payload (computing)
What is a payload (computing)?
In computing, a payload is the carrying capacity of a packet or other transmission data unit. The term has its roots in the military and is often associated with the capacity of executable malicious code to do damage. The term payload has two meanings: data payload, which is related to the transport of data across a network, and malware payload, which refers to malicious code used to exploit and compromise IT networks and systems.
Data payload. The payload of a specific network packet or other protocol data unit (PDU) is the transmitted data sent by communicating endpoints; network protocols also specify the maximum length allowed for packet payloads. The payload is then wrapped in a packet that contains information such as media access control address and IP information, quality of service tags, time-to-live data and checksums.
Malware payload. Payload in the context of malware refers to malicious code that causes harm to the targeted victim. Malware payloads can be distributed by methods such as worms and phishing emails. Today, malware authors typically encrypt the payload to hide the malicious code from antimalware detection and remediation tools.
Payload examples
Here are examples of a data payload and a malware payload:
- IP packet data payload. An IP packet consists of an Ethernet, IP and TCP header. This information helps the packet adhere to the communication protocol standard and reach its destination on the network. The payload portion of the packet contains the data that a user or device wants to send.
- Phishing malware payload. In this scenario, a phishing email contains a self-replicating virus stored within a macro of an Excel spreadsheet attachment.
How does an IP packet payload work?
An IP packet might contain a payload with commands issued by an end user, such as a request for web content. But, more often, it carries a payload consisting of data transmitted by a server in response to a user request. Payload limits on PDUs are usually specified by a protocol, and the maximum size of the payload for an individual PDU rarely changes.
Network protocol payload limits are important because they can affect protocol performance. For example, smaller payloads mean more packets must be created and transmitted for a volume of data. Larger payloads create fewer packets but require a fast and reliable network, capable of delivering large volumes of data without delays caused by errors or transient network conditions.
The maximum size for network payloads is determined by subtracting the amount of data required for protocol headers -- and trailers, if the protocol uses them -- from the maximum transmission unit (MTU) size for the protocol. The MTU for IP packets varies by system and network. The original IP standard (Request for Comments 791) specified that all hosts must be able to accept packets as large as 576 bytes with a data payload of 512 bytes and 64 bytes for the header. The currently accepted default MTU for IPv4 packets is 1,500 bytes for compatibility with Ethernet segments; larger or smaller MTUs can be specified for individual systems.
The maximum payload size for IP packets is limited by the Total Length field in the IP packet header; that field is 16 bits long, meaning the maximum possible value is 216 and the highest possible value for packet length is 65,535 -- no payload can be larger, minus the number of bytes required for the packet header.
How does a malware payload work?
Attackers use a two-phase approach to bypass defenses. This works by keeping the payload -- which is the part that causes damage to the victim -- separate from the infection vector. This way, proven distribution methods, such as phishing emails and worms, can be adapted over time for malicious payload delivery.
While malware payloads do not have specified limits for a maximum carrying capacity, malicious actors try to keep the malware payloads to a reasonable size to avoid being flagged by endpoint- or network-based malware detection tools.
Almost any type of malware can be incorporated into a payload with the help of a payload generator to create executable malware. Malicious actors, as well as penetration testers, use payload generators to incorporate an executable piece of malware into a payload for delivery to targets. The open source Metasploit Project includes resources for researching security vulnerabilities, including a payload generator.
The payload generator accepts shellcode, which is a short sequence of code that starts an exploitable command shell on the target and creates an executable binary file to enable the payload delivery.
Once delivered and executed, the payload delivery process infects the targeted system -- unless there is a malware detection system. A payload can contain of any kind of malware, including ransomware, botnet recruitment, or other types of viruses or worms.
Learn the difference between malware and ransomware and how each delivers malicious payloads.