Analysis of Exploits

Now let’s talk about some interesting malware that we discovered while operating honeyclients, along with some of the difficulties in detecting it.

Most malware appears to be financially motivated. Accordingly, many of the new malware variants we saw were gaming trojans, which send the user's game account credentials to the attacker's machine. Another type we saw often was banking trojans, which give the attacker access to the victim's online banking credentials. But we have even seen politically motivated malware, where the attackers attempt to evangelize their political message by installing and/or printing HTML files on the user's desktop.

Perhaps the most interesting example of malware we've seen is one that detects that we're running it under VMware and proceeds to shut down the guest operating system within seconds, before the honeyclient can record anything useful. Plenty of malware has the ability to detect virtual platforms such as VMware. Are there other honeyclient implementations that utilize different virtualization platforms? This leads us to the next section.
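The VMware-aware sample above is not described in detail, so here is an added example (not code from Beautiful Security or from any honeyclient project) of the simplest kind of check such malware performs: looking at hardware identifiers that a stock VMware guest exposes to user mode. The MAC OUIs and DMI strings are real VMware values; the function names, the scoring scheme and the sample inputs are this example's own, and the sample inputs are constructed.

```python
"""Spotting a VMware guest from user-mode artifacts.

Added example, not from the book or any honeyclient project. It shows why a
honeyclient that runs on an unmodified VMware guest is easy for malware to
recognise: the virtual hardware carries VMware's name in several places.
"""
import glob
import os
import re

# IEEE OUIs registered to VMware, Inc. Virtual NICs get one of these
# prefixes unless the operator overrides the MAC in the VM configuration.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

# Substring found in SMBIOS/DMI vendor and product strings of a stock guest
# (e.g. sys_vendor "VMware, Inc.", product_name "VMware Virtual Platform").
VMWARE_DMI_MARKER = "vmware"


def mac_oui(mac):
    """Return the first three octets of a MAC address as 'xx:xx:xx', or None.

    Accepts ':' or '-' separators and any letter case; rejects malformed input.
    """
    norm = mac.strip().lower().replace("-", ":")
    if not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", norm):
        return None
    return norm[:8]


def vmware_indicators(macs, dmi_fields):
    """Return the list of artifacts that give VMware away.

    macs:       iterable of MAC address strings from the guest's interfaces
    dmi_fields: {field-name: value} read from the guest's DMI/SMBIOS tables
    Each hit names the artifact so an operator knows exactly what to hide.
    """
    hits = []
    for mac in macs:
        oui = mac_oui(mac)
        if oui in VMWARE_OUIS:
            hits.append(f"mac-oui:{oui}")
    for field, value in dmi_fields.items():
        if VMWARE_DMI_MARKER in value.lower():
            hits.append(f"dmi:{field}")
    return hits


def is_vmware_guest(macs, dmi_fields):
    """True if any VMware artifact is present (what malware acts on)."""
    return bool(vmware_indicators(macs, dmi_fields))


def collect_linux_artifacts():
    """Read the same artifacts from a live Linux system via sysfs.

    Returns (macs, dmi_fields); both are empty where sysfs is unavailable,
    so the function is safe to call on any platform.
    """
    macs = []
    for path in glob.glob("/sys/class/net/*/address"):
        try:
            with open(path) as fh:
                macs.append(fh.read().strip())
        except OSError:
            continue
    dmi = {}
    for field in ("sys_vendor", "product_name", "board_vendor", "bios_vendor"):
        try:
            with open(os.path.join("/sys/class/dmi/id", field)) as fh:
                dmi[field] = fh.read().strip()
        except OSError:
            continue
    return macs, dmi


# Constructed sample inputs (not captured data): a stock VMware guest and a
# machine with a locally administered MAC and non-VMware DMI strings.
SAMPLE_VMWARE = (
    ["00:0c:29:4a:8b:1e", "00:00:00:00:00:00"],
    {"sys_vendor": "VMware, Inc.", "product_name": "VMware Virtual Platform"},
)
SAMPLE_PHYSICAL = (
    ["02:42:ac:11:00:02"],
    {"sys_vendor": "Example Hardware Co.", "product_name": "Workstation"},
)

if __name__ == "__main__":
    print("constructed VMware guest :", vmware_indicators(*SAMPLE_VMWARE))
    print("constructed physical host:", vmware_indicators(*SAMPLE_PHYSICAL))
    print("this machine             :", vmware_indicators(*collect_linux_artifacts()))
```

Two caveats for honeyclient operators. First, these artifacts are the cheap ones to remove (override the MAC in the VM configuration, patch the SMBIOS strings), and doing so defeats only this class of check. Second, malware that talks to the hypervisor directly, for example through VMware's backdoor I/O port or by timing instructions that a hypervisor must trap, is not modelled here because such probes only behave meaningfully inside a VM; those are the checks that drive the "different virtualization platform" question the chapter raises next.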

As I’ve explored the client-side exploit landscape over the past several years, it has become clear to me that attackers are extremely opportunistic. The bulk of client-side exploits today target Microsoft’s IE 6 browser, but this can change as market shares shift. Many people ask me whether it’s a good idea to use Mozilla Firefox instead. My answer is always something like, “Sure, but keep in mind that if everyone ...
