A program counts as malware not because of what it can do, but because of how an attacker uses it. This view aligns with NIST's longer formulation but cuts the verbiage.
Since our professional experiences differ, we may disagree on some aspects of what constitutes malicious software. Having been in the field for many years, I'd like to propose a definition of malware that, I think, most will find reasonable.
Let’s start with NIST SP 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, which offers a starting point for defining malware:
“Malware, also known as malicious code, refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim’s data, applications, or operating system.”
This explanation is unnecessarily verbose, and it ties malware to a particular delivery mechanism (covert insertion into another program) rather than to its purpose. I propose a simpler definition, which is consistent with NIST's:
Malware is code that is used to perform malicious actions.
Here, the word "malicious" follows the standard English definition: "characterized by malice." It implies that the actions were taken against the interests of the victim or of someone else, and it makes intent a factor in deciding whether the actions were malicious.
My definition implies that whether a program is considered malware depends not so much on its capabilities as on how the attacker uses it. Threat actors benefit from malware at the victim's expense. Behind malicious software, there is usually a human or an organization making use of its capabilities for malicious purposes.
As a side note, please don’t pluralize the word “malware” by using “malwares.” This sounds very awkward. It’s just “malware,” even in a plural form.

