
Therein lies the rub. I'm curious -- every medium or large company I'm aware of had Code Red on the inside of the firewalls. What happened this time? Did it get inside? If so, has anyone analyzed how?
I haven't seen any widespread behind-the-firewall exposure so far. I think unlike Code Red / Nimda, there are a few factors that help:

- Most people with a firewall block 1434. This is not true for port 80, as the web server is usually intended for the public.
- The worm is memory resident. Road warriors that are infected at home or while traveling are unlikely to introduce this worm into the company LAN as they come to work on Monday.
- This worm only uses port 1434 UDP. Nimda made it past a lot of firewalls and NAT devices by spreading via e-mail and web clients.

--
--------------------------------------------------------------------
jullrich@euclidian.com Collaborative Intrusion Detection
join http://www.dshield.org