I've done some searching, and I have only found one that does some dns spoofing so far, you also have to be a paid member. If your not following what I'm talking about, in loose dns configurations your firewall might let these packets bypass your firewall. One thing I should say is I haven't seen this used in the wild, but who's the say that it hasn't been used against others? Think of how many more computers would be infected, even possibly through hardware firewalls if the rpc worm always used udp: 53 for the remote listening connection. Examples: If it wasn't restricted by locals ports, and remote addresses it could contact any udp port(0-65535!) on your computer just by using a certain port on their end. If your firewall leaks this much then it sucks, or its not configured correctly. Its usually the latter... UDP Site.Scan: 53 -> Your.IP: 135 Allowed - INFECTED w/out patch UDP Site.Scan: 53 -> Your.IP: 1027 Allowed - Possible messenger spam UDP Dns.Srv: 53 -> Your.IP: 1031 Allowed - Normal DNS traffic Lets say they restrict it to the common local ports, but not by ip address still. They can now scan the udp range of 1024-5000. This would likely be your standard application based firewall. UDP Site.Scan: 53 -> Your.IP: 135 Blocked UDP Site.Scan: 53 -> Your.IP: 1027 Allowed - Possible messenger spam UDP Dns.Srv: 53 -> Your.IP: 1031 Allowed - Normal DNS traffic Now you finally restrict it to the local port range, and your dns servers. UDP Site.Scan: 53 -> Your.IP: 135 Blocked UDP Site.Scan: 53 -> Your.IP: 1027 Blocked UDP Dns.Srv: 53 -> Your.IP: 1031 Allowed - Normal DNS traffic Some have stated that they have gotten messenger spam from any listening port of svchost.exe including the ports in the local range, but don't dwell on that please. I'm only stating what I have read elsewhere... If anyone knows of any free online scanners that will use dns spoofing that would be great since I'm having trouble finding any to prove to others how their simple application based software firewall is leaking. This is something that has been known for a long time, and I'm willing to bet that many simple configuration firewalls, even many user configurations won't pass this test. The 1024-5000 range isn't as dangerious as what could be listening on the lower ports like 135, but its still possible it could be used in some way through a listening program.