Abstract
Client honeypots are typically implemented using some form of virtualization to contain malware encountered by the client machine. However, current virtual environments can be detected by malware in multiple ways. To detect the virtualization, the malware may execute from within a browser or may need to escape from the browser first. In many cases, detection is accomplished by a simple test. Malware can then modify its behavior based on this information. Thus, an implementation of client honeypots that does not depend on virtualization is needed to fully study malware.