Bugtraq mailing list archives

Re: Decompression Bombs [...missed something]


From: Andreas Marx <amarx () gega-it de>
Date: Sat, 07 Feb 2004 19:56:20 +0100

Hi!

> isn't the concept the same as the one I produced 3 months ago in...
> http://www.securityfocus.com/bid/8572/info/
> indeed the replica... of my old concept!

No, that's not the case. The history of decompression bombs is much, much older. For example, Rob Rosenberger (www.vmyths.com) had already created such test sets in 1998 and 1999 (eistpfh.zip). He has presented his results at conferences (e.g. in 2000) a few times already. He has created several test cases, and many AV programs still have problems with his test set.

His test set includes files like these:
"40,000 small DOTs masquerading as DOCs, infected with CAP virus, compressed to 132MB by WinZip.zip"
"A thousand ZIPs, each with a 1GB EXE which creates a 1GB TXT, compressed to 15MB.zip"
"A thousand ZIPs, each with a thousand ZIPs, each with a 1GB TXT, compressed to 21MB.zip"
"Multiple (2) 1GB EXE files, each which create a 1GB TXT, compressed to 2MB.zip"
"A 64MB RTF compressed to 2k (two extra final levels of compression).zip"
and so on.

We (www.av-test.org) have included decompression bombs in our test set as well; for example, our test of anti-virus software for Exchange 2000 (SP1), dated 2001-09, included such files. For this, we tested heavily nested zip files (mail bombs, such as the "famous" 42.zip), we created ARJ and ZIP archives with device names like AUX or LPT1, and we created archives with paths like "../name.exe". More than half of all tested AV products were vulnerable to these attacks at the time, and it was only a small-scale test of such aspects.

cheers,
Andreas Marx

--
BSc. Andreas Marx <amarx () gega-it de>, http://www.av-test.org
AV-Test GmbH, Klewitzstr. 7, 39112 Magdeburg, Germany
Phone: +49 (0)391 6075466, Fax: +49 (0)391 6075469


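As an added example (not part of the post, and not AV-Test's or Rosenberger's tooling), the following Python checker covers the three classes of archive the post describes: high-ratio members and zip-in-zip nesting, entries named after reserved Windows devices such as AUX or LPT1, and entries whose paths escape the extraction directory like "../name.exe". It works from the central directory and inflates at most four bytes of each member before deciding whether to recurse, so it does not itself become a victim of the bomb. The policy limits, the helper names and the sample archives are my own assumptions; the samples are constructed in memory and are far smaller than the originals (no 1 GB members), which is enough to exercise every check.

```python
import io
import re
import zipfile

# Windows reserved device names; "AUX.txt" or "lpt1" still resolve to the device.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Assumed policy limits for illustration; tune per deployment.
DEFAULT_POLICY = {
    "max_depth": 4,                        # archive-in-archive levels we will descend
    "max_ratio": 100,                      # uncompressed:compressed ratio per member
    "max_total_bytes": 64 * 1024 * 1024,   # declared uncompressed bytes across the whole tree
    "max_member_bytes": 8 * 1024 * 1024,   # largest nested archive we will buffer to recurse into
}


def _is_device_name(name):
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.split(".", 1)[0].upper() in RESERVED_DEVICE_NAMES


def _is_traversal(name):
    n = name.replace("\\", "/")
    return n.startswith("/") or re.match(r"^[A-Za-z]:", n) is not None or ".." in n.split("/")


def inspect_zip(data, policy=None):
    """Inspect zip bytes without writing anything to disk.

    Returns {"findings": [(kind, path, detail), ...], "max_depth": int,
             "declared_bytes": int, "worst_ratio": float}.
    """
    policy = policy or DEFAULT_POLICY
    report = {"findings": [], "max_depth": 0, "declared_bytes": 0,
              "worst_ratio": 0.0, "over_budget": False}
    _walk(data, 0, "<root>", policy, report)
    del report["over_budget"]
    return report


def _walk(data, depth, label, policy, report):
    report["max_depth"] = max(report["max_depth"], depth)
    if depth > policy["max_depth"]:
        report["findings"].append(("nesting", label, f"depth {depth} exceeds {policy['max_depth']}"))
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["findings"].append(("badzip", label, "not a readable zip"))
        return
    with zf:
        for info in zf.infolist():
            if report["over_budget"]:
                return
            path = f"{label}/{info.filename}"
            # Sizes come from the central directory, so budget before inflating anything.
            report["declared_bytes"] += info.file_size
            if report["declared_bytes"] > policy["max_total_bytes"]:
                report["over_budget"] = True
                report["findings"].append(("total", path, "declared size exceeds budget; stopping"))
                return
            if info.compress_size > 0:
                ratio = info.file_size / info.compress_size
                report["worst_ratio"] = max(report["worst_ratio"], ratio)
                if ratio > policy["max_ratio"]:
                    report["findings"].append(("ratio", path, f"{ratio:.0f}:1"))
            if _is_device_name(info.filename):
                report["findings"].append(("device", path, "reserved device name"))
            if _is_traversal(info.filename):
                report["findings"].append(("traversal", path, "escapes extraction directory"))
            if info.is_dir() or info.flag_bits & 0x1:
                continue  # nothing to inflate, or encrypted: cannot look inside
            # Inflate only the first 4 bytes to see whether this member is itself a zip.
            with zf.open(info) as fh:
                magic = fh.read(4)
            if magic != b"PK\x03\x04":
                continue
            if info.file_size > policy["max_member_bytes"]:
                report["findings"].append(("nesting", path, "nested archive too large to inspect"))
                continue
            _walk(zf.read(info), depth + 1, path, policy, report)


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


def build_samples():
    """Constructed in-memory test archives modelled on the classes of file the post names."""
    # A 4 MiB run of zeros deflates to a few KiB: a single-member bomb.
    bomb = _zip_bytes([("big.txt", b"\0" * (4 * 1024 * 1024))])
    # Six levels of zip-in-zip around a small file, in the spirit of 42.zip.
    nested = _zip_bytes([("leaf.txt", b"hello")])
    for level in range(6):
        nested = _zip_bytes([(f"level{level}.zip", nested)])
    # Device names and a path that escapes the extraction directory.
    names = _zip_bytes([("AUX", b"x"), ("lpt1.txt", b"x"),
                        ("../name.exe", b"MZ"), ("ok/readme.txt", b"fine")])
    return {"bomb": bomb, "nested": nested, "names": names}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        r = inspect_zip(blob)
        print(name, f"depth={r['max_depth']} ratio={r['worst_ratio']:.0f} declared={r['declared_bytes']}")
        for kind, path, detail in r["findings"]:
            print("  ", kind, path, detail)
```

The ratio and total-size checks rely on the sizes the archive declares, which an attacker controls; a real scanner should also stop inflating once the bytes actually produced exceed the declared size, and should treat any member it cannot inspect (encrypted, oversized) as a reason to quarantine rather than to pass the mail through.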