Over the weekend of May 2, 2003, content on one of the ISS X-Force's honeypot research servers was modified by USG. This server, X-Force Internet Watch (http://xfiw.iss.net/), was a publicly available web server on the Internet. The server's official and publicly promoted purpose was to make available to university students a free version of BlackICE PC Protection. The X-Force Internet Watch server was specifically selected to be a honeypot because of the association with university students and the well-known fact that students actively hack systems. The server was configured to include numerous vulnerabilities, including several well-known, older vulnerabilities.
The X-Force immediately identified the activity and initiated detailed monitoring. Once the X-Force completed this monitoring, the honeypot server was disabled to perform standard X-Force malware analysis. As is typical, this activity has resulted in the identification of new hacking tools. The X-Force is currently finalizing their investigation and working to include added protection in upcoming XPUs for our products. Once the X-Force has completed their investigation, the X-Force Internet Watch server will be made available, but will no longer serve as a honeypot.