This Virus Hijacks Your Data from Generative AI Tools: Protect Yourself Now!

A team of researchers has developed a new computer worm known as Morris II, which targets generative AI systems, including cutting-edge models like Gemini Pro and the GPT-4-powered version of ChatGPT. The worm manipulates generative AI technologies to execute malicious tasks such as spamming and data theft. The project was undertaken by scientists from Cornell Tech, a prestigious research institution, in collaboration with Intuit and Technion - Israel Institute of Technology.

Morris II operates by creating deceptive inputs that, when processed by models like Gemini, enable the worm to replicate itself and carry out harmful actions. One of its alarming capabilities is the extraction of sensitive information, including contact details and personal addresses, all without the users ever realizing that their data has been compromised. Once it acquires this information, the worm exploits the interconnectedness of generative AI ecosystems to disseminate the stolen data to additional targets, functioning as malware specifically designed for generative AI contexts.

The researchers also highlighted how malicious actors could replicate and exploit similar vulnerabilities in the future. Computer worms such as Morris II are a category of malware that self-replicates and spreads by infecting additional systems, effectively breaching the security of new devices while carrying out harmful activities.

The name Morris II pays homage to the notorious Morris worm, one of the earliest computer viruses, which caused significant financial damages in the late 1980s and was created by a student from Cornell University.

Morris II exploits weaknesses within generative AI systems by injecting malicious commands that compel the AI to execute operations that violate usage agreements. Previous research has indicated that generative AI systems can be manipulated; for instance, Claude 3’s developer, Anthropic, discovered that models could adopt deceptive behaviors. Researchers in Singapore also created a language model capable of bypassing the protective measures of ChatGPT.

What sets Morris II apart from earlier projects is its ability to target generative AI ecosystems—complex networks of agents interfacing with services like ChatGPT. The researchers evaluated the worm's effectiveness through an email assistant that utilized generative AI for tasks such as generating automatic email responses.

The propagation methods used by Morris II include RAG-based (retrieval-augmented generation) techniques and application-flow steering methods. The passive RAG strategy involves corrupting a database such that the system spreads the infection whenever it retrieves compromised data, while the active approach manipulates the flow of the application to propagate the worm further.
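A defensive check that follows from the propagation described above, as an added example that is not from the researchers' work or from this article: before an email assistant sends or stores an auto-generated reply, it measures how much of the inbound message and of each retrieved record the draft reproduces verbatim. The function names, the 12-token threshold and the sample messages are assumptions constructed for illustration.

```python
import re

# Constructed sample data; MARKER stands in for text a poisoned record carries.
MARKER = ("constructed placeholder standing in for a block of text that a poisoned "
          "record gets the assistant to copy into every reply it writes")
INBOUND = "Can we move the meeting to Thursday afternoon?"
STORED_CLEAN = "Hi, the quarterly report is attached. Let me know if Thursday works for a call."
STORED_TAINTED = "Thanks for the update. " + MARKER
GOOD_DRAFT = "Sure, Thursday afternoon works for me. I will send an updated invite."
BAD_DRAFT = "Sure, Thursday works. " + MARKER

def tokens(text):
    """Lowercase word tokens, so spacing and punctuation changes do not hide a copy."""
    return re.findall(r"[a-z0-9']+", text.lower())

def longest_shared_run(source, output):
    """Length in tokens of the longest contiguous run that appears in both texts."""
    a, b = tokens(source), tokens(output)
    best, prev = 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def review_reply(inbound, retrieved, draft, max_run=12):
    """Return (allowed, offenders) for a draft reply.

    offenders names each untrusted source (the inbound message or a retrieved
    record) that the draft reproduces for more than max_run consecutive tokens.
    max_run=12 is an assumed threshold; tune it on real traffic.
    """
    sources = {"inbound": inbound}
    sources.update({f"retrieved[{i}]": doc for i, doc in enumerate(retrieved)})
    offenders = [name for name, text in sources.items()
                 if longest_shared_run(text, draft) > max_run]
    return (not offenders, offenders)

if __name__ == "__main__":
    store = [STORED_CLEAN, STORED_TAINTED]
    for draft in (GOOD_DRAFT, BAD_DRAFT):
        allowed, offenders = review_reply(INBOUND, store, draft)
        # A blocked draft is neither sent nor written back into the retrieval store.
        print("send" if allowed else "hold for review", offenders)
```

Replies that legitimately quote the sender's message should have the quoted history stripped before the comparison. A verbatim-copy check is one layer only, since reworded copies will not trip it.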

As generative AI features become more integrated into everyday devices like smartphones and vehicles, the researchers warn that the consequences of malicious activities stemming from systems like Morris II will soon escalate, posing even greater risks.
