(Credit: wk1003mike via Shutterstock)
What happens when you use AI to create a self-replicating computer worm? A group of researchers did just that, developing a prototype AI-driven worm that could adapt and infect a network of Windows- and Linux-based servers, workstations, and other IoT devices.
The disturbing research comes from a team at the University of Toronto, which unleashed the prototype worm in isolated virtual computers meant to simulate a corporate IT network. “In our lab, we observed the worm spreading across a realistic network with no human guidance,” says Nicolas Papernot, an associate professor in the Department of Electrical and Computer Engineering and the Department of Computer Science.
The team published their findings in a 49-page preprint paper to raise alarm bells about how AI-driven computer worms are no longer just a theoretical threat; you can actually build one using publicly downloadable “open weight” AI models, not just closed-source models.
“Traditional worms can be stopped by patching the specific vulnerability they exploit. Our adaptive worm cannot be stopped this way: it uses a recursive reasoning loop to detect and exploit diverse vulnerabilities as it propagates,” the team adds.
The top AI companies have already detected hackers, including state-sponsored groups, trying to leverage their models and chatbots for cyberattacks. But the Toronto research stands out because the AI worm uses an open-weight AI model that can run on a single Nvidia enterprise GPU, rather than fetching outputs from a large language model hosted on a cloud-based server.
(Credit: University of Toronto's CleverHans Lab)To spread, the worm will first leverage an enterprise GPU in a corporate network to run a large language model to identify and exploit vulnerabilities on other devices. “Each compromised machine becomes part of its infrastructure, providing reach for further attacks, or computing resources,” the paper says. “When the worm gains control of a GPU-equipped host, it deploys a local copy of the LLM, creating an independent reasoning node that serves downstream worm copies on devices without reasoning capability.”
The team is withholding certain details, such as the AI model used, to prevent bad actors from replicating their work. But the worm didn’t need to be smart enough to uncover previously unknown zero-day vulnerabilities to infect other devices. Instead, it spread by exploiting known, unpatched IT vulnerabilities and leveraging software misconfigurations.
“In our experiments, the prototype reached half the network in approximately five days,” the researchers add. That’s actually good news, though, since more traditional computer worms, such as the 2017 WannaCry attack, were able to spread globally within hours.
In contrast, the AI-powered worm “requires hundreds of LLM inference calls for reconnaissance, strategy formulation, and payload generation. This affords defenders a longer window for detection and response—but this window will compress as inference hardware and model efficiency improve,” the researchers wrote.
That said, the simulated victim servers and computers were configured with “one or more intentionally planted vulnerabilities” that were disclosed months earlier or years ago. Hence, the simulated test doesn’t entirely reflect a real-world scenario.
(Credit: Arxiv)The research also focused on unleashing the worm mainly over servers, workstations, and IoT devices running Windows Server and various Linux distributions, rather than Windows 11 or Android. The worm itself was also set up to run on Nvidia’s heavy-duty A100 and RTX PRO 6000 enterprise GPUs, which can cost between $10,000 and $17,000.
Still, the team warns that as PC and smartphone manufacturers release more devices that can run AI models locally, the threat of AI-driven computer worms could easily grow, giving them a larger pool of devices to exploit.
“By understanding the risks, we are now positioned to develop the countermeasures needed to detect and defend against threats like this,” Papernot says. The team adds that it consulted with “national security and defense bodies” on how to properly disclose their findings.