In computing, a payload is the carrying capacity of a packet or other transmission data unit. The term has its roots in the military and is often associated with the capacity of executable malicious code to do damage. Technically, the payload of a specific packet or other protocol data unit (PDU) is the actual transmitted data sent by communicating endpoints; network protocols also specify the maximum length allowed for packet payloads.
In the context of malware, the payload usually refers to malicious code that causes harm to the targeted victim. Malware payloads can be distributed by a range of vectors, including via worms, phishing emails and other delivery mechanisms. Today, malware authors typically encrypt the payload to hide the malicious code from antimalware products.
Attackers use the two-phase method in order to bypass defenses by keeping the actual payload -- which is the part that actually causes damage to the victim -- separate from the infection vector. In this way, proven distribution methods, such as phishing emails and worms, can be adapted over time for malicious payload delivery.
While malware payloads do not have specified limits in the sense of a maximum carrying capacity, malicious actors try to keep their malware payloads to a reasonable size to avoid being flagged by endpoint or network security products. Network protocols, on the other hand, must specify a maximum payload size that is appropriate for the networks being traversed and the systems at either end. While some protocols use a trailer field to signify the end of a packet, others require network nodes to be able to calculate where a packet ends. For example, Internet Protocol (IP) uses a counter in the packet header, which network nodes use to determine where the packet payload ends.
Creation and effects of a malware payload
Almost any kind of malware can be incorporated into a payload, usually with the help of a payload generator, to create executable malware. Malicious actors, as well as penetration testers, use payload generators to incorporate an executable piece of malware into a payload for delivery to targets. The Metasploit Project is an open source project that includes resources for researching security vulnerabilities, which includes a payload generator.
The payload generator accepts shellcode, usually a short sequence of code that can start an exploitable command shell on the target, and creates an executable binary file that actually enables the payload delivery.
Once delivered and executed, the payload delivery process enables infection of the targeted system. Depending on the existence of malware detection systems and their facility in detecting malicious code in transmitted data, malware delivered via an email or other type of application payload will infect the target. A payload can contain of any kind of malware, including ransomware, botnet recruitment or other types of virus or worm.
IP packet payload vs. malware payload
An IP packet might contain a payload that has commands issued by an end user, such as a request for web content; more commonly it will carry a payload consisting of actual data transmitted by a server in response to a user request. Payload limits on PDUs are usually specified by relevant protocol specifications, and the maximum size of the payload for an individual PDU changes infrequently (if at all).
The maximum size for network payloads can be determined by subtracting the amount of data required for protocol headers (and trailers, in the event that the protocol uses them) from the maximum transmission unit (MTU) size for the protocol. The MTU for IP packets can vary by system and network; the original IP standard (RFC 791), specified that all hosts must be able to accept packets as large as 576 bytes, with a data payload of 512 bytes and 64 bytes for the header. The generally accepted default MTU for IPv4 packets was eventually adjusted upward to 1,500 bytes for compatibility with Ethernet segments; larger (or smaller) MTUs can also be specified for individual systems.
The maximum payload size for IP packets is limited by the Total Length field in the IP packet header; that field is 16 bits long, meaning the maximum possible value is 216, meaning the highest possible value for packet length is 65,535 -- no payload can be larger than that, minus the number of bytes required for the packet header.
Network protocol payload limits are important because they can affect protocol performance: Smaller payloads mean more packets must be created, and transmitted, for a volume of data. Larger payloads cut down on the need to create more packets -- but also require that there be a fast and reliable network environment that is capable of delivering large volumes of data without delays caused by errors or transient network conditions.