A computer virus is malware that, when executed, attempts to infect other executables and alter their default behavior. A virus copies itself into an executable without the permission or knowledge of the user. The first computer virus was a boot sector virus. Viruses damage system files and the operating system, which comprise system sectors, files, macros, companion files and source code [1]. Viruses use the internet as a medium to spread.
The early detection of viruses is imperative to minimize the damage they cause. Many antivirus defense mechanisms are available today, including signature-based and behavior-based detection. Signature-based virus detection tools search all the files on a system for a known signature. Code emulation creates a virtual machine and executes a suspected virus inside it for detection.
Once a virus is detected, it is no longer a threat. To bypass signature-based detection, virus writers must create new viruses or modify existing ones. Virus writers evade signature detection by generating metamorphic copies of a virus.
Metamorphic viruses change their appearance while keeping the same functionality. Metamorphic viruses use different code obfuscation techniques to change the structure of the code. These techniques include code reordering through jumps, subroutine permutation, dead code insertion, equivalent instruction substitution, and rearrangement of instruction order (transposition).
Statistical pattern analysis is the most successful technique for detecting metamorphic viruses. In behavioral analysis, the behavioral characteristics of an executable become known as it is observed in real time, and an inductive decision algorithm infers its threat level. All executables are treated as unknown, and it is up to the executable to prove that it is acting in a safe, non-malicious manner. In doing so, the ability to detect zero-day (unknown) attacks is substantially improved.
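The following added example illustrates the two preceding points from the detector's side: why a raw signature misses a metamorphic copy produced by dead-code insertion and equivalent-instruction substitution, and how a statistical comparison of opcode frequencies (optionally after a simple normalization pass) still recognizes the variant. It is not code from the paper; the opcode sequences are constructed mnemonic traces, not taken from any real sample, and the `zero` canonical token, the `sub_1`/`loc_1` labels and the 0.9 threshold are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed opcode traces (mnemonic, operands). Not from any real binary.
BASE = [
    ("push", "ebp"), ("mov", "ebp,esp"), ("sub", "esp,0x10"),
    ("xor", "eax,eax"), ("mov", "[ebp-4],eax"), ("call", "sub_1"),
    ("test", "eax,eax"), ("jz", "loc_1"), ("mov", "eax,[ebp-4]"),
    ("add", "eax,1"), ("leave", ""), ("ret", ""),
]

# Same functionality as BASE, but with dead code inserted (nop, mov ebx,ebx)
# and the zeroing idiom substituted (mov eax,0 instead of xor eax,eax).
VARIANT = [
    ("push", "ebp"), ("nop", ""), ("mov", "ebp,esp"), ("sub", "esp,0x10"),
    ("mov", "eax,0"), ("mov", "ebx,ebx"), ("mov", "[ebp-4],eax"),
    ("nop", ""), ("call", "sub_1"), ("test", "eax,eax"), ("jz", "loc_1"),
    ("mov", "eax,[ebp-4]"), ("add", "eax,1"), ("leave", ""), ("ret", ""),
]

# Unrelated constructed function used as a benign control.
BENIGN = [
    ("push", "ebp"), ("mov", "ebp,esp"), ("mov", "eax,[ebp+8]"),
    ("imul", "eax,eax"), ("pop", "ebp"), ("ret", ""),
]

SIMILARITY_THRESHOLD = 0.9  # assumed cut-off for "same family"


def normalize(seq):
    """Undo the simple obfuscations shown above: drop dead code and map
    equivalent zeroing instructions to one canonical token ("zero", reg)."""
    out = []
    for mnemonic, operands in seq:
        parts = [p.strip() for p in operands.split(",")] if operands else []
        if mnemonic == "nop":
            continue                                   # dead code
        if mnemonic == "mov" and len(parts) == 2 and parts[0] == parts[1]:
            continue                                   # mov r,r is a no-op
        if mnemonic in ("xor", "sub") and len(parts) == 2 and parts[0] == parts[1]:
            out.append(("zero", parts[0]))             # xor r,r / sub r,r
            continue
        if mnemonic == "mov" and len(parts) == 2 and parts[1] == "0":
            out.append(("zero", parts[0]))             # mov r,0
            continue
        out.append((mnemonic, operands))
    return out


def _digest(seq):
    text = "\n".join(f"{m} {o}".strip() for m, o in seq)
    return hashlib.sha256(text.encode()).hexdigest()


def raw_signature(seq):
    """Exact hash of the instruction stream; any byte change breaks it."""
    return _digest(seq)


def normalized_signature(seq):
    """Hash taken after normalization; survives the obfuscations handled above."""
    return _digest(normalize(seq))


def opcode_histogram(seq):
    """Opcode frequency profile: the statistical feature used for comparison."""
    return Counter(m for m, _ in seq)


def cosine_similarity(h1, h2):
    dot = sum(h1[k] * h2[k] for k in h1.keys() & h2.keys())
    n1 = math.sqrt(sum(v * v for v in h1.values()))
    n2 = math.sqrt(sum(v * v for v in h2.values()))
    return dot / (n1 * n2) if n1 and n2 else 0.0


def similarity(seq, reference, normalize_first=True):
    """Cosine similarity of opcode histograms, with optional normalization."""
    if normalize_first:
        seq, reference = normalize(seq), normalize(reference)
    return cosine_similarity(opcode_histogram(seq), opcode_histogram(reference))


def is_variant(seq, reference, threshold=SIMILARITY_THRESHOLD):
    """Flag seq as a member of reference's family on statistical similarity."""
    return similarity(seq, reference) >= threshold


if __name__ == "__main__":
    print("raw signatures match:       ", raw_signature(BASE) == raw_signature(VARIANT))
    print("normalized signatures match:", normalized_signature(BASE) == normalized_signature(VARIANT))
    print("similarity raw:             ", round(similarity(BASE, VARIANT, False), 3))
    print("similarity normalized:      ", round(similarity(BASE, VARIANT), 3))
    print("benign similarity:          ", round(similarity(BENIGN, BASE), 3))
```

Run as a script, it shows that the raw hash of `VARIANT` differs from `BASE` while the normalized hash and the opcode-frequency similarity both identify it as the same code, and that the unrelated `BENIGN` trace stays below the threshold. Real metamorphic engines use far richer transformations than the two handled here, which is exactly why the paper prefers statistical profiles over exact signatures: the histogram comparison degrades gracefully as transformations accumulate, whereas a hash fails on the first changed byte.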