AV Defines Payload Differently

Posted on by

AV companies have different definitions for the word payload. As an arbitrary base definition, Wikipedia defines payload as such:

the payload of a virus or worm is any action it is programmed to take other than merely spreading itself. The term is used for all intended functions, whether they actually work or not.

The Computer Desktop Encyclopedia says payload:

…refers to the software’s harmful results. Examples of payloads include data destruction, messages with insulting text or spurious e-mail messages sent to a large number of people.

Symantec has a slightly similar definition:

This is the malicious activity that the virus performs. Not all viruses have payloads, but there are some that perform destructive actions.

Trend Micro has a different take on the definition:

The term payload refers to an action that a malware or grayware performs, apart from its main behavior. For example, payloads for a worm include all other actions it performs apart from its propagation routines.

Payloads can range from something that is relatively harmless, like displaying messages or ejecting the CD drive, to something destructive, like deleting the contents of a hard drive.

McAfee defines payload as follows:

Refers to the effects produced by a virus attack. Sometimes refers to a virus associated with a dropper or Trojan horse.

From the Big Three’s definition, Trend Micro’s definition deviates from the Wikipedia and the other two quoted companies. Kaspersky, Sophos, and F-Secure do not have definitions on payload. Uniformity has never been AV companies’ forte; they don’t even name malware the same way. But based on the definitions we can safely say that payload refers to the malicious activities that a malware does. We are stumped by Trend Micro’s definition, since the definition will be problematic for Trojan horses.

Trojan horse is a general term that covers malware with different behavior. Based on its definition, Trend Micro sees payload as actions of a malware aside from its main routine. For Trojans, we ask: what is a Trojan’s main routine? It will now depend on what kind of a Trojan a malware is – whether it is a downloader, a dropper, a proxy server, etc.

That’s why I prefer the other’s definition – it has all bases covered.