Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic

US10817606B1 · US · B1

Patent metadata
Publication number: US-10817606-B1
Application number: US-201615197647-A
Country: US
Kind code: B1
Filing date: Jun 29, 2016
Priority date: Sep 30, 2015
Publication date: Oct 27, 2020
Grant date: Oct 27, 2020

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A malicious content detection (MCD) system and a computerized method for manipulating time uses a time controller operating within the MCD system in order to capture the behavior of delayed activation malware (time bombs). The time controller may include a monitoring agent located in a software layer of a virtual environment configured to intercept software calls (e.g., API calls or system calls) and/or other time checks that seek to obtain a “current time,” and time-dilation action logic located in a different layer configured to respond to the software calls by providing a “false” current time that indicates considerably more time has transpired than the real clock.
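The mechanism the abstract describes, as an added example that is not part of the patent and not FireEye's code: a deterministic Python simulation in which a constructed delayed-activation specimen polls a hooked tick counter and sleeps until ten minutes of guest time have passed. The class and function names (HostClock, TimeController, time_bomb_specimen, analyze), the two-minute analysis budget and the per-call cost are assumptions made for the demonstration, and the host clock is simulated rather than read from the system so the run is reproducible offline. It shows the three outcomes the claims below contrast: with real time the payload never fires inside the analysis window, with 10x dilation it fires after about a minute of host time, and when a detected sleep is fast-forwarded (the claim 17 variant) it fires within seconds.

```python
# Added example, not code from the patent or from FireEye. All names are
# hypothetical. A real implementation hooks the guest kernel's time APIs and
# manipulates the hypervisor's virtual clock; here both sides are plain Python
# driven by a simulated host clock so the demo terminates and is repeatable.
from dataclasses import dataclass, field

CALL_COST = 0.01  # host seconds charged per hooked call: busy-wait loops still burn budget


class BudgetExhausted(Exception):
    """Raised when the specimen has used up the real-time analysis window."""


@dataclass
class HostClock:
    """Simulated real (host) time in seconds, advanced explicitly."""
    now: float = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class TimeController:
    """Monitoring agent (the hooks) plus time-dilation logic (the false time).

    dilation > 1 makes the guest-visible clock run faster than the host clock.
    fast_forward_sleep treats a detected delay as elapsed: the guest clock is
    advanced by the requested amount instead of the host actually waiting.
    """
    host: HostClock
    budget: float
    dilation: float = 1.0
    fast_forward_sleep: bool = False
    skipped: float = 0.0                                   # guest seconds added by fast-forwarded sleeps
    time_checks: list = field(default_factory=list)        # every hooked time-related check, for the verdict

    # --- monitoring agent: hooked time queries and delays ---
    def get_tick_count(self) -> float:
        self._charge("get_tick_count")
        return self._false_time()

    def get_system_time(self) -> float:
        self._charge("get_system_time")
        return self._false_time()

    def sleep(self, seconds: float) -> None:
        self._charge("sleep")
        if self.fast_forward_sleep:
            self.skipped += seconds        # guest believes it slept; host time barely moved
        else:
            self.host.advance(seconds)     # real waiting consumes the analysis window
            self._check_budget()

    # --- time-dilation logic: one formula shared by every time source ---
    def _false_time(self) -> float:
        # Deriving all sources from the same host clock keeps them mutually
        # consistent, so a specimen comparing two of them sees no discrepancy.
        return self.host.now * self.dilation + self.skipped

    def _charge(self, kind: str) -> None:
        self.time_checks.append((kind, round(self.host.now, 3)))
        self.host.advance(CALL_COST)
        self._check_budget()

    def _check_budget(self) -> None:
        if self.host.now > self.budget:
            raise BudgetExhausted


def time_bomb_specimen(api: TimeController, delay: float = 600.0, poll: float = 5.0) -> str:
    """Constructed specimen: polls the clock until `delay` guest-seconds have
    passed, then performs its stand-in malicious action."""
    start = api.get_tick_count()
    while api.get_tick_count() - start < delay:
        api.sleep(poll)
    return "payload_executed"


def analyze(budget: float = 120.0, dilation: float = 1.0, fast_forward_sleep: bool = False) -> dict:
    """Run the specimen under a time controller; report whether the payload
    was observed inside the real-time budget and how much host time it took."""
    host = HostClock()
    ctrl = TimeController(host, budget, dilation, fast_forward_sleep)
    try:
        outcome = time_bomb_specimen(ctrl)
    except BudgetExhausted:
        outcome = "timed_out"
    return {"outcome": outcome,
            "host_seconds": round(host.now, 2),
            "time_checks": len(ctrl.time_checks)}


if __name__ == "__main__":
    for kwargs in ({}, {"dilation": 10.0}, {"fast_forward_sleep": True}):
        print(kwargs, analyze(**kwargs))
```

The design point worth keeping from claims 16 through 18 is that every time source the guest can read is derived from the same dilated host clock. A controller that only hooks API calls while leaving a hardware timestamp counter or chipset timer at real time hands the specimen a simple cross-check: two sources that disagree about elapsed time are a sign the clock is being manipulated, and the delay loop can fall back to the untouched source. The recorded time_checks list is the other half of the method: a specimen that repeatedly queries time and then sleeps is already exhibiting the behaviour the claims call indicative of potential delayed activation malware, before any payload runs.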

First claim

Opening claim text (preview).

What is claimed:
1. A computer implemented method of detecting delayed activation malware involving manipulating time, the method comprising: hooking, by a monitoring agent of a time controller included in a first layer of a functional stack of a run-time environment corresponding to a kernel mode layer of a guest operating system of a virtual machine, a time-related check from a process executing in the run-time environment to process a specimen, the time-related check indicative of potential delayed activation malware; generating, by time-dilation logic of the time controller included in a second layer of the functional stack of the run-time environment in response to the time-related check, a false time value that is later than real time so as to indicate a greater length of time has transpired than has actually transpired, the generating of the false time value comprises manipulating a time value available to the guest operating system to yield the false time value that causes a predetermined delay period occurring in the guest operating system to elapse faster than in real time; and monitoring activity of the process in the run-time environment in response to the supplied false time value to detect anomalous behavior indicative of malware.
2. The method of claim 1, wherein hooking the time-related check comprises hooking a software call from the process to obtain a current time, and communicating information regarding the hooked software call to the time-dilation logic.
3. The method of claim 2, wherein the software call is directed to an executing software module in a third layer in the functional stack of the run-time environment that is different from the first layer.
4. The method of claim 3, wherein the software call comprises a system call and the executing software module comprises an operating system.
5. The method of claim 4, wherein the run-time environment comprises a virtual environment provisioned with a guest software image comprising the process and the operating system.
6. The method of claim 3, wherein the executing software module comprises a hypervisor.
7. The method of claim 1, wherein the predetermined delay period comprises a predetermined period of time of execution of the process.
8. The method of claim 1, wherein the second layer comprises a hypervisor layer.
9. The method of claim 8, further comprising: communicating hooking of the time-related check from the monitoring agent in the kernel mode layer to the time-dilation logic located at least in part in the hypervisor layer of the virtual machine; and the manipulating of the time value includes altering an interrupt sent to a kernel scheduler included in the kernel mode layer and to cause the kernel scheduler to initiate processing of the specimen within a desired period of time.
10. The method of claim 9, wherein the altered interrupt transmitted to the kernel scheduler causing the kernel scheduler to advance the time value of a clock that is available to the guest operating system to reflect the false time value.
11. The method of claim 9, wherein the altered interrupt transmitted to the kernel scheduler causes the kernel scheduler to perform at least one of either (i) increasing a frequency of a clock that is available to the guest operating system, or (ii) incrementing the clock of the guest operating system with a value greater than that normally added thereto.
12. The method of claim 9, wherein the kernel scheduler comprises a first scheduler and an alternate scheduler, the alternate kernel scheduler advances a time of a clock that is available to the guest operating system and handles scheduling for processing of the specimen.
13. The method of claim 12, wherein manipulating the time of the clock that is available to the guest operating system further comprises: partially or completely disabling the first kernel scheduler; and enabling the alternate scheduler.
14. The method of claim 12, wherein the altered interrupt transmitted to the alternate kernel scheduler causes the alternate kernel scheduler to advance a time of a clock that is available to the guest operating system to reflect the false time value.
15. The method of claim 1, wherein hooking the time check comprises hooking an Application Programming Interface (API) call that is serviced in the kernel mode layer.
16. The method of claim 1, wherein hooking the time check includes hooking a time check attempting to read a time stamp maintained by a virtual chipset; and supplying the false time value by the time-dilation logic comprises advancing the time stamp maintained by the virtual chipset and supplying the time stamp as the false time value in response to the time check.
17. The method of claim 1, wherein hooking the time check includes hooking a time check attempting to read a time stamp maintained by a virtual chipset; and supplying the false time value by the time-dilation logic comprises advancing the time stamp maintained by the virtual chipset and supplying the time stamp as the false time value in response to a detected period of inactivity or delay in execution.
18. The method of claim 1, wherein supplying the false time value by the time-dilation logic comprises advancing a clock maintained by a virtual chipset by a number of ticks, and generating the false time value based on a system clock.
19. The method of claim 1, wherein supplying the false time value by the time-dilation logic comprises signaling to a virtual chipset included in the hypervisor layer to generate a hibernation of the guest operating system and to manipulate a number of hardware ticks to correspond to a shortened period of time during the hibernation.
20. The method of claim 1, wherein hooking the time-related check comprises hooking by the monitor agent a memory access corresponding to a time query made to a first memory location corresponding to the process, and wherein supplying the false time value by the time-dilation logic comprises altering a mapping of memory at a user mode layer corresponding to the process so as to provide in response to the memory access, contents from a second memory location, wherein the first memory location has contents that reflect the real time and the second memory location contents reflect the false time value.
21. The method of claim 20, wherein the memory at the user mode layer is virtual and mapped by a kernel mode layer for every process to a physical area of memory included in a physical layer.
22. The method of claim 20, wherein the hooking by the monitor agent of the memory access corresponding to the time query comprises hooking an Application Programming Interface (API) call that is capable of being serviced in memory at the user mode layer.
23. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform a plurality of operations, comprising: hooking, by a monitoring agent of a time controller included in a kernel mode layer of a guest operating system within a run-time environment of a virtual machine, a time-related check from a process executing in the run-time environment, the time-related check indicative of potential delayed activation malware; generating, by time-dilation logic of the time controller included in a second layer of the functional stack of the run-time environment in response to the time-related check, a false time value that is later than real time so as to indicate a

Assignees

Fireeye Inc

Inventors

Classifications

  • Isolation or security of virtual machine instances · CPC title

  • G06F21/566 (primary) · Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title

  • Event management; Broadcasting; Multicasting; Notifications · CPC title

  • Hypervisor-specific management and integration aspects · CPC title

  • by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10817606B1 cover?
A malicious content detection (MCD) system and a computerized method for manipulating time uses a time controller operating within the MCD system in order to capture the behavior of delayed activation malware (time bombs). The time controller may include a monitoring agent located in a software layer of a virtual environment configured to intercept software calls (e.g., API calls or system call…
Who is the assignee on this patent?
Fireeye Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/566. Mapped technology areas include Physics.
When was this patent published?
Publication date Oct 27, 2020 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).