Submitted by [deleted] t3_ydcv2u in explainlikeimfive
[deleted]
Submitted by [deleted] t3_ydcv2u in explainlikeimfive
[deleted]
So you just suck out the excess in this case, and then you add it back later?
They aren't actually compressing something that already exists, they're creating a file that tricks the decompresser into creating a lot of files out of nowhere.
Like imagine you have instructions for creating a book, and the instructions read, "put a 1 on each page, and print a million pages"
You don't actually have to have an existing million page book to write those instructions, the decompresser/book maker will follow those instructions anyways. The (instructions for making a book/zip file) is really tiny, but the end result is huge.
A compressed file is a description for the decompression tool as to how to generate the original content. If the decompression tool follows the descriptions in the compressed file step by step it will end up with the exact same data as the compression tool got as input. A zip bomb however is not made by any compression tool. Someone made the "compressed" file by hand creating instructions that would be impossible to follow without consuming infinite amounts of CPU, memory and storage.
So it's not possible to compress an already made file this small?
Please read this entire message
Your comment has been removed for the following reason(s):
Although we recognize many guesses are made in good faith, if you aren’t sure how to explain please don't just guess. The entire comment should not be an educated guess, but if you have an educated guess about a portion of the topic please make it explicitly clear that you do not know absolutely, and clarify which parts of the explanation you're sure of (Rule 8).
If you would like this removal reviewed, please read the detailed rules first. **If you believe it was removed erroneously, explain why using this form and we will review your submission.
It's basically a code telling itself to write more code, so the initial instructions don't need to be large at all.
Simple example:
1 Set "number" equal to 0
2 Set "number" equal to (number+1)
3 Save number in new file named "(number)"
4 Go to step 2
So in this entirely fake program, the idea is it will start with a variable =0. It will then change that variable to 1. Then it will make a save file called "1." Then it will change the variable to 2, and make a save file called "2." And it just keeps repeating, adding one more and then creating a new file in your computer. This would eventually take up every single bit of free memory and it will never stop running.
That book is a great example.
It's not possible for an already made file like that to exist. Unzipped zip bombs can be many thousands of petabytes, which are themselves a thousand terabytes each. Most computers have a few terabytes of storage at most (which is the point of the zip bomb) and even if they did, unzipping files that big would potentially take years (also the point of the zip bomb).
If you started with an actual file to compress it would take up that much space and take that long to compress. You'd zip bomb yourself.
Only if it's something simple, like you could compress an incredibly large blank white image down really tiny. And then you could edit the zip file to say there's actually a million of them in there.
But for the most part that's not going to work as well.
At a very basic level, compression just takes the existing data and finds a shorter way of writing it. Let's say I had a list like:
Apple
Apple
Apple
Banana
I could compress the list, rewriting it as
3 Apple
1 Banana
And the same amount of data takes up less space. But it still takes up some amount of space. And the amount of space it takes up is directly related to the format of the list.
Apple
Apple
Banana
Apple
For instance would have to be compressed into
2 Apple
1 Banana
1 Apple
Which takes up more space, even compressed. So any meaningful data you have has a lower limit on how small it can be and still be useful. A zip bomb would be like sitting down and maliciously making a list that, when compressed, says
99999 Apple
The compression is very small but the output is very large.
TLDR: You can construct a file that compresses into a miniscule file size, but most real files that contain usable information won't.
Different tools will have different limits, but some antiviruses consider anything with a compression ratio greater than 90% to be a zip bomb. It isn't difficult to make such a file, just a 4KB file filled with zeroes will have around 178 bytes when zipped, which is a 96% compression ratio. And you can easily do this yourself.
However, this file is not really large enough to be malicious. To be malicious, you'd have to use a larger file. For example, a 1GB zip with that compression ratio would take up 23GB when unzipped, which could easily be seen as malicious depending on the content.
If you want to create an even larger zip bomb, you probably won't have enough space on your system to compress a file, but you would just manually modify the zip structure so that instead of saying 4000 zeroes it says 40000000000000 zeroes. This would give you a compression ratio very close to 100%.
You don't have to compress the results of the bomb, just the means to make the bomb.
For example, you write an instruction for the computer to calculate pi to 1 million places. You don't need to calculate pi yourself and compress the million characters. The zip file telling the computer to calculate pi is much smaller than 100 digits of pi.
[deleted] OP t1_itrd1gn wrote
[removed]