Researchers have created a new type of malware never seen before called the “Morris II” worm. The worm uses popular AI services to spread itself, infect new systems, and steal data. The name comes from the original Morris computer his worm that wreaked havoc on the Internet in 1988.
This worm demonstrates the potential dangers of AI security threats and creates new urgency when it comes to securing AI models.
New worm utilizes hostile self-replication prompt
Researchers from Cornell Tech, Israel Institute of Technology, and Intuit created the worm using a so-called “hostile self-replicating prompt.” this is, Large-scale language model (LLM) (They tested it with OpenAI's ChatGPT, Google's Gemini, and an open-source LLaVA model developed by researchers at the University of Wisconsin-Madison, Microsoft Research, and Columbia University.) They tricked the model into creating additional prompts. Let me do it. This causes the chatbot to generate its own malicious prompts and respond by executing its instructions (similar to SQL injection and buffer overflow attacks).
This worm has two main functions:
1. Data withdrawal: The worm can extract sensitive personal data such as names, phone numbers, credit card details, and social security numbers from the infected system's email.
2. Spam propagation: The worm generates and sends spam and other malicious emails through a compromised AI-powered email assistant and helps infect other systems.
The researchers were able to demonstrate these capabilities in a controlled environment, showing how worms can infiltrate generative AI ecosystems to steal data or distribute malware. Ta. The “Morris II” AI worm has not been observed in the wild, and researchers have not tested it with publicly available email assistants.
They found that self-replicating prompts can be used both as text prompts and as prompts embedded in image files.
Learn more about prompt injection.
Tainted AI database
In demonstrating the text prompt approach, the researchers created an email containing an adversarial text prompt and used search augmentation generation (RAG) to enable the LLM to retrieve external data for an AI email assistant. You have “contaminated” the database. RAG retrieved the email and sent it to his LLM provider. This generates a response that jailbreaks the AI service, steals data from the email, and infects a new host when LLM is used to reply to an email sent from another client. did.
When using images, the researchers encoded a self-replication prompt into the image and had an email assistant forward the message to other email addresses. This image serves both as content (spam, fraud, propaganda, disinformation, and abuse material) and as an activation payload to spread the worm.
But researchers say this will become a new type of cybersecurity threat as AI systems become more sophisticated and interconnected. The lab-created malware is the latest exposure of LLM-based chatbot services, revealing vulnerabilities that could be exploited by malicious cyberattacks.
OpenAI acknowledged the vulnerability and said it is working to make its systems resistant to this type of attack.
The future of AI cybersecurity
As generative AI becomes more prevalent, malicious attackers could use similar techniques to steal data, spread misinformation, or disrupt systems at scale. It could also be used by foreign state actors to interfere in elections or incite social divisions.
While AI cybersecurity tools (AI threat detection and other cybersecurity AI) have become a core and critical part of protecting systems and data from cyberattacks, they also pose risks when used by cyberattackers. We are clearly entering an era in which this will cause
Now is the time to embrace AI cybersecurity tools and protect AI tools that can be used in cyberattacks.
