Bombs and evolution
Monday, July 24, 2017
In the Dr.Web Security Space documentation, the list of threats Dr.Web for Microsoft Outlook can detect includes "bomb viruses in files and archives".
No more references are made to these mysterious bombs, but there was a time when it was vitally important to be protected against them!
Recall that, among other things, an anti-virus is also a versatile decompressor. It parses files and extracts archived contents in order to detect viruses or Trojans.
And here is where problems may appear. For example, a compressed file, once unpacked, may require more space than is available on a disk. Hard to imagine? In fact, it's quite simple: take a file containing only zeros and compress it. The result will be a small file consisting of an archive header and repeated zeros. How can you create a file whose size will exceed any reasonable capacity on a disk? You don't have to, because popular archiving formats allow such archives to be created automatically.
Malware for PCs includes programs known as zip bombs. These are zip archives containing files whose size will increase manifold if they are extracted. For example, one of the most notorious zip bombs, 42.zip, occupies only 42 KB, but it contains files on 5 nesting levels, with 16 files per level. The size of each file at the last level is 4.3 GB, and the entire archive unpacked will occupy 4.5 petabytes.
Bombs were invented a long time ago to be sent with emails, but they became particularly popular as a means to neutralise anti-viruses.
While trying to decompress such an archive, the receiving node was very likely to either reach the file system entry limit per volume (FAT-16) or run out of free space before the decompression procedure was complete. And there were also mail bombs in zip archives that came attached to messages with creative subjects and texts. Those caused the archive program (pkunzip.exe) to either crash or freeze the machine. Because many nodes operated at night automatically, mail bombs caused a denial of service, and node owners were left without a portion of new email the next day.
What can be the impact of a data-processing error in an anti-virus decompression module? Let's use the following example.
The number of nesting levels is one of the key problems. Usually, three is the maximum. Ten nesting levels are a rarity, but technically the number can be unlimited. As a rule, a decompression program operates recursively: whenever it encounters another nesting level, the current environment’s data is saved and the program launches itself again. The saved information usually occupies a bit of space. But if the number of levels approaches infinity (archives of this kind are crafted manually and preferably with an error, to make extraction endless), at some point the stack (a program's memory area allocated to store temporary data) gets full and the program attempts to store the data outside the stack boundary… This can cause the application to crash or allow malicious code to be executed.
Affected versions: Clam AntiVirus 0.88.3 and lower.
Description:
The vulnerability allows a remote actor to cause a denial of service or execute arbitrary code in the target system. This is possible because of an error in a bounds-checking routine of the "pefromupx()" function in the library libclamav/upx.c. The library is used to extract PE executables compressed with UPX. A remote attacker can cause a buffer overflow and execute arbitrary code in the targeted system.
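The nesting and unpacked-size problems described above are the ones a scanner's decompressor has to bound. The following Python code is an added example, not taken from the article or from any anti-virus product: it walks nested zip archives with an explicit work list instead of recursion and charges every unpacked byte to one shared budget. The limit values, the function names and the nested sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

class LimitExceeded(Exception):
    """An archive broke one of the resource limits (limit values are assumed)."""

def inspect_zip(blob, max_depth=3, max_total=10 * 2**20, max_entries=1000):
    """Unpack nested zips in memory; return (entries_seen, bytes_unpacked)."""
    pending = [(blob, 0)]      # explicit work list: no stack frame per nesting level
    entries = total = 0        # counters shared by every layer of the archive
    while pending:
        data, depth = pending.pop()
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                entries += 1
                if entries > max_entries:
                    raise LimitExceeded("too many entries")
                buf = bytearray()
                with zf.open(info) as member:
                    # Count bytes actually produced, chunk by chunk, and stop
                    # early instead of trusting the size stored in the header.
                    while piece := member.read(64 * 1024):
                        total += len(piece)
                        if total > max_total:
                            raise LimitExceeded("unpacked size budget exhausted")
                        buf += piece
                if zipfile.is_zipfile(io.BytesIO(buf)):
                    if depth + 1 > max_depth:
                        raise LimitExceeded("nesting too deep")
                    pending.append((bytes(buf), depth + 1))
    return entries, total

def make_nested(levels, payload_size):
    """Constructed sample: payload_size zero bytes wrapped in `levels` zip layers."""
    data = bytes(payload_size)
    for i in range(levels):
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{i}.bin", data)
        data = out.getvalue()
    return data

if __name__ == "__main__":
    print(inspect_zip(make_nested(2, 2**20)))   # two layers, 1 MiB of zeros inside
```

Because the budget is shared across all layers, an archive cannot stay under the limit by spreading its expansion over many small nested files.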
Unfortunately, bombs can be used to do more than disrupt the operation of anti-viruses. Say, for example, you want to view this image:
spark.png.bz2 (420 bytes)
The 420-byte archive contains a PNG file occupying 6,132,534 bytes (5.8 MB) that holds an image with a resolution of 225,000×225,000 pixels (50.625 gigapixels). In a pixel buffer allocating three bytes per pixel, the image will occupy about 141.4 GB.
The Anti-virus Times recommends
There were times when hard drives had very limited capacities and RAM didn't exceed 640 KB. Today disks are huge and programs protect themselves against stack and buffer overflow, but among criminals the search for the ideal bomb continues.
There are almost 35,000 variants! And that's only one type!
Don't want to get a bomb in the mail? Protect your system with Dr.Web!