Friday, September 4, 2009

Hi, malware collectors of the world. I hope you have had nice holidays!

After a holiday break, the blog's activity resumes.

Today's entry discusses how many collections you should keep and what kinds of trader you can be.

I suggest you build two malware collections:

Collection number one is the collection you use to exchange with other collectors. It must contain only unique samples, that is, one file for each uniquely identified malware, virus, worm or whatever. We will call this collection the 'trading collection'.

Collection number two contains all the malware samples you have obtained minus the samples that are already in collection number one. We will call this collection the 'main collection'.

You should scan the trading collection and produce a new log of it weekly. Depending on the size of this collection and the hardware you use, it should not take more than a few hours to scan.

The main collection, depending again on its size and your hardware, will take much longer to scan than the trading collection. You will have to evaluate how long a scan of the main collection takes and decide how often you want to scan it.

The objective of scanning the main collection is to find new unique malware samples and move them into the trading collection.

There are two types of malware collector: the traditional collector, who only exchanges new unique samples, and the collector who exchanges samples using a hash to know whether a sample is new to him.

In the first case, the collector who exchanges unique samples uses the KAV log to know what he has in his collection and what he is missing from other traders' logs.

In the second case, the collector does not need to produce KAV logs because he uses MD5, SHA-1 or any other hash to exchange. This kind of collector does not need both a trading and a main collection; he would only build a main collection.

Mostly you will meet traditional collectors, people who exchange unique samples using a KAV log. Some of them will also accept hash trades. The problem with hash trades is the amount of information that must be exchanged: doing hash trades over the internet will be really difficult.
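The two-collection workflow above (one file per detection name in the trading collection, everything else in the main collection) and the hash-trade diff described in the last paragraphs can both be automated with a short script. The following is an added example, not code from the original post. It works on constructed stand-in files (harmless byte strings, not real samples) and a hypothetical verdict table that stands in for a KAV log, since the post does not give the log format; everything else is plain standard-library Python.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in "samples": file name -> bytes. These are harmless strings,
# used only so the script runs offline.
SAMPLE_FILES = {
    "a.bin": b"abc",
    "b.bin": b"abc",              # byte-identical to a.bin: a hash trade would reject it
    "c.bin": b"",
    "d.bin": b"another payload",
    "e.bin": b"unscanned",
}

# Hypothetical scanner verdicts (a stand-in for a KAV log): file name -> detection name.
# a.bin and d.bin differ in bytes but share a detection name, which models the
# "same virus, different carrier file" situation raised in the comments.
DETECTIONS = {
    "a.bin": "Example.Worm.A",
    "b.bin": "Example.Worm.A",
    "c.bin": "Example.Trojan.B",
    "d.bin": "Example.Worm.A",
}


def build_sample_dir():
    """Write the constructed files into a fresh temporary directory and return its path."""
    directory = Path(tempfile.mkdtemp(prefix="collection_"))
    for name, data in SAMPLE_FILES.items():
        (directory / name).write_bytes(data)
    return directory


def sha256_of(path):
    """Hash a file in chunks so large samples do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def split_collections(directory, detections):
    """Return (trading, main).

    trading maps each detection name to exactly one file (the first seen in sorted
    order); main lists every other file, including files the scanner did not flag.
    """
    trading = {}
    main = []
    for path in sorted(Path(directory).iterdir()):
        label = detections.get(path.name)
        if label is not None and label not in trading:
            trading[label] = path
        else:
            main.append(path)
    return trading, main


def all_hashes(directory):
    """Hash-trade view of a collection: SHA-256 digest -> file path (duplicates collapse)."""
    return {sha256_of(p): p for p in sorted(Path(directory).iterdir())}


def missing_hashes(mine, theirs):
    """Digests the other collector lists that are absent from my collection."""
    return set(theirs) - set(mine)


if __name__ == "__main__":
    folder = build_sample_dir()
    trading, main = split_collections(folder, DETECTIONS)
    print("trading collection:", {k: v.name for k, v in trading.items()})
    print("main collection:", [p.name for p in main])
    index = all_hashes(folder)
    print("distinct files by hash:", len(index))
    # Constructed partner list: one digest we have, one we lack.
    partner = [sha256_of(folder / "a.bin"), "00" * 32]
    print("hashes to request:", missing_hashes(index, partner))
```

Note the two views disagree on purpose: by detection name the five files collapse to two unique entries, while by hash they collapse to four, which is exactly the quality-versus-quantity difference the comments below discuss.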

See you soon!

2 comments:

  1. Interesting idea, but there's a thing I don't understand: how does the hash work? I mean, from what it is calculated, the name of the malware (hence from an antivirus log) or simply from the infected file?

    If we are talking about worms and trojan horses there is no doubt here - the hash is calculated from the file itself. But for file viruses (aka "file infectors") this hash thing puzzles me...

  2. The hash is calculated from the bytes contained in the file as you comment and I understand your doubt about viruses.

    Collectors that trade using a hash do not really care about the "quality" of what they get. Instead they are more interested in the "quantity". So if they get multiple copies of the same virus they don't really care.
