People and organizations disagree on what is malware. The exact definition of malicious software has been the subject of many discussions. Before attempting to explain this term, we must acknowledge that differences in individuals’ experiences and priorities will lead them to define malware differently.
NIST Guide to Malware Incident Prevention and Handling, SP 800-83, provides a good definition:
“Malware, also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim.”
This definition feels right to me, yet it is a bit too lengthy. I propose a simpler definition, which is compatible with that of NIST:
Malware is code that is used to perform malicious actions.
In this case, the word “malicious” follows the standard English definition: actions characterized by malice. It implies that the actions were taken against the victim’s or someone else’s interests. It also suggests that intent can be a factor when deciding whether the actions were malicious.
My definition implies that whether a program is malware depends not so much on its capabilities as on how the attacker uses it. Attackers benefit from malware at the victim’s expense. Behind malicious software there is usually a human or an organization making use of its capabilities for malicious purposes.
To see and join the latest discussion related to this definition, take a look at the Twitter thread on this topic. Thanks to Michael Murr and the good folks on Twitter who provided feedback on my attempts to define malware.