VCM4: Raiders of the lost ark-ive
by VirusBuster
What is the mystery of the ark-ive? What does it contain?
The secret is now unveiled... the ark-ive has a virus trading etiquette.
Once upon a time in a cyberland, far, far away... well, not so far away: it was in #virus on EFnet, where a group of virus collectors used to meet on IRC to exchange viruses. They (Poltergst, ShadSeek, Galar, omega666, jtr, Daniele Fogazzi, ..) initiated what we know nowadays as virus trading, and they were the first "virus collectors" as we understand that term today.
At that time, around 1993-1994, the main antivirus used for exchanging was F-Prot. Dr. Solomon was also popular and AVP was the new kid on the block. The tool used for exchanging was Poltergst's VirSort, which had just five or six functions.
F-Prot used to update every week, not daily as happens now, and "false positives" were something collectors knew about, but "fakes" were not.
Everything was fun and happiness for collectors.
New collectors were accepted and helped by older collectors, who gave them nice ratios. Nobody was banned for no reason, at least when Retch was not having his period. }:->
What has changed since those times? That is open to discussion, but my opinion is that for some collectors virus collecting became a competition to see who had more unique samples, and that fucked the fun. I remember how some people who used to be friendly changed when they learned I had Uruguay #10 and they could not get it from me.
Apart from that, nowadays there are several factors that make virus trading a bit more complicated than it used to be, such as daily antivirus updates and fakes.
For some time now virus collectors have needed, let's call it, a "virus trading etiquette": a set of rules to make trades better and easier.
This document is intended to be a set of suggestions, not rules, but if all collectors follow them, things will work much better.
Section 1: Antivirus
Most of the time, when you receive your request you notice that one or more samples are not detected, or are detected under another name; this means you are getting samples you may not need. Why does it happen? There are several explanations: different antivirus signatures, different command lines, ...
How to solve this situation?
All collectors should try to use the same antivirus signatures. This means everybody should update on the same day of the week and not update on any other day. Friday, after KAV's weekly update has been released, seems to be the best option.
It is also necessary that all collectors use the same command line to run KAV. The right one would be:
AVP32 /S /W /Q C:\PATH
Due to the different time zones and the fact that KAV updates its signatures really often, it may happen that when a collector updates KAV, a daily update has just been released. How to solve this? Replace daily.avc with an empty one; that way only the weekly update is used. (An empty daily.avc is included in this zine.)
On your site, or wherever you post your logs, make clear when they were created. Giving this information will save some downloads.
Section 2: Fakes
It gets on my nerves that known fakes have been floating around in virus collections for years. People delete them from their collections using e.g. Fake Scanner, and two weeks later they have the fakes again.
How to solve this situation?
Run a fake-removal tool over the whole collection once, and then run the tool (updated with the latest fake definition database) over every request received.
That way, in a matter of weeks, all known fakes would disappear from virus collections.
If you keep getting fakes from the same collector, it may mean he is not removing fakes, and you should stop trading with him.
Section 3: Ratios and exchanges
What is the best ratio?
That is something every trader must decide. My suggestion is to trade 1:1 with most collectors and only use higher ratios with trustworthy new collectors.
What is the best way to trade?
If you consider that trading viruses and worms for malware is OK, go on. I suggest you exchange viruses for viruses and malware for malware.
Section 4: Public collection vs. private collection
Some years ago the situation was chaotic. There were collectors who used to have up to three logs: public, nosend and rare nosends. But the funny thing was that they were exchanging everything anyway.
One day, after talking with most of the main collectors, I decided it was time to stop that masquerade: collectors must put all tradeable stuff into one single log. Any stuff they cannot trade (real nosends) should be kept apart.
Logic prevailed, and since then traders have been using just one log.
Well, there are still traders who keep an additional log with stuff they call "nosends" but are willing to trade. Do not get it wrong: if it can be traded, it is not a "nosend".
If you receive samples on the condition that you do not share them, think twice before accepting. If you accept, you cannot trade them, neither in two weeks nor in one year. Keeping your word is the way to be respected by other people: Rome does not pay traitors.
Section 5: Unclear and other situations
If you are not sure about something, the best thing you can do is ask old collectors for advice. If you consider that you have been fooled by another collector, pass the word among traders so that other collectors are not fooled.