Vulnerability Development mailing list archives

Re: Antivirus scanner DoS with zip archives


From: Robert Davidson Security <security () virtual ebbs com au>
Date: Thu, 21 Jun 2001 09:31:27 +1000

On Tue, Jun 19, 2001 at 08:53:54PM +0200, Michel Arboi wrote:
> --- Markus 'FvD' Weber <fvd () ira uka de> wrote:
> > There is 42.zip out there, 42K total size, which consists of
> > nested zips and at the end a 4GB file (IIRC 6 levels deep,
> > each level 17 'wide') ... kills most email virus checkers.
>
> I did not know it existed. Altavista found this on
> http://www.hanau.net/fgk/downloads/42.zip
>
> Why is this kind of attack not more common? I suspect that most filters
> are vulnerable and yet, they are not listed as such (e.g. on
> securityfocus). And companies continue to use them.

This used to be really common with BBS's back in their day.  The idea 
back then was to get a 1Gb file full of null characters, compress it 
and upload it to the BBS, that way when the BBS's virus scanner (which 
also uncompressed the file) attempted to check the archive for viruses, 
it would either 1) consume all disk space, 2) keep the system busy for 
ages (some people ran 386's and 486's back then).  The normal thing a 
user would do is upload the file and then hang up, which also leaves 
that dial-up line off-line while the virus scanner is checking the 
contents of the archive.

--
Regards,
Robert Davidson.
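
Added example, not part of the original post or of any scanner's code: one way a scanner can unpack an upload defensively, charging every inflated byte and every nesting level to a fixed budget so that a null-filled or nested archive is rejected instead of filling the disk. The limits, the names scan_zip, build_zip and ArchiveBudgetExceeded, and the sample archives are assumptions made for illustration.

```python
import io
import zipfile

MAX_DEPTH = 3                  # assumed policy: nesting levels to follow
MAX_TOTAL_BYTES = 1024 * 1024  # assumed policy: bytes inflated per upload
CHUNK = 64 * 1024


class ArchiveBudgetExceeded(Exception):
    """Raised when an upload costs more than the scanner will spend on it."""


def build_zip(name, payload):
    """Build a small in-memory zip (used only to construct sample input)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return out.getvalue()


def scan_zip(data, depth=0, budget=None):
    """Inflate every member, nested zips included, against one shared budget.

    Returns the number of bytes inflated so far; raises ArchiveBudgetExceeded
    instead of exhausting disk or tying up the scanner.
    """
    if budget is None:
        budget = {"left": MAX_TOTAL_BYTES}
    if depth > MAX_DEPTH:
        raise ArchiveBudgetExceeded("nesting deeper than %d" % MAX_DEPTH)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Cheap rejection on the declared size before inflating anything.
            if info.file_size > budget["left"]:
                raise ArchiveBudgetExceeded("%s declares %d bytes"
                                            % (info.filename, info.file_size))
            member = bytearray()
            with zf.open(info) as fh:
                # Charge bytes as they are produced, not only what the header says.
                for chunk in iter(lambda: fh.read(CHUNK), b""):
                    budget["left"] -= len(chunk)
                    if budget["left"] < 0:
                        raise ArchiveBudgetExceeded("budget spent in " + info.filename)
                    member += chunk
            if zipfile.is_zipfile(io.BytesIO(member)):
                scan_zip(bytes(member), depth + 1, budget)
    return MAX_TOTAL_BYTES - budget["left"]
```

The budget is shared across the whole recursion, so many small members at several levels are counted together rather than each being judged on its own.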

