This Virus Steals Your Data from Generative AI Tools

A group of researchers has created a computer virus capable of exploiting generative AI systems including Gemini Pro and the GPT-4-powered version of ChatGPT.

Morris II is a worm that manipulates generative AI models to carry out malicious tasks, including spamming and stealing confidential data. It was created by scientists from Cornell Tech, a research center of the Ivy League university, Intuit and Technion - Israel Institute of Technology.

Morris II crafts inputs that when processed by models like Gemini, replicate themselves and perform malicious activities.

The worm is capable of extracting sensitive information such as contact information and addresses – and the users are not even aware of their data being stolen.

The worm then encourages the AI system to deliver them to new agents by exploiting the connectivity within the Gen AI ecosystem. It is, in effect, malware for generative AI.

The researchers also demonstrate how bad actors could build and exploit similar systems.

Worms spread like germs

Computer worms are a type of malware. Worms can replicate themselves and spread by compromising new machines while also exploiting those systems to conduct malicious activity.

Morris II is named after the infamous Morris worm, one of the oldest computer viruses in the world that cost tens of thousands of dollars in damages in the late 1980s. The original Morris was made by a Cornell student.

Related:CISOs’ Most Common Concerns with Generative AI

Morris II exploits loopholes in an AI system, injecting malicious commands to instruct the AI to conduct tasks that breach the system’s usage agreements.

Other research work has shown how generative AI systems can be manipulated. Claude 3 developer Anthropic found models can learn deceptive behaviors. And researchers in Singapore created an LLM that can breach ChatGPT guardrails.

The Morris II worm differs from prior projects in that it is capable of targeting ‘Gen AI ecosystems’ – or interconnected networks of agents that interface with services like ChatGPT.

The researchers evaluated the worm on an email assistant that ran through generative AI services for tasks like generating automatic responses to emails.

Morris II uses both RAG-based (passive) and application-flow-steering (active) methods for propagation. Passive relies on poisoning a database to spread when the system retrieves the infected data, while the active method involves manipulating the application's flow to propagate the worm.

The researchers warn that the impact of the malicious activity from systems like Morris II “will be more severe soon” as generative AI features are integrated into smartphones and cars.

Related:Google Says AI Will Help Defenders More Than Hackers. Here’s How.