
What Is a Zip Bomb and Why Is It Dangerous?

Key Points

  • Zip bombs are small archive files designed to expand into far more data than the target can store or process, using nested layers of compression or overlapping compressed members.
  • Recursive zip bombs nest archives inside archives so that each layer multiplies the expansion; anything that keeps extracting, from a careless user to an automated scanner, fills its disk or memory.
  • Zip bombs can be built from any deflate-based container, not just .zip files (Office documents, Java archives, PDF streams), so extension-based detection is unreliable.
  • Zip bombs can knock out the machine or the scanner that unpacks them, and attackers can use that as a first wave to blind defenses before delivering further malware.
  • Mitigation comes from extraction limits (nesting depth, compression ratio, total output size), malware scanners that enforce them, restoring affected machines, and user education on reputable sources.

Imagine receiving a small file from a co-worker through your email, only to extract it and watch your PC grind to a halt with a full disk. This isn't a fictional scenario, but the aftermath of a zip bomb. Zip bombs are malicious files built with considerable forethought into how compression works.

So, it is worth exploring what a zip bomb is, what it does, and how you can prevent or mitigate it. These files often serve as a front-line attack of sorts for bad actors.

What Exactly Is a Zip Bomb?

A zip bomb, zip of death, or decompression bomb are all the same thing: an archive that is tiny on disk but declares, and will produce, an enormous amount of data when decompressed. The small size makes it easy to transport or to trick an unsuspecting user into downloading. Nothing happens until something tries to fully extract it; at that point the extractor keeps inflating data until the disk, the memory, or the patience of whatever is doing the unpacking runs out.

There are a few different methodologies that go into designing an effective decompression bomb. On the surface, they are harmless files: the archive contains no code and does nothing by itself, so simply not extracting it avoids the problem entirely. The catch is that many things extract archives automatically, including antivirus engines, mail gateways, and upload handlers, and those can be the real target. Once extraction starts, the output saps the machine's resources and fills the hard drive to capacity.

A humble zip file of only a few tens of kilobytes can declare petabytes of junk data, because deflate compresses a run of zeros by roughly a thousand to one and nested layers multiply. So, it is best to exercise due diligence when handling files you download from the internet. The worst-case scenario for a user is the loss of computer functionality until the junk is removed, and a zip bomb is designed to cause exactly that.

The Types of Zip Bombs

Zip bombs use common compressed file formats to attack a computer.

As you might imagine for a cyberattack, a zip bomb comes in a variety of different configurations. Here are the most common variants and how they work.

Recursive

A recursive zip bomb is like a malicious nesting doll: a top-level archive whose members are themselves archives, which in turn contain archives, down to a final layer of highly compressible files. Each layer multiplies the total output, and any extractor that recurses into nested archives walks the whole tree. The famous example is 42.zip, named for its roughly 42-kilobyte file size.

42.zip nests 16 archives inside 16 archives through five layers, bottoming out in files of about 4.3 gigabytes each; the roughly one million leaf files total around 4.5 petabytes once fully decompressed, far exceeding the storage on most PCs. Extraction stops only when the extractor is killed or runs out of space, so a tool that unpacks nested archives without limits will exhaust even a well-provisioned machine.
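To make the multiplication concrete, here is an added Python example, not code from the original article, that builds a small and harmless nested archive in memory and then totals what it declares by reading each layer's central directory, never inflating the leaf files. The depth of 3, fan-out of 4, and 1 MiB leaf are arbitrary illustrative choices; nested archives are recognised by a .zip name purely because this code built them that way.

```python
import io
import zipfile


def build_nested_zip(depth: int, fanout: int, leaf_bytes: int) -> bytes:
    """Build a small, harmless nested archive entirely in memory.

    The innermost archive holds `fanout` members of `leaf_bytes` zero bytes;
    each archive above it holds `fanout` copies of the archive below. With
    depth=3, fanout=4 and a 1 MiB leaf the tree declares 4**3 * 1 MiB = 64 MiB
    while the outer file stays a few kilobytes, because deflated zeros are
    themselves highly repetitive and shrink again at every layer. Constructed
    here only to show the mechanism; keep the parameters small.
    """
    payload = b"\0" * leaf_bytes
    for layer in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            ext = "bin" if layer == 0 else "zip"
            for i in range(fanout):
                zf.writestr(f"layer{layer}_{i}.{ext}", payload)
        payload = buf.getvalue()
    return payload


def declared_expansion(zip_bytes: bytes, max_inner: int = 64 << 20) -> tuple:
    """Return (declared leaf bytes, archive count) by peeling layers.

    Each layer's central directory is read for its declared sizes. Nested
    archives (recognised here by a .zip name, an assumption that holds for
    what build_nested_zip produces) are inflated in memory so their own
    directories can be read, but leaf members are never inflated. This is
    why a tool can report a 42.zip-style bomb as petabytes without writing
    a single leaf byte. `max_inner` refuses to inflate a nested archive that
    itself claims to be large, since a bomb may hide its bulk at any layer.
    Declared sizes are attacker-controlled, so this is an estimate, not proof.
    """
    total, archives = 0, 1
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".zip"):
                if info.file_size > max_inner:
                    raise ValueError(f"{info.filename} claims {info.file_size} bytes")
                sub_total, sub_archives = declared_expansion(zf.read(info), max_inner)
                total += sub_total
                archives += sub_archives
            else:
                total += info.file_size
    return total, archives


if __name__ == "__main__":
    sample = build_nested_zip(depth=3, fanout=4, leaf_bytes=1 << 20)
    declared, count = declared_expansion(sample)
    print(f"outer archive: {len(sample)} bytes")
    print(f"declares {declared >> 20} MiB across {count} archives")
```

Running it shows an outer file of a few kilobytes that declares 64 MiB across 21 archives (1 outer, 4 middle, 16 innermost). Scaling the same construction to 42.zip's 16-way fan-out and five layers is what turns kilobytes into petabytes.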

Non-Recursive

Non-recursive zip bombs have the same goal but reach it in a single layer. Instead of chaining rounds of decompression, they overlap members: a zip's central directory can point many file entries at the same region of compressed data, so one highly compressible kernel is stored once but extracted many times over. The result is a far larger expansion per round of extraction, so a non-recursive bomb does its damage on the very first pass.

You have the same small file size, but it explodes outward into massive amounts of junk data from a single extraction. Non-recursive bombs were designed partly to evade detection: a scanner that only limits nesting depth never sees a second layer. Checks based on the declared uncompressed sizes and the overall compression ratio in the central directory still catch them, so that is the check to rely on.

Other File Formats

Zip bombs aren't solely relegated to .zip files. Numerous compressed containers can serve as the vector: .jar, .docx, .xlsx, and .apk files are all zip archives under the hood, gzip and xz streams can be bombs on their own, and PDFs carry deflate-compressed streams. This means there are plenty of avenues for a malicious attack to be launched.

As such, you can't rely solely on the knowledge that a malicious file is going to carry a .zip extension. It could just as easily be a common business attachment like a PDF or Word document, and the extension is only a hint; the container format is what matters. Software that opens these formats, including the scanners that inspect them, needs the same decompression limits as a zip extractor.

However, you'll need to exercise caution regardless. A malware scanner is a good preventive measure, but your own common sense and education should come first, especially with dodgy attachments and files.

Why Is a Zip Bomb Dangerous?

Decompression bombs, like any other cyber attack, pose an inherent danger to any system. Yes, you can mitigate them, but it takes only one unguarded extraction to wreak havoc. In most organizations, the weakest link is the least aware individual, or the automated tool nobody configured, so the threat is very real.

Risks Posed

So, when thinking about the dangers these files pose, there are a few things to keep in mind. One is that the process doing the extraction, and often the whole system, grinds to a halt once the disk fills, memory is exhausted, or the CPU is pegged inflating data; a full system disk can block logging, updates, and even a clean boot.

Computers are made to be used, but a decompression attack exploits that work to make the machine inoperable. Once extraction starts, it could take down a mission-critical piece of equipment. Servers are effectively just computers: they run the same operating systems and use similar components, and they are more likely to be running an automatic unpacker.

A zip bomb extracted by accident on a server or security workstation could cripple an organization for an extended period. Some malicious actors use zip bombs as a first wave in a cyber attack: a bomb that hangs or crashes the antivirus engine or mail gateway unpacking it leaves a window in which the real payload goes uninspected.

What looks like a crude denial of service can therefore open a door for the real malware to follow. As such, you'll need to implement a few changes in your personal computing habits, and in how your tools handle archives, to stay safe and keep your computer out of harm's way.

Mitigation and Prevention of Zip Bombs

One of the most common ways to remediate a zip bomb is to restore from a known backup.

There are some ways to mitigate and prevent the damage a zip bomb can cause. These solutions don't require a complete overhaul of security, but rather some minor changes in your computing habits and in the limits your tools apply when unpacking archives.

Malware Scanners

Malware scanners like Malwarebytes or Microsoft Defender can typically identify recursive zip bombs with ease. Recursive bombs are the most common sort, well-known samples such as 42.zip have signatures, and scanners also apply generic limits: a maximum nesting depth, a maximum compression ratio, and a maximum total output before they stop unpacking and flag the archive.

Malware scanners aren't foolproof, as the non-recursive variants show: a scanner that only counts nesting depth misses them, and a scanner configured to skip large or deeply nested archives has a blind spot of its own. However, you can deploy scanners across a whole slew of workstations and servers, which provides a solid baseline against known bombs.

This isn't a complete solution, but it is a start. Scan files you download from email, websites, and other locations before extracting them, and inspect an archive's declared sizes before unpacking anything you don't trust. It might seem like a pain, but it certainly beats having to rebuild your PC during work hours.
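The limits a scanner, mail gateway, or upload handler should enforce are simple enough to write yourself. Below is an added Python example, not code from the original article or from any scanner named above, that inflates an archive under three limits and rejects it as soon as one is exceeded: the declared uncompressed total, the declared compression ratio (the check that catches single-layer, non-recursive bombs), and the bytes actually produced while streaming (the check that catches a central directory that lies). Nested archives are recognised by the zip magic rather than by name, so a .docx or .jar member gets the same treatment. The budget values, the 100:1 default ratio, and the sample input are constructed for illustration; a real deployment tunes the ratio to its own traffic, since large text compresses at tens to one legitimately.

```python
import io
import zipfile

CHUNK = 64 * 1024
ZIP_MAGIC = b"PK\x03\x04"  # local file header; .docx/.jar/.apk start this way too


class DecompressionBomb(Exception):
    """Raised when an archive exceeds the configured extraction limits."""


def check_archive(zip_bytes: bytes, max_total: int, max_ratio: int = 100,
                  max_depth: int = 2, _depth: int = 0) -> int:
    """Inflate an archive under limits and return the bytes actually produced.

    Three limits, applied in order of cost:
      1. the uncompressed sizes the central directory declares (cheap, but
         attacker-controlled, so never the only check);
      2. the overall compression ratio implied by those declared sizes, which
         is what catches single-layer, non-recursive bombs;
      3. the bytes really produced while streaming each member in chunks,
         which catches a header that understates a member's true size.
    Members that start with the zip magic are treated as nested archives,
    whatever their name, and checked the same way up to `max_depth` levels.
    A nested archive is buffered in memory only after it has fit in the budget.
    """
    if _depth > max_depth:
        raise DecompressionBomb(f"nesting deeper than {max_depth} levels")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        declared = sum(i.file_size for i in infos)
        packed = sum(i.compress_size for i in infos) or 1
        if declared > max_total:
            raise DecompressionBomb(f"declares {declared} bytes, limit {max_total}")
        if declared // packed > max_ratio:
            raise DecompressionBomb(f"ratio {declared // packed}:1 exceeds {max_ratio}:1")
        produced = 0
        for info in infos:
            parts = []
            with zf.open(info) as member:
                chunk = member.read(CHUNK)
                is_archive = chunk.startswith(ZIP_MAGIC)
                while chunk:
                    produced += len(chunk)
                    if produced > max_total:
                        raise DecompressionBomb(f"inflated output exceeded {max_total} bytes")
                    if is_archive:
                        parts.append(chunk)
                    chunk = member.read(CHUNK)
            if is_archive:
                produced += check_archive(b"".join(parts), max_total - produced,
                                          max_ratio, max_depth, _depth + 1)
    return produced


def verdict(zip_bytes: bytes, **limits) -> str:
    """'ok' if the archive passed, otherwise the reason it was rejected."""
    try:
        check_archive(zip_bytes, **limits)
        return "ok"
    except DecompressionBomb as exc:
        return f"rejected: {exc}"


def build_sample(leaf_mib: int) -> bytes:
    """Constructed test input: one big member of zeros plus a nested archive
    named like an Office document, so detection by magic rather than by name
    is exercised. Not a real bomb, just compressible filler."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", b"\0" * (leaf_mib << 20))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("filler.bin", b"\0" * (leaf_mib << 20))
        zf.writestr("report.docx", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample(8)
    print(verdict(sample, max_total=64 << 20))                   # ratio check trips
    print(verdict(sample, max_total=64 << 20, max_ratio=2000))   # passes
    print(verdict(sample, max_total=4 << 20, max_ratio=2000))    # declared total trips
    print(verdict(sample, max_total=64 << 20, max_ratio=2000, max_depth=0))  # nesting trips
```

The order matters: the declared-size and ratio checks cost nothing because they read only the central directory, so they run first, but the byte counter in the streaming loop is the check that cannot be fooled by a forged header. Whatever rejects the archive should also delete any partial output it already wrote.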

Reimage Affected Machines

If you've got a machine affected by a zip bomb, first establish how much actual damage was done. In the simplest case the hard drive has been filled to capacity and the extractor has hung or crashed; killing the extractor and deleting the extracted output (from a recovery environment if the machine won't boot) frees the space. The archive carries no code of its own, so if it arrived alone, that is usually the end of it.

Reimaging or restoring from a known backup is the safer choice when you can't tell what else arrived with the bomb, or when a filled system disk has left the operating system unable to boot or update cleanly. This isn't the most ideal option for most users, as the average home computer isn't going to have archived and dated backups. However, if you've got your important files stashed on another drive or in the cloud, a reinstall might be in order.

You're wiping the slate clean, which can take some time. However, a good system image or backup means the computer is back in action without any of the bomb's effects still being felt.

Education and Reputable Sources

One of the most effective means of prevention is always going to be education. You don't need to be a cybersecurity specialist to understand some of the more common threats to your daily computing.

Zip bombs typically arrive through websites and email attachments. You, or your business, should stay aware of the threat. If an email or website looks disreputable, don't click on it, and don't extract an archive you weren't expecting.

Reputable sources are usually straightforward to verify, while attackers often get details wrong in a sender address or a URL. Checking the sender or the URL goes a long way toward preventing a zip bomb from being unleashed on your system. You can also pick up zip bombs by accident when hunting for downloads on alternative sources, so only trust known sources for files.

Summary Table

Type of Zip Bomb | Description
Recursive | A malicious nesting doll: a top-level archive whose members are archives, which contain archives, down to a layer of highly compressible files. Each layer multiplies the output. The famous example is 42.zip, named for its roughly 42-kilobyte file size, which expands to about 4.5 petabytes.
Non-Recursive | Same goal, reached in a single layer by overlapping file entries onto shared compressed data, so one extraction pass produces a massive amount of output. Evades scanners that only limit nesting depth; caught by declared-size and compression-ratio checks.
Other File Formats | Zip bombs aren't solely relegated to .zip files. Any compressed container can serve as the vector: .jar, .docx, and .apk files are zip archives, gzip and xz streams can be bombs, and PDFs carry compressed streams. Plenty of avenues exist for a malicious attack.

Frequently Asked Questions

Is there any way to stop a zip bomb once it is activated?

Yes, though the tooling rarely makes it obvious. The "bomb" is just a process inflating data; killing the extractor (or the scanner that started it) stops the growth, and deleting the partial output frees the disk. The damage comes from extractors nobody is watching, which run until the disk is full or the process dies.

Are there ways to check zip files?

Absolutely, though the method depends on what you can trust. Most recursive zip bombs are flagged by a malware scanner, which is freely available. You can also list an archive without extracting it (unzip -l or zipinfo on Linux and macOS, or the file list in an archive manager on Windows) and look at the declared uncompressed sizes and compression ratio; a few kilobytes claiming to hold gigabytes is the tell. Bear in mind that those declared sizes are attacker-controlled, so an extractor should also count the bytes it actually produces. Checksum files published alongside an archive verify that you received the file its author intended, not that the file is safe.

Do zip bombs only work on Windows?

No, they pose an inherent risk to any operating system. The archive formats themselves are platform-independent, so a zip bomb poses the same risk to Linux, Mac, Android, iOS, and plenty of other operating systems in common use; what varies is which tool does the unpacking and what limits it applies.

Can I rescue a computer from a zip bomb?

Yes. In the simplest case, deleting the extracted output frees the disk. If you can't be sure what else arrived with the bomb, restore from a backup or format the primary storage and reinstall.

Does a zip bomb only come as a zip file?

No, it can use any archival format that uses compression, and any file type built on one, such as Office documents, Java archives, or PDFs with compressed streams.
