:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ::::::[ Porting Anti-Techniques to Linux ]:::::::::::::::::::::::::::::: ::::::[ by Perforin - [vxnetw0rk] ]:::::::::::::::::::::::::::::: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ::::::[ Intro ]::::::::::::::::::::::::::::::::::::::::::::::::::::::::: I wonder why there's no more *NIX malware around. And if you get to see *NIX malware code you are likely to see no Anti * Techniques. Cmon guys let's change this. Here's one popular technique to avoid interception by certain tools like Wireshark, tcpdump ... This routine checks the name of all running windows in your session against a blacklisted name. :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ::::::[ Code ]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::: #include #include /* * Simple Anti-Tool Engine * * Uses window title identification to spot tools like Wireshark... * * * Compiling: gcc xanti.c -o xanti -lX11 * * by Perforin - vxnetw0rk * */ int main (void) { int numkids, i, mapped, screen; char *win_name; char *blacklist = "wireshark"; Window r, p, *kids; XWindowAttributes attr; Window root; Display *dips; dips = XOpenDisplay(0); screen = DefaultScreen (dips); root = RootWindow (dips, screen); XQueryTree (dips, root, &r, &p, &kids, &numkids); for (i = 0; i < numkids; i++) { XGetWindowAttributes (dips, kids[i], &attr); if (!XFetchName (dips, kids[i], &win_name)) { XFree (win_name); } else if (win_name) { if (strcmp(win_name, blacklist) == 0) { printf ("%s is running!\n", blacklist); exit(0); } else { XFree (win_name); } } } } :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ::::::[ Outro ]::::::::::::::::::::::::::::::::::::::::::::::::::::::::: This technique is often used by windows malware. We could also check for blacklisted processes... that's no big deal. For this technique the code above is not even necessary. We could do this with build-in tools. xprop -name "Wireshark" It returns an error if wireshark is not running. You gotta love *NIX :) I hope to see a progress in *NIX malware because it _is_ the future. Smartphones, Tablets, Arduino, stereos, TV's and for gods sake they already connected coffe machines to the LAN. Most if not everything I mentioned here runs on some *NIX based OS. The time has come to write more *NIX malware. I promise you that this will be fun! :D Greetings Perforin