Re: Antivirus scanner DoS with zip archives

[Aycan Irican <aycan () mars prosoft com tr>]

On Thu, 21 Jun 2001, Robert Davidson Security wrote:

> On Tue, Jun 19, 2001 at 08:53:54PM +0200, Michel Arboi wrote:
> > --- Markus 'FvD' Weber <fvd () ira uka de> a ?crit?:
> > > There is 42.zip out there, 42K total size, which consists of
> > > nested zip's and at the end a 4GB file (IIRC 6 levels deep,
> > > each level 17 'wide') ... kills most email virus checker.
> >
> > I did not know it existed. Altavista found this on
> > http://www.hanau.net/fgk/downloads/42.zip
> >
> > Why is this kind of attack not more common? I suspect that most filters
> > are vulnerable and yet, they are not listed as such (e.g. on
> > securityfocus). And companies continue to use them.
>
> This used to be really common with BBS's back in their day.  The idea
> back then was to get a 1Gb file full of null charactors, compress it
> and upload it to the BBS, that way when the BBS's virus scanner (which
> also uncompressed the file) attempted to check the archive for viruses,
> it would either 1) consume all disk space, 2) keep the system busy for
> ages (some people ran 386's and 486's back then).  The normal thing a
> user would do is upload the file and then hang up, which also leaves
> that dial-up line off-line while the virus scanner is checking the
> contents of the archive.
>
> --
> Regards,
> Robert Davidson.

oh yes, the old days ...I used pcboard on my BBS and the pfed file
integrity checker can run any batch job when a line starts with '@'.
It's an old vulnerability i know.

Maybe we should put disk quota for the user that runs virus scannner
thingy.