What Is a Decompression Bomb?
by Paul Higgins
If you recently ran a full system scan of your computer using Avast Free Antivirus, the program may have informed you that a file on your hard drive is a decompression bomb. A decompression bomb is a malicious compressed file designed to crash your anti-virus application or your entire system. Because decompression bombs rely on file compression technology, understanding how they can bring your system to a crawl requires you to first know how programs such as WinZip or WinRAR compress files.
File Compression 101
A file compression algorithm's job is to reduce the size of a file, thereby turning, for example, a 700MB movie file into a 500MB RAR file. To reduce a file's size, a compression program needs to first read that file and analyze it.
As you may already know, the content of any computer file is made of a series of 0s and 1s, known as binary code. A compression algorithm's job is to go through that binary code and look for patterns.
You rely on patterns in the real world too. If you had to dictate a large number over the phone to a friend, you would probably look for patterns as well. For example, instead of spelling out 10000000001, you may say one, eight zeroes and one.
A binary code fragment such as 11110000 contains two sets of repeating numbers -- four 1s and four 0s. To make that fragment smaller, a basic compression algorithm may rewrite that fragment as 4x1 4x0 (four times 1 and four times 0), therefore turning a fragment that used to take eight digits into one that only uses six characters.
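The run-length idea described above, written out as an added example that is not code from the article: a toy encoder and decoder for strings of 0s and 1s that use the article's own 4x1 4x0 notation, plus a function that works out how long the expanded output would be by reading the counts alone, without ever producing the output. The token format (count, the letter x, symbol, tokens separated by spaces) is an assumption made here for the example.

```python
def rle_encode(bits):
    """Collapse runs of identical symbols into count-x-symbol tokens,
    e.g. '11110000' -> '4x1 4x0'. Only '0'/'1' strings are expected."""
    if not bits:
        return ""
    tokens = []
    run_char, run_len = bits[0], 1
    for ch in bits[1:]:
        if ch == run_char:
            run_len += 1
        else:
            tokens.append(f"{run_len}x{run_char}")
            run_char, run_len = ch, 1
    tokens.append(f"{run_len}x{run_char}")
    return " ".join(tokens)


def rle_decode(encoded):
    """Expand '4x1 4x0' back into '11110000'. Note that the work done here is
    proportional to the counts, not to the length of the encoded string."""
    out = []
    for token in encoded.split():
        count, symbol = token.split("x")
        out.append(symbol * int(count))
    return "".join(out)


def decoded_length(encoded):
    """Size of the expanded output, computed from the counts without
    expanding anything. A cautious decoder checks this number against a
    limit before calling rle_decode on untrusted input."""
    return sum(int(token.split("x")[0]) for token in encoded.split())


if __name__ == "__main__":
    sample = "11110000"
    packed = rle_encode(sample)
    print(sample, "->", packed, "->", rle_decode(packed))
    # Constructed 'one followed by a trillion zeroes': 20 characters encoded,
    # but decoded_length reports how large the output would be.
    huge = "1x1 1000000000000x0"
    print(len(huge), "characters encode", decoded_length(huge), "output digits")
```

The point of decoded_length is that the encoded form tells you the cost of expansion up front; a decoder that refuses inputs whose declared length exceeds a budget never has to pay that cost.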
While such patterns are useful when it comes to making your holiday photos small enough for you to email to your friends, hackers can also use them for much more nefarious purposes.
Anatomy of a Decompression Bomb
Decompression bombs contain compressed data that describes extremely long repeating patterns. They are the equivalent of telling your friend over the phone to write down one, followed by a trillion zeroes. While that sentence contains only seven words, it could theoretically cause your friend to spend years writing down zeroes and use an inordinate amount of paper in the process.
Similarly, a ZIP or RAR file may seem small but it contains instructions that can generate extremely large files. The world's most powerful decompression bomb is only 5KB in size, but it can generate a 4ZB file -- one zettabyte being the equivalent of one trillion gigabytes -- when uncompressed.
Uses of a Decompression Bomb
Many anti-virus applications automatically open downloaded compressed files to check whether they contain malicious software. Decompression bombs, due to the size of the uncompressed files they generate, can overload an anti-virus program in an attempt to prevent it from analyzing another virus present in the compressed file.
Opening a decompression bomb manually can also lead to unfortunate consequences. Unpacking the bomb consumes a large amount of processor time, memory and disk space, and when the output it generates grows larger than the free space on your hard drive, it may bring your computer to a crawl and ultimately cause your operating system to crash.
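A defender's check for the scenario described in the last two sections, added here as an example that is not part of the article: it uses Python's standard zipfile module to read the sizes an archive declares in its central directory before extracting anything, and then extracts with a hard cap on the bytes actually produced, because the sizes declared in a crafted archive need not be honest. The in-memory sample archive, the member name zeros.bin and the thresholds are constructed for this example.

```python
import io
import zipfile

# Constructed sample: one member holding 8 MiB of zero bytes, deflated in
# memory. A stand-in built for this example, not a real-world bomb.
SAMPLE_MEMBER = "zeros.bin"
SAMPLE_EXPANDED_SIZE = 8 * 1024 * 1024


def build_sample_zip(expanded_size=SAMPLE_EXPANDED_SIZE):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(SAMPLE_MEMBER, b"\x00" * expanded_size)
    return buf.getvalue()


def inspect_archive(zip_bytes, max_total=64 * 1024 * 1024, max_ratio=100):
    """Read only the central directory: the size each member claims it will
    expand to. Nothing is decompressed. The archive is flagged when the
    declared total or the overall compression ratio exceeds the thresholds
    (the default thresholds are assumptions chosen for this example)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
    uncompressed = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos)
    ratio = uncompressed / max(compressed, 1)
    return {
        "uncompressed": uncompressed,
        "compressed": compressed,
        "ratio": ratio,
        "suspicious": uncompressed > max_total or ratio > max_ratio,
    }


class DecompressionLimitExceeded(Exception):
    pass


def extract_member_bounded(zip_bytes, name, limit):
    """Decompress one member in 64 KiB chunks, counting the bytes actually
    produced, and abort the moment the count passes `limit`. The cap is
    enforced on real output rather than on the header's claim, so a member
    whose declared size is false cannot get around it. Returns the count."""
    produced = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, zf.open(name) as member:
        while True:
            chunk = member.read(64 * 1024)
            if not chunk:
                break
            produced += len(chunk)
            if produced > limit:
                raise DecompressionLimitExceeded(
                    f"{name}: output exceeded {limit} bytes, extraction aborted"
                )
            # A real extractor would write `chunk` to disk here; we only count.
    return produced


def extraction_fits(zip_bytes, name, limit):
    """True if the member extracts completely within `limit` bytes."""
    try:
        extract_member_bounded(zip_bytes, name, limit)
        return True
    except DecompressionLimitExceeded:
        return False


if __name__ == "__main__":
    data = build_sample_zip()
    report = inspect_archive(data)
    print(f"{len(data)} bytes on disk, claims {report['uncompressed']} bytes "
          f"uncompressed, ratio {report['ratio']:.0f}:1, "
          f"suspicious={report['suspicious']}")
    print("fits in 1 MiB:", extraction_fits(data, SAMPLE_MEMBER, 1024 * 1024))
    print("fits in 16 MiB:", extraction_fits(data, SAMPLE_MEMBER, 16 * 1024 * 1024))
```

The two functions answer different questions: inspect_archive is the cheap pre-check a scanner can run on every download, and extract_member_bounded is the safety net that still holds when the headers lie. Deflate caps out near a 1000:1 ratio per layer, which is why bombs nest archives inside archives; a bounded extractor applied at every layer keeps the total cost under control.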
Always scan all downloaded files -- especially if they are compressed files -- with a reputable anti-virus application before opening them. Additionally, don't download files, compressed or not, from sites that you don't trust.