* This is the modus mailing list *

Germany's most renowned computer magazine CT reports the possibility of DoS attacks against mail servers in the form of bzip2 compression bombs. Hereby large files like 2 GB (not MB) of 0-bytes are compressed into very small bzip2 files to slow the anti-virus engines of mail servers to a crawl if they have to uncompress the file to check for viruses.

The problem seems to be that bzip2 does not include any length info in the zip-header, so unpackers have to unpack "into the blue".

Original report: http://www.aerasec.de/security/advisories/txt/bzip2bomb-antivirusengines.txt

Affected versions (from the original report)
==================
* kavscanner of Kaspersky AntiVirus for Linux 5.0.1.0 (probably all versions since 4.5)
* vscan of Trend Micro InterScan VirusWall 3.8 Build 1130 (probably other versions, too)
* uvscan of McAfee Virus Scan for Linux v4.16.0 (probably other versions, too)

Perhaps software from other vendors, too.

How do the Modus AV scanning engines handle bzip2 files? As we have to run the AV scan first before the attachment scan (to avoid blocking reports to forged virus addresses), this problem may pose a serious threat to us.

Kai Fiebach
Musikhochschule Luebeck, Germany
http://www.mh-luebeck.de
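
Added example (not part of the original post and not any vendor's code): a scanner that has to unpack a bzip2 attachment before checking it can enforce an output budget while streaming, so an oversized archive is rejected after a bounded amount of work. This uses Python's standard bz2 module; bounded_bunzip2, ArchiveTooLarge, make_sample and the limits shown are names and values chosen here for illustration.

```python
import bz2
import io


class ArchiveTooLarge(Exception):
    """Decompressed output would exceed the scanner's budget."""


def bounded_bunzip2(src, sink, max_output, chunk=64 * 1024):
    """Stream bzip2 from file object `src` to callable `sink`; raise
    ArchiveTooLarge once output would pass `max_output`. Returns bytes sunk."""
    produced = 0
    decomp = bz2.BZ2Decompressor()
    while True:
        if decomp.eof:
            # bzip2 files may hold several concatenated streams.
            data = decomp.unused_data or src.read(chunk)
            if not data:
                return produced
            decomp = bz2.BZ2Decompressor()
        elif decomp.needs_input:
            data = src.read(chunk)
            if not data:
                raise EOFError("truncated bzip2 stream")
        else:
            data = b""  # decompressor still holds buffered output
        # Ask for one byte past the budget so an overrun is detectable
        # without ever inflating the rest of the stream.
        want = min(chunk, max_output - produced + 1)
        out = decomp.decompress(data, max_length=want)
        if produced + len(out) > max_output:
            raise ArchiveTooLarge(f"more than {max_output} bytes of output")
        produced += len(out)
        sink(out)


def make_sample(size):
    """Constructed test input: `size` zero bytes, bzip2-compressed."""
    return bz2.compress(bytes(size))


if __name__ == "__main__":
    sample = make_sample(8 * 1024 * 1024)
    print("compressed size:", len(sample))
    try:
        bounded_bunzip2(io.BytesIO(sample), lambda b: None, 1024 * 1024)
    except ArchiveTooLarge as exc:
        print("rejected:", exc)
```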
