A computer virus is malware that, when executed, tries to infect other executables and alter their default behavior. A virus copies itself into an infected executable without the permission or knowledge of the user. The first computer virus was a boot sector virus. Generally a computer virus causes damage to the host machine. The damage can be done to a number of different components of the computer's operating system and file system, including system sectors, files, macros, companion files and source code. The always-connected world of the Internet is a soft target for viruses: viruses use Internet connectivity to spread across the world faster and create havoc. Early detection of viruses is imperative to minimize the damage they cause.
There are many antivirus defense mechanisms available today, including signature-based and behavior-based detection. Signature-based virus detection tools search all the files on a system for a known signature. Code emulation creates a virtual machine and executes the suspect program on that virtual machine so that the virus can be detected. Once a virus is detected, it is no longer a threat. To bypass signature detection, virus writers have to create new viruses or change existing ones. Virus writers evade signature detection by generating metamorphic copies of a virus. Metamorphic viruses change their appearance while keeping the same functionality. They use different code obfuscation techniques to change the structure of the code; these techniques include code reordering through jumps, subroutine permutation, dead code insertion, equivalent instruction substitution, and rearrangement of instruction order (transposition). Statistical pattern analysis is the most successful technique for detecting metamorphic viruses. In behavioral analysis, the behavioral characteristics of an executable are learned as it is observed in real time, and an inductive decision algorithm draws inferences about its threat level. All executables are treated as unknown, and it is up to the executable to prove that it is acting in a safe, non-malicious manner. In doing so, the ability to detect zero-day (unknown) attacks is substantially improved.
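The following added example (not code from the original text) illustrates why an exact signature fails on a metamorphic copy while a statistical comparison still flags it. It uses one simple form of statistical pattern analysis, cosine similarity of opcode-frequency histograms against a known-family profile; the opcode sequences are constructed by hand for illustration, with the "variant" differing from the base only by dead-code insertion and equivalent instruction substitution as the text describes.

```python
from collections import Counter
from math import sqrt

# Constructed opcode mnemonic sequences (illustrative only, not real malware).
# BASE is the known family sample; VARIANT keeps the same logic but has dead
# code inserted (nop, push/pop pair) and one equivalent substitution
# (xor -> sub); BENIGN is an unrelated program.
BASE = "push mov xor call mov cmp jne mov add pop ret".split()
VARIANT = "push nop mov sub push pop call mov cmp nop jne mov add pop ret".split()
BENIGN = "mov mov lea lea shl shr and or test jz ret".split()

# An exact opcode-sequence signature extracted from BASE.
SIGNATURE = ["xor", "call", "mov", "cmp"]


def signature_match(sample, signature=SIGNATURE):
    """Exact contiguous-sequence match: breaks as soon as the sequence changes."""
    n = len(signature)
    return any(sample[i:i + n] == signature for i in range(len(sample) - n + 1))


def opcode_histogram(sample):
    """Raw opcode counts; cosine similarity is scale-invariant, so no normalisation."""
    return Counter(sample)


def cosine_similarity(h1, h2):
    keys = set(h1) | set(h2)
    dot = sum(h1.get(k, 0) * h2.get(k, 0) for k in keys)
    norm = sqrt(sum(v * v for v in h1.values())) * sqrt(sum(v * v for v in h2.values()))
    return dot / norm if norm else 0.0


# Family profile built from the known sample (in practice, from many samples).
FAMILY_PROFILE = opcode_histogram(BASE)


def similarity_to_family(sample):
    return cosine_similarity(opcode_histogram(sample), FAMILY_PROFILE)


def flagged_by_statistics(sample, threshold=0.8):
    """Statistical detector: flag if the opcode distribution resembles the family."""
    return similarity_to_family(sample) >= threshold


if __name__ == "__main__":
    for name, s in (("base", BASE), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{name:8s} signature={signature_match(s)!s:5s} "
              f"similarity={similarity_to_family(s):.3f} flagged={flagged_by_statistics(s)}")
```

The variant defeats the exact signature yet scores about 0.84 against the family profile, while the unrelated program scores about 0.44; the threshold is an assumed value that a real deployment would tune against labelled samples.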