The Challenge:

1. What is the blackhat attempting to do with his command line syntax?
2. What does the tool accomplish?
3. How does the tool work?
4. Is this tool a worm, or would you classify it as something else?
5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

Bonus Question:
What information can you obtain about who is using or created the tool?

The Results:

Writeups from the Honeynet Project members.

This month's tool is an auto-rooter, an automated to that allows individuals with only minimal skill sets to quickly scan, exploit, and control thousands of systems. It is tools like these that are causing many of the scans you are detecting.

• Max Vision's writeup for the March's Scan of the Month.

Writeup from the Security Community

This month's response was outstanding, we had 45 submissions. We tried to be as far and throrough as possible with our reviews, but please keep in mind we have real lives/jobs too, so we could not dedicate as much time as we would have liked to. Alot of the submissions had the same excellent techncial content, but some of the submissions were easier to read then others. In such cases, we selected the docs easier to read. If you feel we missed your submission, or do not understand why it was judged the way it was, drop us an email. Since we had so many submissions, we have broken the entries into three categories, Top Four, Top Ten, and Top Twenty. Entries in the Top Ten and and Top Twenty list are not listed in any specific order. Now, on to the goods!

• Andreas Schuster
• Niels Heinen
• Guillaume Filion
• Marlon Jabbur
• Jason Lee
• Steve Shockley
• wait3r
• Kris Kendall
• Catalin Ionescu
• Chad Johnston
• Adam Bernau
• Peter Kosinar
• John K. Riggleman Jr.
• Neil Desai
• Chuck Douglas
• Gregory Maxwel
• Nayfield, Rod
• Corrao Mark 1Lt 82 CS/SCB
• Derek Kwan
• Bogdan Calin