As they've shifted from mischief to larceny, malware writers have become more stealthy – seeking to infiltrate a server or PC with a rootkit that can lay doggo while collecting passwords, customer records and other data.
Two techniques currently in vogue play off the antivirus efforts of sysadmins. One is the use of virtual machines (VMs), which the good guys use as honeypots to collect and then observe the activity of bits of malware. Some viruses now have the ability to check whether they are running in a VM or on the actual operating system. Viruses that find themselves in a VM shut down, delaying detection and analysis and giving other instances of the virus a better chance to propagate.
The other trick is to have the virus check whether it is attached to a debugger by measuring how long its own code takes to run. Too much of a delay is an indicator that a debugger is in action, and the virus shuts itself down.
Security managers are also on the lookout for a more insidious technique – using a virus that has infected a VM to escape and infect the actual operating system – though that technique is still theoretical.
Read the original version of this story at TechTarget's SearchSecurity.com.