Skip to main content
Cybersecurity

AI worms demonstrate ‘new kind of cyberattack’

Worm fans: Meet Morris II.
article cover

Francis Scialabba

3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

It sounds like a horror movie, but researchers from Technion–Israel Institute of Technology, Intuit, and Cornell Tech expect a future of AI-powered worms.

In a demo and study they shared exclusively with Wired, team members Ben Nassi, Stav Cohen, and Ron Bitton used an “adversarial self-replicating prompt” to copy itself to the connected parts of a generative AI ecosystem—potentially stealing data and/or sending spam as it crept and crawled. Like the computer worms of old, the recent “zero-click” demo has the potential to hit plenty of unprepared end-users.

“It basically means that now you have the ability to conduct or to perform a new kind of cyberattack that hasn't been seen before,” Nassi told Wired.

Oh, great. Another reboot from the ’80s. The worm, dubbed Morris II, is named after its predecessor computer worm from 1988. That version (the OG Morris!) spread to about 6,000 of 60,000 networked devices. The 2024 reboot targets connected chatbots, virtual assistants, and other connected generative AI-powered agents.

I’m going to ask you again. A regular old prompt triggers an output of data. An adversarial prompt triggers the gen AI model to output the input, so it repeats the process in ongoing instances, resembling old-school hacks like buffer overflows and SQL injections that combine data queries and code execution. In the Morris II demo, the inputs “compel the agent to deliver them (propagate) to new agents,” the report read.

Allow them to demonstrate. The team created an email with a self-replicating prompt. The malicious prompt poisons the database of fen AI-powered email assistants, "which jailbreaks ChatGPT and Gemini to replicate itself and exfiltrate sensitive user data" and “steers the flow of an email assistant into forwarding the image to new clients,” according to a video description on the team’s ComPromptMized research page.

No clicks. A “zero-click” worm like Morris the Sequel means no interaction required: If somebody opens up the email, the program is set to run and leverage prompts that launch malware or ingest data, and then move on to different systems. To James McQuiggan, security awareness advocate at KnowBe4, the increased ease for phishers means end users will need to be extra suspicious of unusual messages, and security operations centers will need to be more tuned than ever to spot file transfers and abnormal communications.

“Brace yourself. Because if we’re developing and coming up with a proof of concept, that means the cybercriminals are already doing it,” McQuiggan told IT Brew.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.