Sunday, July 19, 2009

How malware collectors exchange

Hi, malware collectors of the world!

Today I will explain the basics of how malware collectors exchange, but first I must explain a few things so you understand why things are done the way they are done.

Many years ago someone (I don't know who had the idea) thought that the best way to exchange viruses was to use the logs (reports) created by antivirus products, so that everyone knew exactly what everyone else had in his collection. As antivirus products usually give a unique identification to every variant of every virus family, this was a good method. So collectors picked three different antivirus products (Dr. Solomon, F-Prot and AVP) and used the logs created with them to exchange.

Obviously it was necessary to create tools to process logs: create databases from your own logs containing the unique variants, generate reports with the stuff missing from other traders' logs, and so on. But that's material for another day.

A few years later Dr. Solomon became very slow at scanning and after a time it was dropped by collectors as a commonly used antivirus for the exchange. F-Prot was also dropped because its ability to detect unique variants decreased. So AVP remained as the only commonly used antivirus for exchanging.

Even if AVP is the best antivirus at detecting known viruses and malware, collecting using only one antivirus was not a good idea, so for a while collectors used other antivirus products from time to time to exchange: Nod32, BitDefender, AVG, McAfee, ...

Two years ago, more or less, the amount of detected malware started to increase exponentially. Since then, using several antivirus products to exchange has become a very difficult task for collectors with big collections: many hours of scanning would be required to generate the logs. That's why usually only AVP is used to exchange between big collectors.

As an anecdote, I should mention that never ever has a woman become a known virus collector, and there were only a few female virus writers, probably the best known being Gigabyte.

Every collector may have his own rules for exchanging, but everybody uses KAV 4.5 Personal Pro in English to generate the log of his collection. You can find it here.

Most collectors update the KAV definition databases from here. This is done because identification names change often: two collectors using different KAV defs may request stuff they already have. The solution to avoid this situation is to use the same defs.

Years ago collectors could generate new logs every day. Nowadays that's not possible, because the time required to scan can be up to 48 hours, if not more, depending on the hardware resources. That's why collectors now generate one log per week, so exchanges are done once a week.

Between big collectors the exchange ratio is 1:1. That means that for every file you send, you receive another. Many years ago the ratio used with small collectors might be 3:1 or a different one, depending on the trader.

Another golden rule is that the most veteran trader receives his request before sending what the other trader requested.

Personally I have the following rule: I exchange viruses/worms for other viruses/worms and malware for malware.

And that's basically how collectors exchange.

Summing up:

1) Update the KAV defs.

2) Generate a log with KAV 4.5.

3) Create a database from the log.

Then you are ready to get a log from another trader and verify whether you need anything from him. If you do, you send your log to the other trader so he can check whether he is missing something from you.

Pretty simple but effective.

It's a good idea that before starting to transfer files both traders make sure they are using the same defs.
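As an added example (not from this post or from any collector's tool), here is how the three steps and the defs check above can be implemented in Python: build the unique-variants database from a log, diff it against another trader's log, and refuse the comparison when the defs differ. The log layout, the detection names and the paths are constructed and assumed; they are not the real KAV 4.5 log format.

```python
import re
from typing import Dict, Tuple

# Constructed sample logs; the layout (a defs header, then one line per
# scanned file) is an assumption, not the real KAV 4.5 log format.
LOG_A = """Virus database: 2009-07-19
C:\\coll\\a1.exe infected: Virus.Win32.Example.a
C:\\coll\\a2.exe infected: Virus.Win32.Example.a
C:\\coll\\a3.exe infected: Worm.Win32.Sample.b
C:\\coll\\a4.exe ok
"""
LOG_B = """Virus database: 2009-07-19
D:\\vx\\b1.exe infected: Virus.Win32.Example.a
D:\\vx\\b2.exe infected: Virus.Win32.Example.c
D:\\vx\\b3.exe infected: Trojan.Win32.Sample.d
"""
DEFS_RE = re.compile(r"^Virus database:\s*(\S+)")
HIT_RE = re.compile(r"^(?P<path>.+?) infected: (?P<name>\S+)$")

def parse_log(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (defs version, {detection name: first path seen}).
    Keeping one path per name is the 'unique variants' database: a second
    file with a name already present is a duplicate and is dropped."""
    defs, db = "", {}
    for line in text.splitlines():
        m = DEFS_RE.match(line)
        if m:
            defs = m.group(1)
            continue
        m = HIT_RE.match(line)
        if m and m.group("name") not in db:
            db[m.group("name")] = m.group("path")
    return defs, db

def build_trade(my_log: str, their_log: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (what I request from them, what they request from me).
    Refuse logs made with different defs: renamed detections would make
    both sides request variants they already own."""
    my_defs, mine = parse_log(my_log)
    their_defs, theirs = parse_log(their_log)
    if my_defs != their_defs:
        raise ValueError(f"defs mismatch: {my_defs} vs {their_defs}")
    i_want = {n: p for n, p in theirs.items() if n not in mine}
    they_want = {n: p for n, p in mine.items() if n not in theirs}
    return i_want, they_want

def one_to_one_count(my_log: str, their_log: str) -> int:
    """Files each side sends under the 1:1 ratio used between big collectors."""
    i_want, they_want = build_trade(my_log, their_log)
    return min(len(i_want), len(they_want))
```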

The next blog entries will be dedicated to presenting the tools commonly used to collect and to keep the collection in good shape.
