In this chapter, we introduced the concept behind client honeypots. The idea is to abandon the completely passive approach of conventional honeypots, which offer services that an attacker can exploit. Instead of passively waiting for the exploit, a client-side honeypot actively searches for malicious content. This can be achieved in different ways, and we introduced two fundamentally different methodologies. The low-interaction variant uses a signature-based approach: it searches fetched content for known malicious patterns. This has the advantage that it scales. Millions of URLs can be examined each day, searching for new trends and techniques.
In contrast, the high-interaction variants do not require signatures. Instead, these client honeypots drive a vulnerable client application, such as a web browser, and are normally installed on a vulnerable machine. We need to closely monitor the system to detect changes to it that indicate a successful exploit. Because no prior knowledge of the exploit is needed, even 0day attacks can be detected this way. Early success reports indicate that this is the case, and several research projects are currently working in this area.
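As an added example (not code from the chapter or from any of the projects it mentions), the following Python sketch puts the two strategies next to each other: a signature scan over page bodies for the low-interaction variant, and a before/after snapshot comparison of the monitored machine for the high-interaction variant. The signatures, URLs, page contents, file paths and machine states are all constructed for illustration; a real low-interaction honeypot would fetch the URLs, and a real high-interaction one would hash actual files and registry keys.

```python
"""Two client-honeypot strategies side by side (constructed example).

Low interaction: fetch content and match it against known malicious
patterns.  High interaction: let a real vulnerable client visit the URL
and detect the exploit from changes to the machine instead.
"""
import hashlib
import re

# Illustrative signatures only (made up for this example); a deployment
# would carry a curated, regularly updated signature set.
SIGNATURES = {
    "hidden_iframe": re.compile(
        r'<iframe[^>]*\b(width|height)\s*=\s*["\']?0\b', re.I),
    "invisible_iframe_style": re.compile(
        r'<iframe[^>]*style\s*=\s*["\'][^"\']*'
        r'(display\s*:\s*none|visibility\s*:\s*hidden)', re.I),
    "long_unescape_literal": re.compile(
        r'unescape\s*\(\s*["\'](?:%[0-9a-f]{2}){20,}', re.I),
    "eval_of_decoded_string": re.compile(
        r'eval\s*\(\s*(unescape|String\.fromCharCode|atob)\s*\(', re.I),
}


def scan_content(html: str) -> list[str]:
    """Low-interaction check: names of the signatures that match the content."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(html))


def triage(pages: dict[str, str]) -> dict[str, list[str]]:
    """Scan many fetched pages and return only the URLs that hit a signature.

    `pages` stands in for the fetch step (URL -> body) so the example runs
    offline; the check itself is the cheap operation that lets a
    low-interaction honeypot cover millions of URLs per day."""
    hits = {url: scan_content(body) for url, body in pages.items()}
    return {url: names for url, names in hits.items() if names}


# Constructed pages.  "drive-by" hides a zero-size iframe and evals a long
# percent-encoded string; "benign" uses an iframe and a script normally;
# "novel" does the same thing as "drive-by" with a trick no signature knows.
_ENCODED = "".join("%%%02x" % c for c in b'document.write("<iframe src=x>")')
PAGES = {
    "http://example.invalid/drive-by": (
        '<html><body><p>Welcome</p>\n'
        '<iframe src="http://example.invalid/load" width=0 height=0></iframe>\n'
        f'<script>eval(unescape("{_ENCODED}"));</script>\n'
        '</body></html>'),
    "http://example.invalid/benign": (
        '<html><body><p>Hello</p>\n'
        '<iframe src="https://example.invalid/widget" width=300 height=150></iframe>\n'
        '<script>var counter = 1;</script>\n'
        '</body></html>'),
    "http://example.invalid/novel": (
        '<html><body><script>var f = window["ev" + "al"];\n'
        'f(String.fromCharCode(100, 111, 99, 117, 109, 101, 110, 116));'
        '</script></body></html>'),
}


def snapshot(state: dict[str, bytes]) -> dict[str, str]:
    """Hash every monitored object (files, plus registry values modelled here
    as path-like keys) so that two snapshots can be compared cheaply."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in state.items()}


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Objects added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(n for n in set(before) & set(after) if before[n] != after[n]),
    }


def exploit_detected(changes: dict[str, list[str]], benign_prefixes: tuple[str, ...]) -> list[str]:
    """High-interaction check: any change outside the locations a normal
    browser visit touches anyway (cache, history) counts as evidence of a
    successful exploit, whether or not the exploit is known."""
    return sorted(n for kind in ("added", "modified", "removed")
                  for n in changes[kind] if not n.startswith(benign_prefixes))


# Constructed machine state before and after the vulnerable client visits a URL.
BENIGN_PREFIXES = ("C:/Users/hp/AppData/Local/Cache/",)
BEFORE = {
    "C:/Windows/System32/kernel32.dll": b"<unchanged system binary>",
    "C:/Users/hp/AppData/Local/Cache/index.dat": b"<old cache index>",
    "HKCU/Software/Microsoft/Windows/CurrentVersion/Run": b"",
}
AFTER_BENIGN = {**BEFORE,
                "C:/Users/hp/AppData/Local/Cache/index.dat": b"<cache index after visit>"}
AFTER_EXPLOITED = {**AFTER_BENIGN,
                   "C:/Users/hp/AppData/Local/Temp/svc0.exe": b"MZ<dropped payload>",
                   "HKCU/Software/Microsoft/Windows/CurrentVersion/Run":
                       b'svc0 = "C:/Users/hp/AppData/Local/Temp/svc0.exe"'}

if __name__ == "__main__":
    print("signature hits:", triage(PAGES))
    for label, after in (("benign visit", AFTER_BENIGN), ("exploited visit", AFTER_EXPLOITED)):
        changes = diff_snapshots(snapshot(BEFORE), snapshot(after))
        print(label, "->", exploit_detected(changes, BENIGN_PREFIXES))
```

Running it shows the trade-off the chapter describes: `triage` flags only the drive-by page, and the "novel" page slips through because no signature describes it, while the snapshot comparison needs no signature at all and reports the dropped file and the modified Run key after the exploited visit. The practical cost of the high-interaction side is the allowlist of benign churn (`BENIGN_PREFIXES`): without it, the cache write that every visit produces would look like an infection, and with it too broad, an exploit that hides in an allowlisted directory goes unnoticed.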