Re: [ISN] .zip files putting the zap on antivirus products

From: InfoSec News (isn@private)
Date: Fri Feb 13 2004 - 06:19:26 PST


    Forwarded from: Russell Coker <russell@private>
    
    On Thu, 12 Feb 2004 23:44, InfoSec News <isn@private> wrote:
    > Forwarded from: Cuadros Alvaro <acuadros@private>
    >
    > I wouldn't consider that as a serious problem. Zipping (compressing)
    > a file has its limits; you can not compress beyond what the
    > compression algorithms allow you to. Just try to zip or rar a file
    > 20 times, the result is going to be the same at the end as the
    > one you had in the third round.
    
    It is a serious problem.  Files comprised of only zeros compress
    really well.  The compression ratio is determined by the block size
    for run length compression and the size of the encoded blocks.  A
    quick test with gzip (which AFAIK implements similar algorithms to
    zip) compressed 100M of zeros to just under 100K (better than 1024:1
    compression).
    
    For business email 5M-10M attachments are common, such attachments
    would permit 5G or 10G of compressed data.  Many virus scanners don't
    have 10G of disk space free.  Also most virus scanners are configured
    to scan messages in parallel, so if 50 messages with 10G of compressed
    data were sent through at the same time it will probably stop any
    anti-virus system.
    
    I also did a test of bzip2 compression, it compressed 100M of zeros to
    120 bytes...
    
    -- 
    http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
    http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
    http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
    http://www.coker.com.au/~russell/  My home page
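
Added example (not part of the original message, and not any scanner's own code): a decompression routine a mail scanner could use to cap how far a gzip or bzip2 attachment may expand, which is the failure mode described in the reply above. The limits max_output and max_ratio and the 10 MiB constructed sample of zeros are assumptions chosen for illustration.

```python
import bz2
import gzip
import zlib

CHUNK = 64 * 1024  # most output accepted from one decompress() call


class ExpansionLimitExceeded(Exception):
    """The stream expanded past the scanner's budget."""


def bounded_decompress(data, fmt, max_output=1 << 20, max_ratio=100):
    """Decompress gzip or bzip2 data, aborting once a budget is exceeded.

    max_output and max_ratio are illustrative policy values (assumptions).
    """
    if fmt == "gzip":
        d = zlib.decompressobj(wbits=31)  # wbits=31: gzip header and trailer
    elif fmt == "bzip2":
        d = bz2.BZ2Decompressor()
    else:
        raise ValueError("unsupported format: " + fmt)
    out = bytearray()
    buf = data
    while True:
        chunk = d.decompress(buf, CHUNK)  # never more than CHUNK bytes back
        out += chunk
        if len(out) > max_output or len(out) > max_ratio * len(data):
            raise ExpansionLimitExceeded(
                "%d bytes in, at least %d bytes out" % (len(data), len(out)))
        if d.eof:
            return bytes(out)
        # zlib hands back unread input; bz2 keeps it buffered internally.
        buf = d.unconsumed_tail if fmt == "gzip" else b""
        if not chunk and not buf:
            raise ValueError("truncated stream")


# Constructed sample input: 10 MiB of zeros, a scaled-down version of the
# 100M test described in the message.
ZEROS = bytes(10 * 1024 * 1024)
GZIP_SAMPLE = gzip.compress(ZEROS)
BZIP2_SAMPLE = bz2.compress(ZEROS)

if __name__ == "__main__":
    for fmt, blob in (("gzip", GZIP_SAMPLE), ("bzip2", BZIP2_SAMPLE)):
        try:
            bounded_decompress(blob, fmt)
        except ExpansionLimitExceeded as exc:
            print(fmt, "rejected:", exc)
```

Because the output is pulled in 64 KiB pieces and checked after each one, the routine never holds much more than max_output bytes, however large the attachment would become if fully expanded.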
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Feb 13 2004 - 10:09:11 PST