1.) Even after spending much time looking at it I am still unsure of its true functionality. It appears to grab all the info it can about the target machine, alter some files and send the results off. I was unable to see what exactly all the system calls and conditional loops were doing. Everything I was able to see was basically at the system call level and observed filesystem changes. This gave me a vague sense of what was happening but no real understanding of the contents of the reads, writes and socket calls. See the analysis section for ltrace and Linux Trace Toolkit output.

In general the purpose is to allow remote execution of code on a previously compromised machine. It opens a socket and waits. A properly formatted message will result in the execution of code on the machine. Most likely the message gives the code to be executed. The test data released for the challenge resulted in a large number of files being read. The filesystem was modified. Another socket was created, most likely to communicate the results of the data collected. It seems related to RPC, from the strings contained in the binary and strings in the network output it generates. See analysis for details on which files are opened.

2.) I cannot determine the limits of what it has modified on the running system. It appears to read and gather information from numerous local config files. I am also unsure of its limitations for accepting instructions to run and the output it can generate.

3.) I was unable to determine the encoding scheme.

4.) The test network traffic from the target machine showed some strings with rpcinfo output in them. Snort rules could be generated to detect these strings and generate a warning.
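As an added illustration of the detection idea above (not part of the original submission, which does not quote the exact strings it observed), the following Snort 2 rules alert when text resembling standard `rpcinfo -p` output leaves a host on the monitored network. The matched strings are assumed from the usual `rpcinfo -p` header and portmapper registration line; the direction and $HOME_NET/$EXTERNAL_NET variables are the standard Snort defaults.

```snort
# Added example rules, not from the submission. Matched content is assumed
# from the standard output of `rpcinfo -p`:
#    program vers proto   port
#     100000    2   tcp    111  portmapper
# Rule 1: the rpcinfo -p column header seen in an established TCP stream
# leaving the monitored network.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"POLICY rpcinfo -p header in outbound traffic"; \
    flow:established; \
    content:"program vers proto   port"; nocase; \
    classtype:policy-violation; sid:1000001; rev:1; )

# Rule 2: the portmapper's own registration line; "portmapper" must appear
# within 40 bytes after the program number 100000 to limit false matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"POLICY rpcinfo -p portmapper line in outbound traffic"; \
    flow:established; \
    content:"100000"; content:"portmapper"; within:40; \
    classtype:policy-violation; sid:1000002; rev:1; )
```

Tune the content strings to what the captured traffic actually contains, since rpcinfo output formatting varies between versions.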

5.) It is stripped and statically linked. It forks repeatedly. I was unable to debug it with gdb or fenris, although this failing may have more to do with my unfamiliarity with debugging. I found objdump, ptrace and the Linux Trace Toolkit the most useful.

6.) The libraries used by this binary matched Google searches for two programs: Safeload and an inetd in lrk4. My lack of understanding of the specifics of this program prevents me from making further comparisons.