Malware: Bombs away

Shawna McAlearney, News Editor

Compression formats, such as the popular .zip, are the bane of the antivirus industry, as unsuspecting users unleash worm after worm hidden within compressed files. Now, they pose another threat.

Peter Bieringer, a security consultant at Germany-based network security company AERAsec, says so-called "decompression bombs" cause many popular antivirus engines to crash when they attempt to decompress gigabytes of data and scan hundreds and thousands of files for viruses. The result can be a denial-of-service attack against applications or systems because of the heavy processing load.

According to AERAsec, antivirus products from Trend Micro (fix available), Network Associates, Kaspersky Labs, Sophos, FRISK and AMaVis are prone to the problem. Some Web browsers that support gzip transfers -- including versions of Mozilla, Opera and Konqueror -- are also susceptible.

Bieringer warns that issues can arise any time the decompressor works only in a dump mode. He recommends implementing limits during decompression -- maximum depth of recursive compressed files, the amount of disk/memory-space available and the number of files created -- and adding an anomaly checker with configurable limits.

    Requires Free Membership to View

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: