An AI worm has been developed to infiltrate the generative AI ecosystem and spread while exposing sensitive data.

There is always something evocative and mildly terrifying about the term "computer worm." The image is of a worm tunneling and burrowing in, breaking into a machine and devouring its innards. Now, to sharpen the existential fear a bit, researchers have developed an AI worm.

One worm, developed by researchers Ben Nassi, Stav Cohen, and Rob Bitton, was named Morris II after the infamous Morris computer worm that rampaged across the Internet during the computer heyday of 1988 (via Ars Technica). This AI worm was built with the express purpose of targeting generative AI-powered applications and has been demonstrated to attack AI email assistants to steal data from messages and send spam. Lovely.

The worm utilizes what are called "hostile self-replicating prompts." While normal prompts cause the AI model to output data, hostile prompts cause the model under attack to output the prompt itself. These prompts can take the form of images or text, and when entered into the generative AI model, they trigger it to reproduce the prompt it received in its output.

These prompts can be used to trigger vulnerable AI models into malicious activity, such as exposing sensitive data, generating harmful content, or distributing spam. They can also create output that enables the worm to exploit the underlying generative AI ecosystem and infect new "hosts."

The researchers were able to write an email containing a hostile text prompt, which they used to contaminate the AI email assistant's database. When this email was later retrieved by a connected retrieval-augmented generation (RAG) service, commonly used by LLMs to collect extra data, and sent to the LLM, it effectively "jailbroke" the Gen-AI service, forcing it to replicate the prompt from input to output, which allowed sensitive user data to be exfiltrated and the prompt to be carried on to a new host.

A secondary technique used images embedded with malicious prompts to force the AI email assistant to forward more images, creating a self-replicating ouroboros-like nightmare of an infected AI ecosystem.

Now, I don't know about you, but I have a headache. Still, researchers are keen to point out that their research is about identifying vulnerabilities and "bad architectural design" in generative AI systems that allow such attacks to gain access and self-replicate so effectively.

For now, this AI worm serves as a model for potential attacks, run in a controlled environment on a test system, and has yet to be witnessed in the "wild." Companies like OpenAI and Google that build and maintain generative AI ecosystems will hopefully heed the warnings of these researchers.

A large part of the vulnerability exploited is the relative ease of letting AI models perform actions on their own without proper checks and balances. For reference, OpenAI has stated in response to the research that it is working to make its systems "more resilient" to potential attacks.
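One check of the kind this points to, as an added example that is not code from the researchers or from any vendor: before an AI email assistant sends a draft, compare it with the documents the retrieval step fed to the model and hold it if it carries a long verbatim run from any of them, which is the input-to-output replication described above. The function names, the 12-token threshold and the sample messages are assumptions constructed for illustration.

```python
import re

def _tokens(text):
    return re.findall(r"\w+", text.lower())

def longest_shared_run(source, output):
    """Length, in tokens, of the longest contiguous run found in both texts."""
    a, b = _tokens(source), _tokens(output)
    best, prev = 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def review_outbound(draft, retrieved_docs, max_run=12):
    """Return (allow, findings); findings lists (doc_id, run) at or over max_run.

    max_run is an assumed threshold: short shared phrases are normal in a
    reply, a long verbatim block copied from retrieved mail is not.
    """
    findings = []
    for doc_id, text in retrieved_docs.items():
        run = longest_shared_run(text, draft)
        if run >= max_run:
            findings.append((doc_id, run))
    return (not findings, findings)

# Constructed sample data. MARKER is inert stand-in text, not a working prompt.
MARKER = ("constructed stand-in for an instruction block that asks the "
          "assistant to repeat this entire block in its reply")
RETRIEVED = {
    "msg-101": "Hi, the quarterly report is attached. "
               "Let me know if Tuesday works for the review.",
    "msg-102": "Thanks for the update. " + MARKER + ". Regards, Sam",
}
CLEAN_DRAFT = ("Tuesday works for the review. "
               "I will read the quarterly report before then.")
REPLICATING_DRAFT = "Sure, see you then. " + MARKER + ". Best, Alex"

if __name__ == "__main__":
    for name, draft in (("clean", CLEAN_DRAFT), ("replicating", REPLICATING_DRAFT)):
        allow, findings = review_outbound(draft, RETRIEVED)
        print(name, "send" if allow else "hold for review", findings)
```

This is a heuristic: a reply that legitimately quotes a long passage will also be held, and a replicated prompt that the model rewords will pass, so it belongs alongside human approval of outbound actions rather than in place of it.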

Enter Kevin Bacon and a particularly well-placed cliff. You've seen "Tremors," right? Surrender.