I've never encountered one "in the wild", although I have downloaded them just for fun. If you extract a zip-bomb, it won't do anything to your computer though; it'll just create 16 smaller zip-bombs. If you decompress one of those, it'll yield 16 more zip-bombs. As such, they're not going to "explode" when someone opens them; they're just used by malware authors to knock out anti-virus software so malware can work without needing to watch its back.
What happens is, a malicious program may plant a zip bomb somewhere near it as bait for AV software. The program will wait until the anti-virus comes up for a routine scan, and it'll wait, "hiding" behind the zip-bomb. When the anti-virus reaches the bomb, it'll try to open it, all in its limited memory. 1 file becomes 16, which becomes 256, and it goes on until the memory is full.
In reality though, the computer never runs out of memory because each process is only allowed to use so much memory; after it hits its limit, it crashes itself to protect the rest of the computer from an OOM (Out-Of-Memory) event. When this happens to an anti-virus program as it's trying to dig into the file for malware, the software simply crashes and exits, while leaving the rest of the computer unharmed. The malware will detect this, and will then use that opportunity to do whatever it wants, without having to worry about AV software that might be right around the corner. However, most anti-virus software today recognizes a zip-bomb when it sees one, and will skip over it, alerting the user that the computer might be infected with malware.
As for your questions, no, you wouldn't notice disk space being used because zip-bombs only decompress in an anti-virus program's memory, not to the disk. Most manual archive-opening programs don't even have a recursive opening mode for this very reason. I don't think you'd notice much extra work by the CPU, because zip-bombs work so fast they can knock out an inadequately protected anti-virus program in seconds, while only using a fraction of the total computer's memory.
The zip bomb you're talking about is one of the first ones created, called 42.zip. There are other ones, and there was one I saw that was 6 kilobytes, yet expanded to 4 zettabytes, seriously. And I saw another, an XML-based decompression bomb called "billion laughs", which basically crashes a web browser by causing the XML parser to run out of memory (most today though will detect such recursive expansion and simply not try to parse the booby-trapped XML).
If you are curious about how it works, you can download 42.zip from here. And the really, really powerful one from here (downloading these is safe, and you can even open it. But if you try to recursively extract it, it'll take up a LOT of memory, and old AV software will crash upon scanning it).
Sorry for the long post, it's just that I find all kinds of logic bombs really interesting. ^^
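Added example, not part of the original post: a sketch of how a scanner can walk nested archives in memory and skip a suspected zip bomb instead of crashing, using a depth limit, a per-member ratio check and one shared memory budget. The limits, the `scan`, `verdict` and `make_zip` names and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
MAX_DEPTH = 3        # assumed limit: nested archive levels the scanner opens
MAX_TOTAL = 1 << 20  # assumed limit: bytes inflated in memory per scan (1 MiB)
MAX_RATIO = 100      # assumed limit: declared size / compressed size per member

class BombSuspected(Exception):
    """Raised instead of letting the scan exhaust the process's memory."""

def scan(data, depth=0, budget=None):
    """Recursively open a zip held in memory; return bytes inflated so far."""
    budget = [MAX_TOTAL] if budget is None else budget
    if depth > MAX_DEPTH:
        raise BombSuspected("nested deeper than %d levels" % MAX_DEPTH)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Cheap header check before inflating anything.
            if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                raise BombSuspected("%s: ratio above %d" % (info.filename, MAX_RATIO))
            # One shared budget: 1 -> 16 -> 256 members all draw from it.
            with zf.open(info) as member:
                body = member.read(budget[0] + 1)
            if len(body) > budget[0]:
                raise BombSuspected("memory budget of %d bytes spent" % MAX_TOTAL)
            budget[0] -= len(body)
            if zipfile.is_zipfile(io.BytesIO(body)):
                scan(body, depth + 1, budget)
    return MAX_TOTAL - budget[0]

def make_zip(members, method=zipfile.ZIP_DEFLATED):
    """Build a small in-memory zip from {name: bytes}; test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def verdict(data):
    try:
        scan(data)
        return "clean"
    except BombSuspected as exc:
        return "skipped: %s" % exc

# Constructed samples: an ordinary archive, then the same one wrapped six times.
PLAIN = make_zip({"notes.bin": bytes(range(256)) * 4}, zipfile.ZIP_STORED)
NESTED = PLAIN
for _ in range(6):
    NESTED = make_zip({"inner.zip": NESTED})
```

The ratio check alone is not enough for nested archives, because each outer layer only holds already-compressed data and looks unremarkable; the depth limit and the shared budget are what stop the 1, 16, 256 growth.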