INTRODUCTION

A trio of researchers, Stav Cohen, Ben Nassi, along with Ron Bitton created the worm Morris II. This new worm is a zero-click malware that can spread through generative artificial intelligence (GenAI) ecosystems and has already successfully breached Gemini Pro, ChatGPT 4.0, and LLaVA., by deploying an “adversarial self-replicating prompt” via text and image inputs. It’s named after one of the first self-replicating computer worms, the Morris Worm, developed by Cornell student Robert Morris in 1988.

The concerning development, is that the computer worm  emerged has the ability to manipulate generative AI tools that use OpenAI’s ChatGPT-4 and Google’s Gemini. This nefarious worm has the potential to compromise AI email assistants, extracting personal data and initiating the transmission of spam emails within a controlled test environment. Such capabilities raise alarms as the worm could facilitate phishing attacks, propagate spam emails, and even disseminate propaganda.

“Attackers can insert such prompts into inputs that, when processed by GenAI models, prompt the model to replicate the input as output (replication) and engage in malicious activities (payload),” the research summary states. “Additionally, these inputs compel the agent to deliver them (propagate) to new agents by exploiting the connectivity within the GenAI ecosystem.”

“Yesteryear, the original Morris worm crashed approximately 10% of all computers connected to the internet. Though the number of machines affected was relatively small at the time, it demonstrated the ability of computer worms to spread swiftly between systems without human intervention, hence the term ‘zero-click worm.'”

The AI worm creators contend that “flawed architecture design” within the generative AI ecosystem enabled them to craft the self-replicating malware. These AI worms or similar viruses might be employed in forthcoming instances to execute genuine, widespread attacks, potentially infecting additional generative AI tools and emphasizing the imperative for enhanced security measures for AI models.

“They appear to have found a way to exploit prompt-injection type vulnerabilities by relying on user input that hasn’t been checked or filtered,” OpenAI told Wired. The outlet reports that the AI firm, which is currently being sued by Elon Musk and The New York Times for separate reasons, is in the process of making its systems “more resilient.”

HOW THE WORM MORRIS-II WORKS?

Morris II has been meticulously crafted to exploit vulnerabilities within GenAI components of an agent, thereby instigating assaults across the entirety of the GenAI ecosystem.

Utilizing adversarial self-replicating prompts, coded directives strategically designed to coerce GenAI models into generating executable code. The worm systematically targets GenAI ecosystems. The concept of malware manipulating data for code execution is not novel and finds precedence in techniques such as SQL injection attacks and buffer overflow attacks. In this instance, attackers clandestinely embed code prompts, concealed within images, into inputs. These inputs are subsequently processed by GenAI models, compelling them to replicate the input as output—a phenomenon known as replication.

Apart from the ability of replication, Morris II can also be coded to engage in malicious activity. Like malicious prompts which can be entered into a GenAI agent, forcing it to deliver specific data and propagating the data to new agents while spreading and exploiting the GenAI ecosystem.  Morris II possesses the capability to breach the components and ecosystems of GenAI agents. It can spread malware and misinformation, launch extensive spam campaigns, exfiltrate personal data, deliver malicious payloads (malware) as it spreads, and execute various other malicious actions. However researchers didn’t release the worm into the wild but tested it in a controlled environment with the security and isolation of virtual machines, against three different GenAI models (Gemini Pro, ChatGPT 4.0, and LLaVA).

HOW CAN MORRIS-II FIXED?

Addressing the threat posed by AI worms like Morris II requires robust countermeasures to safeguard GenAI ecosystems. Researchers have proposed several strategies for GenAI developers to fortify their AI components against such attacks.

One approach is to halt the replication of AI worms by ensuring that the output of AI models does not contain segments resembling the input prompt. This entails rephrasing the entire output to prevent similarities that could facilitate replication. Implementing this security measure within the GenAI agent or server, along with countermeasures against jailbreaking techniques, can enhance resilience against AI worms.

Furthermore, preventing the propagation of GenAI worms necessitates the development of technologies capable of detecting these threats. By analyzing the interactions between agents within the GenAI-powered ecosystem and third-party services, such as SMTP servers and messaging applications, researchers propose methods for identifying and neutralizing worm propagation.

In the case of retrieval-augmented generation systems (RAG), integral to AI models, researchers advocate for securing RAG systems to prevent AI worm propagation. One suggested solution involves deploying non-active RAG systems that cannot store malicious payloads, thereby averting attacks like spamming and phishing. However, the challenge lies in ensuring the accuracy of AI models without updating the RAG system. Consequently, new anti-worm security measures must be implemented in RAG systems to reinforce defenses and mitigate the spread of AI worms.

OpenAI and Google have been notified of these vulnerabilities, and efforts are underway to address them. While these attacks exploit weaknesses in the GenAI ecosystem and its components rather than bugs in specific agents or services, collaboration between researchers and industry stakeholders is crucial to developing effective mitigation strategies.

“We hope that our forecast regarding the appearance of worms in GenAI ecosystems will turn out to be wrong because the message delivered in this paper served as a wakeup call,” the creators of the worm Morris II said.