Honeypot Clients (HoneyClients), HoneyC, Shelia, The Strider HoneyMonkey Project (Microsoft)

Leading honeypots emulate servers and services: they act as servers and wait passively to be attacked. HoneyClients are another type of honeypot, one that actively searches for malicious servers that attack clients. Many malicious web servers host exploits targeted at specific web browsers. Once a web client connects to the malicious web site, the site can download and install malware on the victim's machine. HoneyClients crawl websites, determine through various methods which sites attack the web browser, and download the malware for analysis.

Leading HoneyClients are:


HoneyC

HoneyC is a low-interaction client honeypot (honeyclient) that identifies malicious servers on the web. Instead of using a fully functional operating system and client to perform this task (which is what high-interaction client honeypots, such as Honeymonkey or Honeyclient, do), HoneyC uses emulated clients that solicit as much of a response from a server as is necessary for analysis of malicious content. HoneyC is expandable in a variety of ways: it can use different visitor clients, search schemes, and analysis algorithms.
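The three pluggable stages described above (search scheme, emulated visitor client, analysis algorithm), sketched as an added example that is not HoneyC's own code. The URLs, response bodies, rule names and patterns are constructed for illustration, and the visitor reads from an in-memory table instead of the network.

```python
import re
from dataclasses import dataclass

# Constructed responses standing in for what an emulated visitor would fetch.
SAMPLE_RESPONSES = {
    "http://benign.example/": "<html><body><h1>Welcome</h1></body></html>",
    "http://hidden-frame.example/":
        '<html><iframe src="http://x.example/a" width="0" height="0"></iframe></html>',
    "http://packed-script.example/":
        "<script>document.write(unescape('%3C%73%63%72%69%70%74%3E'))</script>",
}

# Hypothetical analysis rules (not HoneyC's signature set): name -> regex on the body.
RULES = {
    "zero-size-iframe": re.compile(
        r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0\b", re.I),
    "unescape-document-write": re.compile(
        r"document\.write\s*\(\s*unescape\s*\(", re.I),
}

@dataclass
class Verdict:
    url: str
    matched: list

def search_scheme(seed_urls):
    """Search scheme: here a fixed seed list, de-duplicated in order."""
    seen = set()
    for url in seed_urls:
        if url not in seen:
            seen.add(url)
            yield url

def visitor(url, responses=SAMPLE_RESPONSES):
    """Emulated client: returns the raw body; nothing is rendered or executed."""
    return responses.get(url, "")

def analyse(url, body, rules=RULES):
    """Analysis algorithm: static pattern match over the raw response."""
    return Verdict(url, sorted(n for n, rx in rules.items() if rx.search(body)))

def run(seed_urls):
    """Wire the three stages together and return one verdict per URL."""
    return [analyse(u, visitor(u)) for u in search_scheme(seed_urls)]

if __name__ == "__main__":
    for v in run(list(SAMPLE_RESPONSES)):
        print("SUSPICIOUS" if v.matched else "clean     ", v.url, v.matched)
```

Because the response is only pattern-matched and never executed, this style of client is fast and safe to run, but it misses content that a real browser would only reveal at run time, which is the gap high-interaction honeyclients cover.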


Shelia

Shelia is an intrusion detection system for the client side. It comes with a client emulator that scans through a mail folder specified on the command line. Typically, this would be the spam folder. In this folder, the client emulator is capable of following every URL and opening every attachment.

The Strider HoneyMonkey Project (Microsoft)

Strider HoneyMonkey is a Microsoft Research project to detect and analyze Web sites hosting malicious code. The intent is to help stop attacks that use Web servers to exploit unpatched browser vulnerabilities and install malware on the computers of unsuspecting users.
