Payload (computing)

Contributor(s): Peter Loshin

The term payload, when used in the context of networking or telecommunications, is the data carried inside a packet (or other network protocol data units like frames or segments). When used in the context of malware, payload refers to any malicious executable code that is delivered to its target once an initial infection is accomplished.

While malware payloads do not have specified limits in the sense of a maximum carrying capacity, malicious actors try to keep their malware payloads to a reasonable size to avoid being flagged by endpoint or network security products. Network protocols, on the other hand, must specify a maximum payload size that is appropriate for the networks being traversed and the systems at either end.

The payload of a specific packet or other protocol data unit (PDU) is the actual transmitted data sent by communicating endpoints; network protocols also specify the maximum length allowed for packet payloads.

While some protocols use a trailer field to signify the end of a packet, others require network nodes to be able to calculate where a packet ends. For example, Internet Protocol (IP) uses a counter in the packet header, which network nodes use to determine where the packet payload ends.

IP packet payload vs. malware payload

An IP packet might contain a payload that has commands issued by an end user, such as a request for web content; more commonly it will carry a payload consisting of actual data transmitted by a server in response to a user request. Payload limits on PDUs are usually specified by relevant protocol specifications, and the maximum size of the payload for an individual PDU changes infrequently (if at all).

The maximum size for network payloads can be determined by subtracting the amount of data required for protocol headers (and trailers, in the event that the protocol uses them) from the maximum transmission unit (MTU) size for the protocol. The MTU for IP packets can vary by system and network; the original IP standard (RFC 791) specified that all hosts must be able to accept packets as large as 576 bytes, with a data payload of 512 bytes and 64 bytes for the header. The generally accepted default MTU for IPv4 packets was eventually adjusted upward to 1,500 bytes for compatibility with Ethernet segments; larger (or smaller) MTUs can also be specified for individual systems.

The maximum payload size for IP packets is limited by the Total Length field in the IP packet header; that field is 16 bits long, so it can take 2^16 distinct values, meaning the highest possible value for packet length is 65,535 -- no payload can be larger than that, minus the number of bytes required for the packet header.
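The length arithmetic described above, as an added example that is not part of the original article: it reads the Total Length and header-length (IHL) fields to find where an IPv4 payload ends, rejects packets whose length fields disagree with the bytes actually captured, and computes the MTU-minus-header limit. The function names and the sample packet are constructed for illustration.

```python
import struct

IPV4_MIN_HEADER = 20      # bytes: header with no options (IHL = 5)
IPV4_MAX_TOTAL = 0xFFFF   # 65,535: largest value the 16-bit Total Length field holds

def max_payload(mtu, header_len=IPV4_MIN_HEADER):
    """Largest payload that fits in one packet: MTU minus header bytes."""
    return min(mtu, IPV4_MAX_TOTAL) - header_len

def ipv4_payload(buf):
    """Return the payload of the IPv4 packet at the start of buf.

    Raises ValueError when the header's length fields are inconsistent with
    each other or with the number of bytes captured.
    """
    if len(buf) < IPV4_MIN_HEADER:
        raise ValueError("buffer shorter than minimum IPv4 header")
    ver_ihl, _tos, total_len = struct.unpack_from("!BBH", buf, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (ver_ihl & 0x0F) * 4   # IHL counts 32-bit words
    if header_len < IPV4_MIN_HEADER:
        raise ValueError("IHL below 5")
    if total_len < header_len:
        raise ValueError("Total Length smaller than header length")
    if total_len > len(buf):
        raise ValueError("Total Length exceeds captured bytes (truncated)")
    # Bytes past total_len are link-layer padding, not payload.
    return buf[header_len:total_len]

def build_sample(payload, options=b""):
    """Constructed sample packet: checksum left at zero, documentation addresses."""
    assert len(options) % 4 == 0
    header_len = IPV4_MIN_HEADER + len(options)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | (header_len // 4), 0, header_len + len(payload),
                      0, 0, 64, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options + payload

if __name__ == "__main__":
    pkt = build_sample(b"GET / HTTP/1.1\r\n\r\n") + b"\x00" * 6  # trailing padding
    print(ipv4_payload(pkt))
    # 1,500-byte MTU, the article's 576/64 figures, and an MTU above the field limit
    print(max_payload(1500), max_payload(576, 64), max_payload(70000))
```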

Network protocol payload limits are important because they can affect protocol performance: Smaller payloads mean more packets must be created and transmitted for a given volume of data. Larger payloads cut down on the need to create more packets -- but also require that there be a fast and reliable network environment that is capable of delivering large volumes of data without delays caused by errors or transient network conditions.

Malware payloads

In the context of malware, the payload usually refers to malicious code that causes harm to the targeted victim. Malware payloads can be distributed by a range of vectors, including via worms, phishing emails and other delivery mechanisms. Today, malware authors typically encrypt the payload to hide the malicious code from antimalware products.

Attackers use a two-phase method to bypass defenses by keeping the actual payload -- the part that causes damage to the victim -- separate from the infection vector. In this way, proven distribution methods, such as phishing emails and worms, can be adapted over time for malicious payload delivery.

Creation and effects of a malware payload

Almost any kind of malware can be incorporated into a payload, usually with the help of a payload generator, to create executable malware. Malicious actors, as well as penetration testers, use payload generators to incorporate an executable piece of malware into a payload for delivery to targets. The Metasploit Project is an open source project that provides resources for researching security vulnerabilities, including a payload generator.

The payload generator accepts shellcode, usually a short sequence of code that can start an exploitable command shell on the target, and creates an executable binary file that actually enables the payload delivery.

Once delivered and executed, the payload delivery process enables infection of the targeted system. Depending on the existence of malware detection systems and their facility in detecting malicious code in transmitted data, malware delivered via an email or other type of application payload will infect the target. A payload can contain any kind of malware, including ransomware, botnet recruitment or other types of virus or worm.

This was last updated in September 2018
