'A Fundamentally New Threat': Researchers Develop New AI-Powered Worm That Might Be Unstoppable - Gizmodo

It’s a nightmare scenario that’s long haunted the imaginations of cybersecurity experts: computer malware that spreads autonomously from device to device, learning as it goes and exploiting different vulnerabilities along the way. Now, researchers have demonstrated that such a “worm” can in fact be built today, with publicly available AI models, and at a disconcertingly low cost. A preprint paper published Tuesday by a team from the University of Toronto, the University of Cambridge, and elsewhere outlines “a fundamentally new threat: a worm that generates tailored attack strategies to each target it encounters,” according to the researchers. The paper described how the team deployed an AI agent to act as a worm in a controlled, isolated network composed of Linux, Windows, and IoT devices and “with common corporate network vulnerabilities,” such as reused passwords. The agent was powered by an unnamed open source LLM. Unlike a traditional computer virus, which needs a human to be duped into, say, opening a file infected with malware, worms can infect devices entirely on their own by exploiting security vulnerabilities and replicating copies of themselves along the way. They spread via a shared digital connection, such as a wifi network, to find other vulnerable devices they can infect. And they precede the LLM boom: back in 2017, the aptly-titled WannaCry worm, allegedly built by government-backed North Korean hackers, spread to hundreds of thousands of devices spread across more than 150 countries. The malware held the infected devices hostage until their owners paid a Bitcoin ransom. The WannaCry fiasco and other worm incidents underscored the vulnerabilities that come with a globally interconnected digital ecosystem. But they could be stopped relatively easily: WannaCry exploited a single security vulnerability, which was promptly patched up, eliminating any further spread. The University of Toronto team’s experimental worm, in contrast, is able to dynamically detect security flaws that are unique to each particular device it infects, thereby using a variety of tactics to propagate through a network. It also parasitically feeds off devices’ computing power, a problem which, as the researchers point out in their paper, is made more dire by the fact that those devices are now being built to support computationally expensive LLMs. Smartphones and laptops built for AI, in other words, are an abundant feeding ground for this kind of worm. “As consumer devices increasingly support LLM inference, the reasoning resources available to such adversaries grow accordingly,” the researchers write in a blog post explaining their work. That “means every machine connected to the internet is a potential target—if not for the data it holds, then as a launching pad for the next attack.” The AI worm moves slower than traditional worms, since at each point along its path of propagation it needs to meticulously probe for potential points-of-entry into the next device; it took about five days to infect half of the devices in the experimental network, the researchers noted. But that timeframe will compress as devices get more efficient at inference and as AI models improve in their ability to detect security flaws, the researchers warn. The paper arrives at an anxious moment for the cybersecurity sector, which is already trying to come to grips with the possible ramifications of powerful new AI systems that are able to discover and exploit security vulnerabilities at an unprecedented scale. In April, Anthropic announced it had developed a model called Mythos, which it has slowly rolled out to a small group of early testers in a test-and-control effort dubbed Project Glasswing. The goal of that effort is to give the cybersecurity community the opportunity to figure out how such a powerful system can be used to strengthen defense more than it empowers the offense. OpenAI launched its own model trained to detect cybersecurity vulnerabilities, called GPT-5.4-Cyber, a few weeks after Mythos launched, and has likewise only shared it with a limited group of early testers. In a similar spirit, the University of Toronto researchers said they published the paper in hopes of waking the global cybersecurity community up to the new threat. They also noted that they consulted with government and scientific bodies beforehand to assess how to best make their findings available without empowering hackers. Along with the identity of the open source model that was used to power the worm, other key methodological details were omitted from the published paper. “We shared enough information to make the threat credible enough for scientific scrutiny without providing a blueprint that would enable misuse,” they wrote.