Summary
- Researchers unveiled an AI-based worm capable of detecting vulnerabilities, creating attack strategies, and autonomously propagating through networks.
- The malware runs open-weight models directly on infected systems rather than relying on cloud computing.
- The study indicates that AI-fueled cyber threats are now a reality, not just theoretical.
Recent advancements in AI agents may be paving the way for a fresh cybersecurity challenge: self-adaptive computer worms that can devise attack strategies in real time and spread autonomously, according to new research findings.
The research paper, authored by experts from the University of Toronto, Vector Institute, University of Cambridge, and ServiceNow, introduces a proof-of-concept AI worm that identifies vulnerabilities, formulates customized attack paths, compromises systems, and replicates itself across networks while adjusting its tactics based on different targets.
“We must prepare for autonomous generative adversaries,” the researchers emphasized. “Malware systems that spread without human intervention and are characterized not by fixed exploit code, but by the ability to analyze targets, adapt to circumstances, and synthesize attack logic on the fly.”
A computer worm is self-replicating malware that spreads automatically across vulnerable networks. Notable worm outbreaks, such as the ILOVEYOU virus in 2000 and the WannaCry ransomware in 2017, have infected millions globally, disrupting essential services and causing billions in damages.
Recently, the Shai-Hulud malware illustrated how self-propagating attacks can proliferate online, affecting software utilized by major firms, including OpenAI and Mistral.
The study says that what distinguishes the AI worm from earlier worms is its ability to adapt to different targets. It employs a large language model to uncover vulnerabilities and generate real-time attack strategies, rather than relying on a static set of exploits.
“Conventional worms, like WannaCry, exploited pre-defined vulnerabilities, and their spread can be halted by fixing those vulnerabilities,” the researchers stated. “Here, we demonstrate that AI agents present a fundamentally new risk: a worm that formulates customized attack strategies for each target it encounters.”
In their research, the team evaluated the worm within an isolated virtual network comprising 33 Linux, Windows, and IoT systems, all containing common vulnerabilities. Across 15 trials, the worm detected an average of 31.3 vulnerabilities, successfully compromised 23.1 hosts, and spread to approximately 20 machines over a week of autonomous operation.
In specific tests, the malware achieved up to seven generations of self-replication, and unlike many AI applications, it did not rely on access to cloud-based AI services.
The malware executed AI models directly on compromised devices, transforming infected machines into components of its computing infrastructure. As it expanded, the system was able to exploit vulnerabilities disclosed after the model's training period by processing new security advisories in real time, enabling it to adapt with information not originally included in its training data.
While the experiments were conducted in a controlled setting, the authors recognized the potential dual-use nature of their findings and intentionally omitted certain technical specifics to mitigate misuse risks.
“Before publishing this preprint, we modified the manuscript to ensure that the presentation of our method strikes a balance between providing sufficient detail for the community to analyze this new threat and minimizing the risk of malicious actors utilizing our method to create malware,” they remarked.
Nonetheless, the researchers emphasized that the purpose of this study is to enhance the understanding of the risks associated with adaptive computer worms and to illustrate the advancements made in AI-enabled cyber capabilities.
“Addressing this threat will necessitate coordinated efforts across research, security, industry, and policy sectors: frameworks for evaluating harness-level capabilities, detection systems adapted to the behavioral patterns of autonomous agents, and regulatory measures that consider the decentralized nature of open-weight inference,” they concluded.
