Researchers have tested Morris II, an AI-powered worm that infiltrates email systems to read content and disseminate malware without user interaction.
This new breed of “zero-click malware” poses a significant cybersecurity threat as it can deceive AI systems such as ChatGPT and Gemini into unauthorized actions.
Dubbed Morris II by researchers , the new AI worm is engineered to exploit vulnerabilities in AI-powered applications, particularly those utilizing popular tools like OpenAI’s ChatGPT and Google’s Gemini.
Ben Nassi from Cornell Tech, Stav Cohen from the Israel Institute of Technology, and Ron Bitton from Intuit created this worm to assess if attackers can develop malware to exploit the GenAI component of an agent to launch cyber-attacks.
The worm leverages these platforms to penetrate email assistants, siphoning off personal data and initiating spam campaigns. Its design allows it to bypass traditional cybersecurity measures that rely on user action to trigger malware infections.
One of the most alarming features of Morris II is its self-replicating capability, enabling it to spread autonomously across networks. This mechanism is activated by generative AI tools, which inadvertently facilitate the worm’s replication and malicious activities.
The researchers’ demonstration highlights the worm’s ability to infiltrate and leverage GenAI-powered email systems, showcasing its potential to execute widespread cyberattacks without direct human oversight.
Morris II, named after the infamous Morris worm , was devised by Cornell student Robert Morris in 1988. This early malware aimed to expose security flaws but created the first major internet attack.
“We are currently under attack,” wrote a University of California, Berkeley student.
Although intended as a demonstration, the programming error led to widespread network congestion and system failures, leading to Morris’s conviction under the Computer Fraud and Abuse Act.
The White House Office of the National Cyber Director released a report in February 2024, calling on the technical community to reduce the attack surface in cyberspace.
“This report was created for engineers by engineers because we know they can make the architecture and design decisions about the building blocks they consume – and this will have a tremendous effect on our ability to reduce the threat surface, protect the digital ecosystem and ultimately, the Nation.” said Anjana Rajan, Assistant National Cyber Director for Technology Security.
Technology companies such as Microsoft, Apple, and OpenAI face increasing regulatory scrutiny as Big Tech continues to battle for AI dominance.