Researchers have created a new, never-before-seen type of malware, which they call the “Morris II” worm, that uses popular AI services to spread, infect new systems and steal data. The name refers to the original Morris computer worm that wreaked havoc on the Internet in 1988.
The worm demonstrates the potential dangers of AI security threats and creates new urgency around secure AI models.
New Worm Uses Adversarial Self-Replication Prompt
Researchers from Cornell Tech, the Israel Institute of Technology and Intuit used what’s called a “self-replicating adversarial prompt” to create the worm. This is a prompt that, when introduced into a large language model (LLM), tricks the model into creating an additional prompt. They tested it on OpenAI’s ChatGPT, Google’s Gemini, and the open source LLaVA model developed by researchers at the University of Wisconsin-Madison, Microsoft Research, and Columbia University. The prompt causes the chatbot to generate its own malicious prompts, which it then responds to by executing those instructions (similar to SQL injection and buffer overflow attacks).
The worm has two main abilities:
1. Data exfiltration: The worm can extract sensitive personal data from the email of infected systems, including names, phone numbers, credit card details and social security numbers.
2. Spread of spam: The worm can generate and send spam and other malicious emails through compromised AI-powered email assistants, helping it spread and infect other systems.
The researchers successfully demonstrated these capabilities in a controlled environment, showing how the worm could infiltrate generative AI ecosystems and steal data or distribute malware. The “Morris II” AI worm has not been observed in the wild and researchers have not tested it on a publicly available email assistant.
They discovered that they could use self-replicating prompts in text prompts and embedded prompts in image files.
Poisoned AI Databases
Demonstrating the text prompt approach, the researchers wrote an email containing the adversarial text prompt, “poisoning” the database of an AI email assistant that uses retrieval-augmented generation (RAG), which allows the LLM to retrieve external data. The RAG received the email and sent it to the LLM provider, which generated a response that jailbroke the AI service, stole data from the emails, and then infected new hosts when the LLM was used to reply to an email sent by another customer.
When using an image, the researchers encoded the self-replicating prompt into the image, which caused the email assistant to forward the message to other email addresses. The image serves as both content (spam, scams, propaganda, disinformation, or abuse) and the activation payload that spreads the worm.
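For the text-prompt case described above, a self-replicating prompt has to reappear in the reply the assistant generates, so one defensive check is to compare each draft reply against the text the RAG layer retrieved and hold drafts that carry a long verbatim copy. This is an added example, not code from the researchers; the function names, the 12-token threshold and the sample mail are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

def tokens(text):
    """Lower-cased word tokens, so case and punctuation changes do not hide a copy."""
    return re.findall(r"\w+", text.lower())

def longest_copied_run(source, reply):
    """Return the longest run of consecutive tokens present in both texts."""
    a, b = tokens(source), tokens(reply)
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]

def replication_findings(retrieved, draft_reply, min_run=12):
    """List retrieved documents whose content the draft reply reproduces verbatim.

    retrieved: dict of doc id -> text the RAG layer passed to the model.
    min_run:   assumed threshold in tokens; tune on real mail to limit false positives.
    """
    findings = []
    for doc_id, text in retrieved.items():
        run = longest_copied_run(text, draft_reply)
        if len(run) >= min_run:
            findings.append({"doc": doc_id, "tokens": len(run), "copied": " ".join(run)})
    return findings

def release_or_hold(retrieved, draft_reply, min_run=12):
    """Hold a draft for review when it carries a long verbatim copy of retrieved text."""
    findings = replication_findings(retrieved, draft_reply, min_run)
    return ("hold", findings) if findings else ("send", [])

# Constructed sample data. BLOCK is inert filler standing in for an embedded prompt.
BLOCK = ("begin constructed marker block alpha bravo charlie delta echo foxtrot "
         "golf hotel india juliet kilo lima end constructed marker block")
RETRIEVED = {
    "mail-001": "Hi team, the quarterly review moved to Thursday at 10am in room 4.",
    "mail-002": "Hello, please see my note below. " + BLOCK + " Regards, Sam",
}
CLEAN_REPLY = "Thanks, Thursday at 10am works for me. See you in room 4."
INFECTED_REPLY = "Thanks for your message. " + BLOCK.upper() + " Best regards."

if __name__ == "__main__":
    print(release_or_hold(RETRIEVED, CLEAN_REPLY))
    print(release_or_hold(RETRIEVED, INFECTED_REPLY))
```

The check only sees verbatim text, so it does not cover a copy that has been paraphrased or a prompt carried inside an image, and replies that legitimately quote a long passage will need an allowance.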
Researchers say this is a new type of cybersecurity threat as AI systems become more advanced and interconnected. The lab-created malware is just the latest demonstration that LLM-based chatbot services are vulnerable to exploitation for malicious cyberattacks.
OpenAI has acknowledged the vulnerability and says it is working to make its systems resistant to this type of attack.
The Future of AI Cybersecurity
As generative AI becomes more ubiquitous, malicious actors could exploit similar techniques to steal data, spread misinformation, or disrupt systems on a larger scale. It could also be used by foreign state actors to interfere in elections or foment social divisions.
We are clearly entering an era where AI cybersecurity tools (AI threat detection and other cybersecurity AI) have become an essential part of protecting systems and data against cyberattacks, while AI also presents a risk when used by cyber attackers.
Now is the time to embrace AI cybersecurity tools and secure AI tools that could be used for cyberattacks.