Antivirus software is snake oil!

Let’s say you download a file you do not trust. What do you do? Well, you run it through an antivirus scanner to see if it is safe, of course!

Question: why do you trust the antivirus scanner? And why do you assume you can trust its results?

Time for a little thought experiment: let’s consider a 4.3 GB file consisting of nothing but zero bytes. That’s pretty big, but deflate (the algorithm zip uses) shrinks such input by a little over 1000:1, so it compresses down to roughly 4 MB when you zip it. Now take 16 of those zip files and zip them again. Repeat five times. What you get is called a zip bomb: the outermost archive holds 16^5, about a million, copies of the 4.3 GB file, roughly 4.5 PB in total. The classic handcrafted version, 42.zip, is only about 42 KB on disk. That’s 42 KB of information that will easily fill up your entire hard drive if fed to the unzip algorithm.

Now assume you feed such a zip bomb to an antivirus tool. What would happen?

Case 1
The AV software only sees compressed data, but no executable code, and therefore declares the file to be safe. This is obviously wrong. The AV software failed.
Case 2
The AV is “smart” and knows that zip files may contain malicious code, so it starts decompressing the archive in order to scan the contents. In doing so, it becomes the agent of destruction itself (in the past this was a popular attack for killing mail servers). The AV software failed.
Case 3
The AV software is even “smarter” and only decompresses the first couple hundred megabytes for scanning. Finding nothing there, it deems the file to be safe. See case #1: the AV software failed.
Case 4
The AV software is “really smart” and labels every “zip in zip” as malicious. This is also wrong. A zip bomb is a “zip in zip”, but not every “zip in zip” is a bomb (and a bomb does not even need nesting: a single flat archive with overlapping entries can expand just as catastrophically). The AV software failed.
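To make the numbers and the four cases concrete, here is an added example (not part of the original post, and not Raccoon’s code): it builds a miniature nested zip bomb in memory, the same shape as described above but with 1 MiB leaves so it runs in a few seconds, and then scans it with a walker that charges every inflated byte against a fixed budget and refuses to nest deeper than a fixed limit. That is what cases 2 and 3 lack: the scanner neither inflates everything (case 2) nor gives up early and calls the rest safe (case 3); it aborts with a verdict the moment the budget would be exceeded. A constructed harmless zip-in-zip passes the same scan, which is what case 4 gets wrong. The function names, the budget and the depth limit are my own choices.

```python
import io
import zipfile

CHUNK = 64 * 1024  # read inflated output in small pieces so memory stays bounded


class ZipBombSuspected(Exception):
    """Raised when an archive would exceed the decompression budget or nesting limit."""


def build_bomb(levels=3, fanout=4, leaf_size=1 << 20):
    """Constructed miniature of the nested zip bomb described in the post.

    One leaf of `leaf_size` zero bytes is zipped, then `fanout` copies of that
    archive are zipped together, repeated `levels` times. 42.zip has the same
    shape with fanout 16, five levels and 4.3 GB leaves; this one expands to
    fanout**levels * leaf_size bytes (64 MiB with the defaults).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * leaf_size)
    data = buf.getvalue()
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(fanout):
                zf.writestr(f"l{level}_{i}.zip", data)
        data = buf.getvalue()
    return data


def build_benign():
    """Constructed harmless "zip in zip": a small archive wrapping another small archive."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", b"nothing to see here\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.zip", inner.getvalue())
    return outer.getvalue()


def scan(data, budget, max_depth=2):
    """Walk a zip and any nested zips, charging every inflated byte against `budget`.

    Returns (bytes_inflated, entries_seen). Raises ZipBombSuspected as soon as the
    budget or `max_depth` would be exceeded: the scanner never inflates more than
    `budget` bytes in total, and it never declares an archive safe without having
    looked at all of it.
    """
    spent = 0
    entries = 0

    def walk(blob, depth):
        nonlocal spent, entries
        if depth > max_depth:
            raise ZipBombSuspected(f"nested deeper than {max_depth} levels")
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                # Cheap pre-check on the declared size. Headers can lie, so this is
                # only a shortcut; the real accounting happens on the inflated bytes.
                if spent + info.file_size > budget:
                    raise ZipBombSuspected(
                        f"{info.filename} declares {info.file_size} bytes, over budget")
                inner_chunks = None  # collected only when the entry is itself a zip
                with zf.open(info) as fh:
                    first = True
                    while True:
                        chunk = fh.read(CHUNK)
                        if not chunk:
                            break
                        spent += len(chunk)  # count what inflate actually produced
                        if spent > budget:
                            raise ZipBombSuspected(
                                f"budget of {budget} bytes exceeded in {info.filename}")
                        if first:
                            first = False
                            # Local file header magic marks a nested zip, whatever its name.
                            if chunk.startswith(b"PK\x03\x04"):
                                inner_chunks = []
                        if inner_chunks is not None:
                            inner_chunks.append(chunk)
                entries += 1
                if inner_chunks is not None:
                    walk(b"".join(inner_chunks), depth + 1)

    walk(data, 0)
    return spent, entries


if __name__ == "__main__":
    bomb = build_bomb()
    print(f"bomb on disk: {len(bomb)} bytes, expands to {4 ** 3 * (1 << 20)} bytes")
    for budget in (256 << 20, 16 << 20):
        try:
            print(f"budget {budget}: inflated {scan(bomb, budget, max_depth=3)} -> allowed")
        except ZipBombSuspected as exc:
            print(f"budget {budget}: rejected ({exc})")
    print("benign zip in zip:", scan(build_benign(), 1 << 20))
```

The budget is the whole point: a scanner that caps total inflated output (across all nesting levels, not per file) can give a definite verdict on a bomb without ever becoming the victim, and it does not need the crude “any zip in zip is malware” rule to get there.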

Now, naively, we could say case #4 is good enough. The AV software errs on the side of caution, and there really is no point in an archive containing other archives anyway. Except there is. Take Raccoon, for example. It is written in Java, and since a lot of Windows users have no clue what to do with JAR files (those are ZIP files!), I also provide an EXE wrapper for the sake of convenience. Of course, those users who are clueless about running Java programs tend to be just smart enough to run their downloads through AV scanners. Some of those scanners see a “zip in zip” structure, and in the end I have to deal with users who are spooked by false positives.

Worse yet, the false positive (the AV software failing to do its job) will ironically be seen by most users as the AV doing its job!

Posted in Security