Protection against compression bombs?

Discussion in 'other security issues & news' started by MikeBCda, Jun 18, 2004.

Thread Status:
Not open for further replies.
  1. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Hi all,

    I was totally stumped for a proper home for this one -- so if one of the mods can think of a better place for it (preferably not the trash ;) ), feel free to move it.

    Compression bombs are nasties -- which might be just random data or might also contain a virus -- which include several nested layers of archiving, so that they're monstrously huge compared to the "visible" package. What appears to be 100k or so can wind up 100 gigs or more if you try to expand them.

    Most a-v scanners will crash because there's simply no room to expand the files so they can be scanned. Some of the better ones can be set so they'll quit after discovering x-many levels of archiving, where you can often adjust the value of "X".

    But that's only a halfway measure, because the type of archiving has as much effect on how much it's compressed as how many levels of archiving there are. So theoretically you could get an unmanageable monster from only 2 or 3 levels, if I'm not mistaken.

    Over at avast they're arguing this one, but in the context of how do you detect the existence of a virus in such a beast. They seem to miss the point that such a bomb is a destructive type of malware all by itself even if there's no "payload".

    Is there any kind of security software that can detect such bombs without actually going through the repeated levels of decompression?

    Thanks, and best to all,
    Mike


    Mike, it really didn't need to be moved, but since you ask... ==bigc ;)
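The question above asks for a way to spot a compression bomb without walking through every level of decompression. The following is an added example, not code from Mike's post or from any scanner mentioned in the thread. It shows the two checks a defender can apply to a zip archive: a cheap triage that reads only the central directory (declared sizes, per-member ratio, members that are themselves archives), and a bounded inflate that counts bytes while streaming so a lying header cannot exhaust disk or memory. The thresholds, the archive-suffix list and the constructed sample archives are assumptions for illustration; only Python's standard `zipfile` module is used.

```python
import io
import random
import zipfile

# Policy thresholds (assumed values for this example; tune per environment).
MAX_MEMBER_RATIO = 100.0                   # declared uncompressed : compressed, per member
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # declared total across all members
ARCHIVE_SUFFIXES = (".zip", ".gz", ".bz2", ".xz", ".7z", ".rar", ".tar", ".tgz")


def inspect_zip(data: bytes) -> dict:
    """Triage a zip using only its central directory; no member is inflated.

    Returns declared sizes, per-member findings and the names of members that
    look like nested archives. Declared sizes come from attacker-controlled
    headers, so a clean result here is a hint, not a guarantee.
    """
    findings, nested = [], []
    total_comp = total_uncomp = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total_comp += info.compress_size
            total_uncomp += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_MEMBER_RATIO:
                findings.append(f"{info.filename}: declared ratio {ratio:.0f}:1")
            if info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                nested.append(info.filename)  # another layer to budget for
    if total_uncomp > MAX_TOTAL_UNCOMPRESSED:
        findings.append(f"declared total {total_uncomp} bytes exceeds budget")
    return {
        "total_compressed": total_comp,
        "total_uncompressed": total_uncomp,
        "nested_archives": nested,
        "findings": findings,
        "suspicious": bool(findings) or bool(nested),
    }


def bounded_read(data: bytes, member: str, byte_budget: int) -> bytes:
    """Inflate one member, aborting as soon as output exceeds byte_budget.

    This check does not trust the headers: the real cost is counted while
    streaming, so the declared size in the central directory is irrelevant.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(member) as fh:
        while chunk := fh.read(64 * 1024):
            if out.tell() + len(chunk) > byte_budget:
                raise ValueError(f"{member}: exceeded {byte_budget}-byte budget")
            out.write(chunk)
    return out.getvalue()


def fits_budget(data: bytes, member: str, byte_budget: int) -> bool:
    """True if the member inflates within the budget, False if it was refused."""
    try:
        bounded_read(data, member, byte_budget)
        return True
    except ValueError:
        return False


def _build_zip(members: dict) -> bytes:
    """Helper: build an in-memory deflated zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed test inputs (not real samples): a benign archive of incompressible
# bytes, and one with the two tells the post describes, an extreme ratio
# (a few MiB of zeros) and a nested archive.
BENIGN_ZIP = _build_zip({"notes.txt": random.Random(1).randbytes(4096)})
INNER_ZIP = _build_zip({"inner.txt": b"nested content"})
SUSPECT_ZIP = _build_zip({
    "readme.txt": b"looks harmless",
    "zeros.bin": bytes(4 * 1024 * 1024),  # 4 MiB of zeros deflates to a few KiB
    "inner.zip": INNER_ZIP,
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("suspect", SUSPECT_ZIP)):
        print(label, inspect_zip(blob))
    print("zeros.bin within 1 MiB budget:", fits_budget(SUSPECT_ZIP, "zeros.bin", 1024 * 1024))
```

The triage step answers the question as asked: it costs one read of the central directory and flags both tells (extreme per-member ratio and members that are themselves archives) without inflating anything. Because those header fields can be forged, any archive that passes triage should still be inflated only through a byte-budgeted reader like `bounded_read`, and each nested layer should consume the same budget rather than getting a fresh one.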
     