Watcher

[NoahGWood]

It appears 'watcher' is a headless packet sniffer used for spying.
The first few lines makes calls to /lib64/ld-linux-x86-64.so.2 to find a process ID; next it makes a call to libc.so.6 where it opens up some sort of connection, either to localhost or to a remote server (further disassembly required).

this program was probably written in 2002 or so (judging by the glibc version), definitely before 2011 as libc.so.6 stopped being hard-coded after that afaik.

The strings that give it away as a sniffer are:

monitor_type
set_prismhdr
forceprismheader
forceprism
prismhdr
rfmontx
monitor

[Atavic]

#34 (comment)

[ThisLimn0]

I've looked at watcher-linux-x86_64_v.3.1.0.1 and watcher-linux-x86_64_v.3.3.0.1

they seem to be stealthy network traffic sniffer agents that run as daemons, they capture from a specified interface in promiscuous mode, process /encode the data and either send the data to a remote server or log it locally.

Differences between 3.1.0.1 and 3.3.0.1:

Raw socket setup: v3.1.0.1 opens a legacy raw socket with socket(AF_INET, SOCK_PACKET(10), 0x300), binds by interface name using a sockaddr with sa_family=0 and the name in sa_data, then calls bind().
It toggles promiscuous mode via ioctl(SIOCGIFFLAGS/SIOCSIFFLAGS) setting IFF_PROMISC (0x100), special-cases kernel “2.0” to bump capture size to MTU+256, and uses no ring buffer or BPF, relying on the kernel socket buffer to capture everything.
v3.3.0.1 switches to the modern packet socket, creating socket(AF_PACKET, SOCK_RAW or SOCK_DGRAM, protocol) (and SOCK_STREAM in TCP mode) based on a mode flag, enabling UDP-based capture/send that v3.1.0.1 did not have.
It enables promiscuous mode via PACKET_ADD_MEMBERSHIP(PACKET_MR_PROMISC), sets up a PACKET_RX_RING, attaches a BPF with SO_ATTACH_FILTER from a built-in sock_fprog, and makes the socket non-blocking with fcntl() with an efficient select() loop.

Data Encoding & Security:
Both versions post-process captured packets by Base64-encoding them and applying keyed cryptography before output.
In v3.1.0.1, network mode assembles and sends the encrypted message over TCP, while logging mode writes timestamped records to a local file.
v3.3.0.1 strengthens by embedding the crypto context, deriving 256-bit session keys, encrypting the payload with proper padding/IV handling, and zeroizing key material after use. v3.1.0.1 uses heap memory for crypto buffers, v3.3.0.1 moves this into static buffers inside its structure.
v3.3.0.1 has a cleanup logic to remove promiscuous mode and possibly other interface settingss on exit as a stealth measure.

Data Transmission: Both versions primarily transmit to a remote server over TCP, but the newer build adds broader transport and connection control.
In v3.1.0.1, the watcher always opens a TCP socket with socket(AF_INET, SOCK_STREAM, 0), applies a single ambiguous setsockopt(fd, SOL_SOCKET, 13), connects to the server sockaddr stored at struct offset 0x28, sends via a custom wrapper, then performs shutdown(SHUT_WR), waits for a 1-byte acknowledgment from the server, and closes the descriptor.
v3.3.0.1 chooses the socket type in a function based on a parameter, creating either a TCP (SOCK_STREAM) or UDP (SOCK_DGRAM) socket, which enables operation in connectionless environments and adds flexibility for egress.
It also supports explicit source binding using two sockaddr slots, offset 0x28 for the local endpoint and 0x38 for remote.
Additional behavior in v3.3.0.1 includes conditional SO_REUSEADDR/SO_REUSEPORT for UDP, low-latency TCP options such as TCP_NODELAY in stream mode, a send path that mirrors v3.1.0.1 or integrates with its encryption stage, and a post-send acknowledgment check implemented with select() (10-second timeout) followed by a 1-byte read() to prevent indefinite blocking prior to close.

tl;dr All core capabilities from v3.1.0.1 persist in v3.3.0.1, the changes are mostly improvements, hardening and additions in functionality.