Morris II Worm: AI’s First Self-Replicating Malware

What happens when Gen AI goes rogue?

A group of researchers from Cornell Tech, USA set to find out precisely what that would look like, their findings shedding light on the need to secure AI at every prompt and every layer. 

To study the impact of Gen AI cybersecurity threats, the researchers unleashed an "adversarial self-replicating prompt” to create an AI worm they named Morris II, which was then tested against Gemini Pro, ChatGPT 4.0 and LLaVA.

If the name seems familiar, it may ring a bell as it draws from the infamous Morris worm of 1988 – the malicious code that caused the first major, unintended, cyber attack on the internet. 

What is a computer worm? Understanding malware propagation

A successful computer worm is a malware that has the ability to replicate, perform malicious activity and propagate to other systems.

Unlike viruses, worms do not require host programmes – they exploit vulnerabilities in systems, protocols or applications to create copies of themselves and spread across systems by exploiting either a user vulnerability or a system vulnerability to latch on. 

A user vulnerability is when a user clicks on a link or an attachment that is carrying payload while the latter requires no requirement for a user action, it is essentially, zero-click. 

From its onset in the form of the Creeper worm in the 1970s, to notable cases such as Wannacry, computer worms have been used to delete, encrypt and steal data among other malicious uses. 

As organisations now are integrating AI agents that work with fewer human intervention into several stages of their businesses, they are opening a new attack surface for cybercriminals. 

While we have seen jailbreaking, prompt injection and data poisoning attacks that demonstrate security flaws of AI models, Morris II is a complete malware that targets such an ecosystem. 

What is Morris II AI worm and how does it target Gen AI ecosystems?

The Morris II worm is a lab-created example of an advanced AI cybersecurity threat which uses self-replicating AI prompts that can burrow its way into services that use Gen AI. 

Maliciously clever prompts, called adversarial self-replicating prompts used by Morris tricks AI models to replicate the input fed to the model within its generated output. 

The input here can contain malicious payload of various kinds, which could be an image that spreads propaganda or toxic code that is damaging, similar to SQL injection or buffer overflow.

Morris II is equipped with two major capabilities: extracting sensitive data and spam propagation from infected systems enabling it to further spread across computers.

The worm was tested against a specific kind of Gen AI ecosystem growing in popularity which is an email assistant which can choose to forward e-mails or generate automatic responses among other functions. 

Morris II is a RAG-based worm, meaning it targets Gen AI systems that use retrieval augmented generation (RAG) to create smart responses using data from RAG to understand the context in which each prompt is created. 

RAG carries a database of previous activities to enable accurate responses that reduce hallucinations. 

Taking the example of the email assistant, the RAG will contain new emails sent or received.

The researchers wrote an email containing an adversarial self-replicating prompt which gets stored in the RAG, sent to the LLM provider, which then jailbreaks the service and steals data from the emails. 

When the service is then used to reply to other emails, the new recipients get infected, thereby propagating without any human intervention. 

The Morris II is a warning, it is a theoretical demonstration of the very real possibility of threat actors weaponising AI to attack enterprise ecosystems by showing how AI worms propagate in Gen AI systems.

As agentic AI becomes a new business norm, robust AI cybersecurity infrastructure is a requirement to mitigate the severe threats that arise from AI malware. 

“Agentic AI is both a powerful force for innovation and a potential risk,” says Chandra Gnanasambandam, EVP of Product and CTO at SailPoint.

“These autonomous agents are transforming how work gets done, but they also introduce a new attack surface. They often operate with broad access to sensitive systems and data, yet have limited oversight. 

“That combination of high privilege and low visibility creates a prime target for attackers.”