A zip bomb is a compressed file that uses a significant amount of storage space when decompressed. When a zip bomb is opened, it will easily take up all the space on the storage unit.
Most Zip files have a compression ratio of 2:1 to 10:1. For example, a 3-megabyte compressed.ZIP file could be expanded to 15 megabytes. A zip bomb, on the other hand, can have a compression ratio of more than 1,000,000:1. A small zip bomb of 40 kilobytes can be expanded to more than 5 gigabytes. A 10-megabyte zip bomb can be expanded to over 280 terabytes.
Zip bombs achieve astronomic compression ratios using one of the following two methods:
- Recurrent compression
- Overlapping of files
Recursive compression, the most common way to create a zip bomb, stores layers of compressed files in a single folder. When the primary archive is decompressed, the nested archives are recursively extended. As multiple layers of compressed files are opened, performance increases exponentially.
You can also create a zip bomb using overlapping files. Instead of storing layers of compressed archives, the archive contains multiple directory headers which point to a single file. By “overlapping” files inside the folder, the maximum compression ratio of 1,032 can be surpassed.
Zip bombs are known to be malware since they can be used for malicious purposes. For example, rapid decompression will allow the use of 100% of device resources, making the machine unresponsive. Luckily, most antivirus programs can detect zip bombs and warn against opening them. If you unknowingly open a zip bomb on your PC, most zip utilities allow you to avoid decompression in the middle of the phase.
How does Zip bomb work
It works by overlapping files within the zip container to refer to a “kernel” of highly compressed data in multiple files, without having multiple copies of it. The output size of the zip bomb grows quadratic in the input size; i.e. the compression ratio increases as the bomb grows larger.