
Zip Bomb - Definition, Types & Prevention

A Zip Bomb (decompression bomb) is a malicious archive file designed with highly compressed repetitive data that can crash programs or systems when decompressed.



What is a Zip Bomb?

April 10, 2025

A zip bomb (also known as a decompression bomb or death archive) is a malicious archive file containing massive amounts of highly compressed repetitive data. Despite its small size, when decompressed it expands exponentially, overwhelming system resources and potentially causing crashes or denial of service. While not directly harmful to data, zip bombs can disable security software, creating vulnerability windows for more dangerous attacks.

What is a Zip Bomb?

A zip bomb is a specifically crafted compressed file, usually just kilobytes in size, that expands to an enormous volume when decompressed—often gigabytes, petabytes (millions of GB), or even exabytes (billions of GB). This resource exhaustion attack exploits compression algorithms to create archives with extreme compression ratios.

When a program such as an antivirus scanner or file extractor attempts to process these deceptively small files, the decompression process consumes excessive memory, disk space, or processing power, potentially causing system crashes or rendering the computer temporarily unusable.

Unlike most malware, zip bombs don't contain malicious executable code—they're dangerous solely because of their structural properties. This makes them particularly interesting from a cybersecurity perspective as they exist in a gray area between malicious software and legitimate (but problematic) files.

Historical Context


The first documented zip bomb incident occurred in 1996 on Fidonet, an early bulletin board system. An unsuspecting system administrator opened a seemingly innocent compressed file, which then consumed all available resources on the server, causing a system-wide crash.

Since then, zip bombs have evolved from simple pranks to sophisticated tools used in more complex attacks, including as components in anti-forensic techniques to hinder malware analysis.

How Zip Bombs Work

Zip bombs exploit fundamental principles of data compression algorithms. Here's how they function:

The underlying technique relies on creating files with highly repetitive data. When such repetitive data is compressed, compression algorithms can represent it very efficiently. For example, a file containing a million zeros can be compressed extremely efficiently because the algorithm only needs to store "zero × 1,000,000" rather than storing each zero individually.

A basic zip bomb might contain a single large file with highly repetitive data. More advanced versions implement recursive nesting, where compressed archives contain other compressed archives, creating multiple decompression layers. Each layer expands significantly when decompressed, leading to an exponential growth effect.

Understanding Compression Ratios


Compression is the reduction of the number of bits required to represent data. The effectiveness of compression is measured as a ratio:

Compression ratio = Uncompressed size ÷ Compressed size

For example, if a 100MB file compresses to 20MB, the compression ratio is 5:1.

Normal files typically achieve compression ratios between 2:1 and 10:1. Zip bombs, however, can achieve ratios of 1,000:1 or even 1,000,000:1 by exploiting patterns and recursion.

Consider the string:

    xxxyyyyxxxyxxxyxxx

This string is 18 characters long with repetitive "xxx" patterns. Using a simple substitution:

    $yyyy$y$y$
    $=xxx

This compressed representation requires only 15 characters. Zip bombs apply this principle at extreme scales with nested layers of compression.

[Figure: Zip Bomb Structure: Layers and Expansion. Decompressed size (logarithmic scale) per decompression layer: Layer 1 42 KB, Layer 2 10 MB, Layer 3 5 GB, Layer 4 100 GB, Layer 5+ PB+.]

Archive-based threats and compression ratio visualization

Types of Zip Bombs

Zip bombs have evolved over time, with several distinct types now recognized in the cybersecurity community:

1. Traditional Zip Bombs

These are the classic implementation that contain highly repetitive data in a standard ZIP format. The most famous example is "42.zip," which is only 42KB compressed but expands to 4.5 petabytes when fully decompressed.

2. Nested Zip Bombs

These employ a recursive structure where ZIP files contain other ZIP files, creating multiple layers of compression. Each layer expands significantly, creating an exponential growth pattern. The nesting might be 5-6 layers deep, with each layer containing multiple copies of the next layer.

3. Quines

A ZIP quine is a ZIP file that contains a copy of itself, creating a potentially infinite recursion loop during extraction. When processed by poorly designed decompression algorithms, this can cause infinite loops that exhaust system resources.

4. Format-Specific Bombs

Beyond ZIP files, similar compression bombs exist for other formats:

  • RAR bombs use the RAR compression format
  • XML bombs exploit XML entity expansion
  • PDF bombs leverage PDF compression mechanisms
  • PNG bombs use the PNG image format's compression capabilities

5. Polymorphic Zip Bombs

These advanced zip bombs change their structure to evade signature-based detection by antivirus software while maintaining their harmful decompression properties. By varying the internal structure or adding random data, they can bypass simple detection methods.

Real-World Examples

42.zip - The Classic Zip Bomb


The most infamous zip bomb is "42.zip". Despite weighing only 42 KB compressed, it expands to 4.5 petabytes (4,500,000 GB) when fully decompressed.

42.zip employs a 5-level recursion system of 16 nested zip files. Each zip file at the lowest level decompresses to a 4.3 GB file of zeros. The construction uses standard deflate compression, making it compatible with most zip utilities.

This particular zip bomb has become a standard test case for antivirus and file scanning solutions to ensure they can handle potentially malicious archives safely.

The Billion Laughs Attack

While not strictly a zip bomb, the "Billion Laughs" attack (also known as XML bomb) operates on similar principles. It's an XML file that uses entity expansion to create exponential growth during parsing. When processed, it can consume all available memory on a system.

ZBleed (2020)

A more recent innovation, ZBleed, combined zip bomb techniques with memory corruption vulnerabilities in certain decompression libraries. Rather than simply consuming resources, these could potentially enable arbitrary code execution when specific vulnerable parsers processed them.

bamsoftware/zip-bomb

Researcher David Fifield created a sophisticated zip bomb that achieved unprecedented compression ratios—10TB of data compressed to just 42KB—while remaining compatible with standard ZIP tools. This project demonstrated advanced techniques including overlapping compression and strategic use of ZIP's storage mechanisms.

Risks and Dangers

While zip bombs don't contain malicious code like trojans or ransomware, they pose several significant risks:

Primary Threats

  • Denial of Service: By consuming all available system resources (memory, CPU, disk space), zip bombs can render systems temporarily unusable.
  • Security Software Disruption: They can be used to disable or crash antivirus scanners, creating a window of vulnerability for other malware to exploit.
  • Data Processing Systems Attacks: Systems that automatically process compressed files (like email servers, document management systems) are particularly vulnerable.

Secondary Risks

Zip bombs are often used as components in more sophisticated attack chains:

  • Anti-Forensics: Attackers may use zip bombs to hinder malware analysis by crashing forensic tools.
  • Distraction Techniques: A zip bomb may be deployed to divert attention and resources during a more targeted attack elsewhere on the network.
  • Security Testing Evasion: They may be used to bypass security systems that scan file uploads or attachments.

Warning Signs and Detection

Detecting potential zip bombs before they cause damage requires attention to several warning signs:

Characteristics of Suspicious Archives

  • Unusually small ZIP files claiming to contain much larger content
  • Extreme compression ratios (compressed size is thousands or millions of times smaller than claimed uncompressed size)
  • Nested archives with multiple layers of compression
  • Archives with recursive structures or self-references

System Behavior During Decompression

When a zip bomb begins decompressing, you may notice:

  • Sudden excessive memory usage
  • Rapid disk space consumption
  • System becoming increasingly unresponsive
  • Decompression progress appearing unusually slow or stalled

Technical Detection Methods

Modern security tools use several techniques to identify potential zip bombs:

  • Metadata Analysis: Examining the header information of compressed files to identify suspicious compression ratios
  • Controlled Decompression: Partially decompressing files in a sandboxed environment with strict resource limits
  • Pattern Recognition: Identifying common structures used in known zip bombs
  • Recursion Limiting: Restricting the depth of nested archives that will be processed

Prevention

Protecting systems from zip bombs requires a multi-layered approach:

For Individual Users

  • Keep your antivirus software updated with the latest definitions
  • Be cautious about opening compressed files from untrusted sources
  • Use extraction tools that implement resource limitations and bomb detection
  • Verify the expected size of compressed archives before extracting them
  • If possible, scan compressed files with security tools that can detect zip bombs safely

For System Administrators

  • Implement file upload size restrictions on web applications
  • Configure email gateways to reject or quarantine suspicious compressed attachments
  • Set resource limitations on decompression processes in production environments
  • Use advanced malware detection systems that can safely identify compression bombs
  • Implement firewall rules that block known zip bomb signatures

For Developers

When implementing file decompression functions, always:

  • Check compression ratios before decompression
  • Implement hard limits on the amount of memory and disk space that can be used during decompression
  • Limit recursion depth for nested archives
  • Set timeouts for decompression operations
  • Process archives in a sandboxed environment with limited resources
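The first three developer rules above, and the metadata-analysis, controlled-decompression and recursion-limiting methods listed under Technical Detection Methods, as one added Python example (not code from the original article): the ratio is read from the ZIP headers before inflating, the bytes actually inflated are counted against a hard budget because headers can lie, and nested archives are walked only to a fixed depth. The thresholds and the in-memory test archives built by make_zip are assumptions for illustration.

```python
import io
import zipfile

# Policy thresholds: assumed values for this example, tune per deployment.
MAX_RATIO = 100                      # declared uncompressed : compressed
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # budget for bytes actually inflated
MAX_DEPTH = 2                        # archives nested deeper are rejected


class ZipBombSuspected(Exception):
    pass


def inspect_zip(data: bytes, depth: int = 0, budget=None) -> dict:
    """Walk an in-memory archive; raise ZipBombSuspected on any red flag."""
    if budget is None:
        budget = [MAX_TOTAL_BYTES]   # one budget shared by all nesting levels
    if depth > MAX_DEPTH:
        raise ZipBombSuspected(f"nested deeper than {MAX_DEPTH} levels")
    summary = {"declared": 0, "max_ratio": 0.0, "depth": depth}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # 1. Metadata check: both sizes sit in the header, known before inflating.
            ratio = info.file_size / max(info.compress_size, 1)
            summary["declared"] += info.file_size
            summary["max_ratio"] = max(summary["max_ratio"], ratio)
            if ratio > MAX_RATIO:
                raise ZipBombSuspected(f"{info.filename}: {ratio:.0f}:1")
            # 2. Budgeted inflation: headers can lie, so count the real output bytes.
            buf = io.BytesIO()
            with zf.open(info) as member:
                while chunk := member.read(64 * 1024):
                    budget[0] -= len(chunk)
                    if budget[0] < 0:
                        raise ZipBombSuspected("inflated output over budget")
                    buf.write(chunk)
            # 3. Recursion limit: a nested ZIP shares the budget, one level deeper.
            if zipfile.is_zipfile(io.BytesIO(buf.getvalue())):
                inner = inspect_zip(buf.getvalue(), depth + 1, budget)
                summary["depth"] = max(summary["depth"], inner["depth"])
    return summary


def make_zip(members: dict) -> bytes:
    """Constructed test input only: DEFLATE archive from {name: bytes}."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return out.getvalue()
```

In production the inflated member should be streamed to a scanner or to disk under the same budget rather than held in memory, and a per-archive timeout added around the whole walk.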

Microsoft's Best Practices for Handling Archives


According to Microsoft Security documentation, organizations should:

  • Implement preset decompression limits in all file processing systems
  • Configure detection for archives with compression ratios exceeding 1000:1
  • Use dedicated detection systems for archive-based threats
  • Block or quarantine suspicious archives at email and web gateways

While the classic zip bomb has become less effective against modern systems due to improved detection and prevention mechanisms, variations continue to emerge as attackers develop new techniques. By understanding how these attacks work and implementing proper safeguards, users and organizations can protect themselves from these resource exhaustion attacks.


Frequently Asked Questions

Can Zip files have viruses?
Zip files are not dangerous in themselves, but it is essential to be careful when opening files that you get from unknown sources or the internet. Some zip files contain zip bombs, malware, or other unpleasant surprises. To be sure that the file you're going to open is safe, scan it with anti-malware software.
Are zip bombs harmless?
A zip bomb makes the system non-functional, as it takes as much CPU power as possible. Even if the unzipping process completes, you will likely suffer from a lack of disk space. However, before this happens, various antivirus programs can detect the danger and alert the user about zip files that supposedly contain bombs.
How big is the biggest zip bomb?
One of the best-known zip bombs is called 42.zip. This zip file consists of 42 kilobytes of compressed data and five layers of nested zip files in sets of 16. Each lowest-level archive contains a 4.3-gigabyte file, for a total of 4.5 petabytes of uncompressed data. 1 petabyte is 1000 terabytes, much more storage space than an average computer system has. Flooding it with 4500 terabytes of data means immobilizing it.