Thursday, February 12, 2004

under pressure

If you're not opening email attachments from people you don't know, and you run a good antivirus system that you update frequently, you might think you're safe from all harm. Of course, the tricky little buggers who write virii and the script kiddies who want to hax0r your machine are always trying to find thinking-outside-of-the-box tricks to get around existing computer defenses. It turns out that some seemingly innocuous technologies like file compression can be used to harm a system in ways you'd never expect.

An example: when an email arrives at its destination, it is usually scanned for virii. Of course, a virus could attempt to evade the virus scanner by hiding in a zipped file, so modern scanners open up compressed files and scan the contents. Since there are limits to the size of emails that can reasonably be sent, the computational cost of this scanning usually has a reasonable upper bound. The weak spot lies in the ability of compression algorithms to compress extremely large amounts of data into a tiny archive... bzip2 can reduce a (selectively chosen) 100GB data file to 220 bytes.

When the target computer attempts to scan these files, they balloon in size, filling memory and swap space while consuming cycles and finally choking the system. This can be used as a trojan payload for a DoS, or malicious code can be inserted at the end of the file to take advantage of buffer overruns, or a virus could use this method to disable your antivirus system before implanting itself in your system. Antivirus programs are moderately hip to this attack, and you wouldn't intentionally open a zip file of unknown provenance (would you?), so there isn't much of a risk to end users... there's a somewhat higher risk for mail servers, which could be taken down as part of a DoS attack.
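As an added example (not from the original post), here is one way a mail-gateway scanner can bound the cost described above: read the declared sizes in the zip's central directory as a cheap first filter, then inflate in fixed-size chunks against a hard output budget so that a lying header still cannot force a multi-gigabyte allocation. The archive is constructed in memory from zero bytes for the test, and the budget and ratio thresholds are assumed policy values, not anything the post specifies.

```python
import io
import zipfile

# Assumed policy values: inflated bytes allowed per archive, and the densest ratio accepted.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024
MAX_RATIO = 100.0
CHUNK = 64 * 1024  # inflate in 64 KiB steps so memory use stays flat

def build_sample_zip(size_bytes: int) -> bytes:
    """Constructed test input: all-zero bytes deflate at roughly 1000:1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * size_bytes)
    return buf.getvalue()

def inspect_headers(zip_bytes: bytes) -> tuple[int, float]:
    """Cheap pass over the central directory: (declared total, ratio).
    Headers can lie, so this is a hint, not the enforcement point."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        declared = sum(i.file_size for i in zf.infolist())
        compressed = sum(i.compress_size for i in zf.infolist()) or 1
    return declared, declared / compressed

def inflate_within_budget(zip_bytes: bytes, budget: int) -> dict[str, int]:
    """Enforcement: inflate each member in fixed chunks and abort once total
    output exceeds the budget; peak memory is one chunk, whatever the header says."""
    produced, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            member_total = 0
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    member_total += len(chunk)
                    total += len(chunk)
                    if total > budget:
                        raise ValueError(f"budget exceeded inflating {info.filename}")
            produced[info.filename] = member_total
    return produced

def is_decompression_bomb(zip_bytes: bytes, budget: int = MAX_TOTAL_UNCOMPRESSED,
                          max_ratio: float = MAX_RATIO) -> bool:
    """True when the archive should be rejected rather than scanned."""
    declared, ratio = inspect_headers(zip_bytes)
    if declared > budget or ratio > max_ratio:
        return True
    try:
        inflate_within_budget(zip_bytes, budget)
    except ValueError:
        return True
    return False
```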

Web browsers can be affected by this as well, since pictures and gzip'ed HTML are compressed too (a suitably chosen file that can be transferred in a few KB can take up 1GB in memory), which can slow or even stop the machine. This is more of an annoyance than a risk... it's just interesting to note how a simple technology can have such unexpected behaviors.