it's scanning a recursive decompression bomb file.

While the virus scanner is dealing with the decompression bomb, other malicious software can sneak in and infect the system.

How do you locate a decompression bomb?

Most modern antivirus programs can detect zip bombs by looking for overlapping files. They know not to unpack layer after layer of recursive data, which is a sign of a decompression bomb.

Often, antivirus software labels a file a decompression bomb when it is not actually a bomb. To determine if the file is actually a zip bomb, users can Google the file name to see if others are reporting a problem with the same file.

There are some additional precautions that users can take to protect their systems from zip of death attacks, including the following:

• Don't unzip files that are 2 KB or larger.
• Use authentic antivirus software, such as Avast and Norton.
• Only download files from trusted websites.

How do you get rid of a decompression bomb?

To remove zip bombs from computers, users can use the Reimage computer repair tool or a similar software. Reimage detects malicious files and items in a system. Once the repair process is complete, the decompression bomb file will be removed. Users should then restart their systems to complete the process, checking to see that the decompression bomb has been removed.

What are the effects of a decompression bomb?

On its own, a decompression bomb doesn't cause damage to a system in the same way as a traditional computer virus. However, opening a file labeled as a decompression bomb will cause the system to instantly hang, ultimately crashing and causing data loss.