Trojan-ArcBomb

These Trojans are archives crafted so that an attempt to unpack them freezes or slows the system, or floods the disk with a huge volume of "empty" data. So-called archive bombs are a particular threat to file and mail servers that process incoming data automatically (a gateway that unpacks every attachment for scanning, for example): a single archive bomb can exhaust the server's memory or disk and simply crash it.

Trojans of this type use three kinds of "bomb":

  • malcrafted archive headers
  • repeating data
  • identical files in the archive.

Malcrafted archive headers or corrupted data in an archive can cause a specific unpacker, or the decompression algorithm it implements, to crash while processing the archive contents. The sizes declared in such headers cannot be trusted either, so an unpacker that relies on them to decide how much output to expect can be misled; the only reliable figure is the number of bytes actually produced during decompression.

A large file made up of repeating data compresses to a tiny fraction of its size, so it can be packed into a very small archive: 5 GB of such data fits into a 200 KB RAR or a 480 KB ZIP archive, a ratio of well over 10,000:1. Unpacking it without a limit on total output fills the disk long after the archive itself has passed any size check.

A large number of identical files in an archive likewise adds very little to the archive's size when they are packed using special methods (for example, there are ways to pack 10100 identical files into a 30 KB RAR or a 230 KB ZIP archive). Here the cost is not only disk space but the number of file-system operations and scanner invocations the unpacker performs, so the entry count must be bounded as well as the output size.
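The three bomb types above map onto three checks a safe unpacker needs: reject archives whose headers do not parse, bound the declared size and compression ratio before unpacking, bound the entry count, and, because headers can lie, count the bytes actually produced and abort once a budget is exceeded. The following is an added example written for this page, not code from the original text or from any product; it handles ZIP only (the standard-library module), builds its own sample archives in memory (a constructed "repeating data" bomb of two 16 MiB zero-filled files beside a benign archive of small random files), and the limit values in `check_archive` are illustrative policy choices, not figures from the page.

```python
import io
import os
import zipfile


class ArchiveBombError(Exception):
    """Raised when an archive violates the unpacking policy."""


def build_zip(entries):
    """Build an in-memory ZIP (deflate, level 9) from a {name: bytes} dict.

    Used only to construct sample input here; a real bomb arrives from outside.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def inspect_headers(data):
    """Return (entry_count, declared_total, ratio) from the central directory.

    These numbers come from attacker-controlled headers, so they are only a
    cheap first gate: a malcrafted header can understate or overstate sizes.
    A malformed central directory is rejected outright.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile as exc:
        raise ArchiveBombError(f"malformed archive: {exc}") from exc
    declared = sum(i.file_size for i in infos)
    stored = sum(i.compress_size for i in infos)
    if stored == 0:
        ratio = 0.0 if declared == 0 else float("inf")
    else:
        ratio = declared / stored
    return len(infos), declared, ratio


def stream_unpack(data, budget, chunk=64 * 1024):
    """Decompress every entry in chunks, counting bytes actually produced.

    Aborts as soon as the running total passes `budget`, so a bomb costs at
    most `budget` bytes of work regardless of what its headers claim.
    Returns the byte count; this example discards the data, while a real
    unpacker would write each chunk out and keep the same counter.
    """
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                while True:
                    buf = fh.read(chunk)
                    if not buf:
                        break
                    produced += len(buf)
                    if produced > budget:
                        raise ArchiveBombError(
                            f"output exceeded {budget} bytes while unpacking {info.filename}")
    return produced


def check_archive(data, max_entries=10_000, max_total=64 * 1024 * 1024, max_ratio=100):
    """Apply all gates: header sanity, entry count, declared size and ratio,
    then the measured size during streaming. Limits are assumed policy values."""
    count, declared, ratio = inspect_headers(data)
    if count > max_entries:
        raise ArchiveBombError(f"{count} entries exceeds limit of {max_entries}")
    if declared > max_total:
        raise ArchiveBombError(f"declared size {declared} exceeds {max_total}")
    if ratio > max_ratio:
        raise ArchiveBombError(f"compression ratio {ratio:.0f}:1 exceeds {max_ratio}:1")
    return stream_unpack(data, max_total)


# Constructed samples: two 16 MiB zero-filled files (the "repeating data"
# bomb) versus three small random files, which barely compress at all.
BOMB = build_zip({f"data{i}.bin": b"\0" * (16 * 1024 * 1024) for i in range(2)})
BENIGN = build_zip({f"file{i}.bin": os.urandom(4096) for i in range(3)})

if __name__ == "__main__":
    print(f"bomb archive is {len(BOMB)} bytes; headers report {inspect_headers(BOMB)}")
    for name, sample in (("benign", BENIGN), ("bomb", BOMB)):
        try:
            print(name, "accepted,", check_archive(sample), "bytes unpacked")
        except ArchiveBombError as exc:
            print(name, "rejected:", exc)
```

The same three gates apply to RAR and other formats, but those need a third-party library; the important design point is that `stream_unpack` never trusts `file_size` from the header, so an archive whose headers understate the payload is still cut off at the budget, and the ratio gate catches the repeating-data case even when the declared total looks modest. Nested archives (an archive inside an archive) should be counted against the same budget rather than unpacked recursively without limit.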