Author Topic: A fix to the archive bombing  (Read 5084 times)


c0Ld

  • Guest
A fix to the archive bombing
« on: June 18, 2004, 01:13:18 AM »
I used to use Trend Micro's PC-Cillin Internet Security 2004.

It has an option.



After 6 layers of a compressed archive, it gives up and tells you that it failed to scan it because the archive has too many layers.

This could easily provide a fix, and it would be awesome if it could be implemented into avast :)


PS: Sorry if this was suggested before, if it was ignore me :P

Kobra

  • Guest
Re:A fix to the archive bombing
« Reply #1 on: June 18, 2004, 02:00:24 AM »
Holy god, that interface!  Looks like my 3 year old drew it in paintbrush!  =)

There are two options I see for archive bombs.  KAV-engine-based products somehow recognize them as "Mail Bombs" with signatures.  A couple of other AVs simply allow you to restrict the level of archive scanning down to a set number of layers.


Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2248
Re:A fix to the archive bombing
« Reply #2 on: June 18, 2004, 02:43:19 AM »
Restricting number of levels would certainly be a big step in the right direction, of course.

But am I way off base in guessing that, depending on the particular kind of archiving used, it quite possibly would take very few levels to create unmanageably large files and disk usage?
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:A fix to the archive bombing
« Reply #3 on: June 18, 2004, 02:50:13 AM »
Quote
KAV engine based products somehow recognize them as "Mail Bombs" with Signatures.
There are many bombs, and you can even modify one very easily: the output file will not consist of zeroes but of ones -> it would not be detected by a signature (or the output file will be 4 static repeated bytes, etc. etc. - :P).

Quote
A couple other AV's simply allow you to restrict the level of archive scanning down to a set amount of layers.
The bombs may be created in less than 6 layers, really.

We've already found a way to recognize these bombs, but it will not be easy to implement :'(.

c0Ld

  • Guest
Re:A fix to the archive bombing
« Reply #4 on: June 18, 2004, 03:05:22 AM »
Well, you can set it to only scan up to one layer....

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:A fix to the archive bombing
« Reply #5 on: June 18, 2004, 04:20:25 AM »
Quote
Well, you can set it to only scan up to one layer....
It's not a solution: mail_attachment.zip\run_me.exe\run_me.exe - infected (2 layers: zip, UPX exe file).

c0Ld

  • Guest
Re:A fix to the archive bombing
« Reply #6 on: June 18, 2004, 05:02:04 AM »
Once it detects the .exe is an archive, it stops scanning anyway.

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:A fix to the archive bombing
« Reply #7 on: June 18, 2004, 05:32:46 AM »
Quote
Once it detects the .exe is an archive it stops scanning anyway

The bomb archive may not contain a virus. It's your turn now ;).
« Last Edit: June 18, 2004, 05:33:04 AM by pk »

c0Ld

  • Guest
Re:A fix to the archive bombing
« Reply #8 on: June 18, 2004, 06:39:43 AM »
So? It still stops scanning it... it doesn't matter if it has a virus or not, it cancels the scan and pops up complaining that it had too many layers :P

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:A fix to the archive bombing
« Reply #9 on: June 18, 2004, 10:44:17 AM »
Quote
So? It still stops scanning it...doesn't matter if it has a virus or not, it cancels the scan and pops up complaining that it had too many layers :P

I have a bzip2 bomb (one-byte content: 500 bytes, complex content: 50 KB) which unpacks itself to something around 100 GB in 2 layers :P; but yes, we could check the decompressed size against the archive size across layers.
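
The size-versus-layers check pk mentions, as an added Python example that is not Avast code and was not posted in this thread: a scanner that opens nested zip and bzip2 layers only up to a depth limit, decompresses in bounded chunks, and stops the moment the total decompressed output across all layers exceeds a fixed multiple of the outermost file's size (or an absolute byte cap). The sample inputs are constructed inside the block: a benign zip, a 7-layer nesting, and a small bz2 stream that expands to 8 MiB of zeros inside a zip. The NestedScanner class, its default limits and the helper names are all assumptions of this example, not anything from the products discussed above.

```python
"""Bounded nested-archive scanning: nesting-depth limit plus an expansion budget
shared by every layer (constructed example; not Avast or PC-Cillin code)."""
import bz2
import io
import zipfile

CHUNK = 64 * 1024  # decompress in small pieces so a bomb cannot exhaust RAM first


class ArchiveBomb(Exception):
    """Raised as soon as a depth, ratio or total-size limit is exceeded."""


class NestedScanner:
    def __init__(self, max_depth=6, max_ratio=1000, max_total=64 * 1024 * 1024):
        self.max_depth = max_depth   # container layers we are willing to open
        self.max_ratio = max_ratio   # decompressed bytes / size of the outermost blob
        self.max_total = max_total   # absolute cap on bytes produced, all layers
        self.outer_size = 1
        self.expanded = 0
        self.deepest = 0

    def _charge(self, n):
        # Called for every chunk produced at any layer, before it is kept.
        self.expanded += n
        if self.expanded > self.max_total:
            raise ArchiveBomb(f"expanded output exceeds {self.max_total} bytes")
        if self.expanded > self.max_ratio * self.outer_size:
            raise ArchiveBomb(f"expansion ratio exceeds {self.max_ratio}:1")

    @staticmethod
    def _kind(data):
        # Identify by magic bytes, not by file extension (run_me.exe may be a container).
        if data[:4] == b"PK\x03\x04":
            return "zip"
        if data[:3] == b"BZh":
            return "bz2"
        return None

    def _bz2_chunks(self, data):
        d = bz2.BZ2Decompressor()
        buf = data
        while not d.eof:
            chunk = d.decompress(buf, max_length=CHUNK)  # output bounded per call
            buf = b""
            if not chunk and d.needs_input:
                break  # truncated stream: nothing more will come out
            self._charge(len(chunk))
            yield chunk

    def _zip_members(self, data):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = bytearray()
                with zf.open(info) as f:
                    while True:
                        chunk = f.read(CHUNK)
                        if not chunk:
                            break
                        self._charge(len(chunk))  # count actual bytes, not header claims
                        inner += chunk
                yield info.filename, bytes(inner)

    def _scan(self, data, depth):
        kind = self._kind(data)
        if kind is None:
            return  # leaf object: this is where a signature scanner would take over
        if depth >= self.max_depth:
            raise ArchiveBomb(f"more than {self.max_depth} nested layers")
        self.deepest = max(self.deepest, depth + 1)
        if kind == "zip":
            for _name, inner in self._zip_members(data):
                self._scan(inner, depth + 1)
        else:
            inner = bytearray()
            for chunk in self._bz2_chunks(data):
                inner += chunk
            self._scan(bytes(inner), depth + 1)

    def check(self, blob):
        """Return a verdict dict; never raises for bad input, and never expands
        more than max_total bytes or max_ratio times the blob's own size."""
        self.outer_size, self.expanded, self.deepest = max(len(blob), 1), 0, 0
        try:
            self._scan(blob, 0)
        except ArchiveBomb as e:
            return {"ok": False, "reason": str(e), "layers": self.deepest, "expanded": self.expanded}
        except (zipfile.BadZipFile, OSError, EOFError) as e:
            return {"ok": False, "reason": f"malformed archive: {e}", "layers": self.deepest, "expanded": self.expanded}
        return {"ok": True, "reason": "", "layers": self.deepest, "expanded": self.expanded}


def make_zip(name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def nest_zip(payload, layers):
    blob = payload
    for i in range(layers):
        blob = make_zip(f"layer{i}.bin", blob)
    return blob


# Constructed samples (no malware): a benign document, a 7-deep nesting, and a
# tiny bz2 stream that expands to 8 MiB of zeros hidden inside a zip.
BENIGN = make_zip("readme.txt", b"quarterly report\n")
TOO_DEEP = nest_zip(b"hello", 7)
ZERO_BOMB = make_zip("run_me.bz2", bz2.compress(b"\x00" * (8 * 1024 * 1024)))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("too deep", TOO_DEEP), ("zero bomb", ZERO_BOMB)):
        print(label, len(blob), "bytes ->", NestedScanner().check(blob))
```

The ratio check is evaluated on every chunk rather than after a member is fully extracted, which is what keeps memory and disk bounded: the 8 MiB sample is rejected after a few hundred kilobytes of output, and raising the depth limit alone (`NestedScanner(max_depth=8)`) lets the harmless 7-layer nesting through while the ratio check still catches the bomb.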

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2248
Re:A fix to the archive bombing
« Reply #10 on: June 18, 2004, 06:40:36 PM »
I think the last few exchanges on this topic have missed a fairly important point -- a decompression bomb is a menace all by itself, whether or not it also happens to contain a virus.

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re:A fix to the archive bombing
« Reply #11 on: June 18, 2004, 06:44:53 PM »
The only antivirus capable of lasting LONG (deep to high levels) or totally against a compression bomb (tested on a 3GB memory machine with 4GB swap and 10+GB temp) was the Polish MKS antivirus ...
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive