Cyber Security Alert: Beware of Zip Bomb Attacks!

Summary: This 3-minute article explains the cyber security threat posed by zip bombs. Learn how to protect your computer system from a zip bomb attack. Contact DIGIGUARD CYBER SECURITY at 833-33-CYBER (833-332-9237) or visit www.DIGIGUARDsecurity.com for a cyber risk analysis and to discuss the best methods to protect your business from cyberattacks.

What Is a Zip Bomb?

Zip bombs have been around since the late 1990s. They rise and fall out of popularity in the cybercrime world. However, many users have not heard of them and know nothing about zip file security. Wikipedia (https://en.wikipedia.org/wiki/Zip_bomb) states, “In computing, a zip bomb, also known as a decompression bomb or zip of death, is a malicious archive file designed to crash or render useless the program or system reading it. It is often employed to disable antivirus software in order to create an opening for more traditional malware.”

Most computer users have created or opened zip files (compressed files), which are made smaller for ease of storage and file sharing. However, hackers have learned to apply the same compression principles in crafting zip bombs that appear to be small files but, when opened, become thousands of times larger than the compressed files.

Zip bomb downloads can seem small and benign until they are unpacked. In one well-known experiment, a programmer created a zip bomb compressed to 46 MB that, when downloaded and opened, unzipped into a 4.5 PB file (over 1 billion MB). Data files of that magnitude will overpower most computers' RAM and storage memory solely due to their size.

Therefore, zip bombs are a form of DoS attack (Denial of Service) in that they can stop all computer functions. Imagine the far-reaching, destructive power of a zip bomb loaded with more data than your computer can handle and a payload of malicious software. To make things even more confusing, zip bombs are not always ZIP files. Instead, they can be compressed programs or installation files, which often makes it harder for users to detect them before opening them.

A zip bomb can be the launch point for a malware attack targeting your entire computer system. Although your antivirus software might detect and engage the zip bomb, it is distracted from addressing other malicious software already infecting your computer. To become more prepared to avoid zip bomb threats, it is essential to learn about the different forms they might take.

There are two main types of zip bombs:

• Recursive Zip Bombs consist of “nested,” overlapping layers of archived files. Once activated, they unpack and pop open, one after another, until they completely overload your system with a repetitive string of data and spread malicious code to specifically targeted applications system-wide.
• Non-Recursive Zip Bombs are comprised of compressed files, which, once unpacked, go right to work overwhelming a computer system and spreading malicious code. Unfortunately, non-recursive zip bombs are more difficult to spot because many antivirus programs only detect recursive zip bombs.

How to Spot a Zip Bomb Attack

Recursive zip bombs can be detected by most premium antivirus software. The antivirus program can identify overlapping recursive files and alert the user without opening them. However, non-recursive bombs are much more challenging to detect. Fortunately, zip bombs are not very common. In the case of non-recursive zip bombs, user cyber security best practices and training are crucial to avoiding an attack:

• Think Before You Click – As with most cyber threats, avoiding zip bombs frequently comes down to the attention and diligence of users. If you are not sure whether a zip file is safe, don’t open it. Cybercriminals count on user impulsivity and hope their targets won’t stop to analyze zip files before opening them. One wrong click could unpack a zip bomb, overload your system and bring your SMB to a grinding halt.
• Install High-Quality, Up-to-Date Antivirus Software – Current antivirus software can detect many zip bombs and discern whether or not they contain massive amounts of compressed data before they are opened and unpacked.
• Only Download Zip Files From Trusted Sources – A standard rule for all cyber security is to take the time to ascertain who sent you a file. If you receive a zip file from an unknown source, it is better to delete it without opening it than to risk an attack. As computer processors and connection speeds become faster, users must slow down and become hyper-vigilant in watching for signs of cyberattacks.

Setting File Size Thresholds

Robust antivirus and compression software can reduce the risk of a decompression bomb denial of service by setting file size thresholds. Creating a specific limit for the maximum file download size that is low enough to keep your system from overloading is the best way to avoid a system crash caused by a zip bomb. In addition, setting file size limits is an automatic failsafe to stop such an attack before your computer’s resources are overwhelmed.

More than ever, users are the front lines of protection for your SMB’s computer system and network. Codifying and training your employees in comprehensive cyber security best practices for your business will be time and money well spent in securing your hard-earned data and keeping your business efficient and fully operational.