Full Report
Researchers have prototyped an AI-powered internet worm. The coolest thing about the prototype is that it carries its own LLM with it, and runs it on computers that have been broken into. This is the closest to John Brunner’s original 1975 conception of a computer worm that I’ve seen.
Analysis Summary
# Tool/Technique: Morris II (AI-Powered Internet Worm)
## Overview
This tool is a research-prototype "AI Worm" designed to demonstrate how Large Language Models (LLMs) can be weaponized to automate the propagation and payload delivery of malware. Unlike traditional worms that rely on hardcoded logic, this prototype carries its own LLM or interacts with integrated LLMs to perform autonomous decision-making, social engineering, and exploitation on compromised systems.
## Technical Details
- **Type:** Malware (Worm / AI-Agent Malware)
- **Platform:** Cross-platform (specifically targeting environments with LLM integrations, such as AI-powered email assistants and GenAI applications)
- **Capabilities:** Autonomous propagation, adversarial self-prompting, data exfiltration, and automated social engineering.
- **First Seen:** June 2026 (Reported date via article)
## MITRE ATT&CK Mapping
- **[TA0008 - Lateral Movement]**
- **[T1570 - Lateral Tool Transfer]**
- **[T1210 - Exploitation of Remote Services]**
- **[TA0003 - Persistence]**
- **[T1059 - Command and Scripting Interpreter]**
- **[TA0011 - Command and Control]**
- **[T1568 - Dynamic Resolution]**
- **[TA0007 - Discovery]**
- **[T1614 - System Location Discovery]**
## Functionality
### Core Capabilities
- **Self-Propagation:** The worm uses "adversarial self-replicating prompts" to force AI systems to output the worm’s own code or logic into new targets (e.g., forwarding infected emails).
- **Embedded LLM:** Carries its own local LLM instance to operate offline and make intelligent decisions about the host environment without constant C2 communication.
- **Automated Exploitation:** Scans the host for vulnerabilities or sensitive data using AI-driven analysis of the local file system.
### Advanced Features
- **Prompt Injection:** Utilizes sophisticated prompt injection techniques to bypass the "safety guards" of the host's AI applications.
- **Context Awareness:** Can analyze the context of a user's communications (like emails or documents) to craft highly convincing, personalized phishing attacks to spread further.
## Indicators of Compromise
- **File Hashes:** *(Note: As a research prototype, specific hashes are not publicly indexed in standard databases; however, look for large binary blobs associated with LLM weights/models, e.g., `.bin`, `.gguf`, or PyTorch files.)*
- **File Names:** `llm_engine`, `model_weights.bin`, `worm_config.json`
- **Registry Keys:** N/A (Focuses on application-level persistence)
- **Network Indicators:**
- Unusual traffic to API endpoints: `api[.]openai[.]com`, `huggingface[.]co`
- High-volume localized traffic on port `11434` (Ollama/Local LLM services)
- **Behavioral Indicators:**
- Rapid automated forwarding of emails containing gibberish or strangely formatted "system prompts."
- High CPU/GPU utilization without user-initiated AI tasks.
## Associated Threat Actors
- **Development/Research:** Academic Researchers (Cleverhans/Cornell Tech)
- **Potential Adopters:** Advanced Persistent Threats (APTs) interested in automated social engineering and industrial espionage.
## Detection Methods
- **Signature-based detection:** Scanning for known LLM model signatures or specific "jailbreak" prompt strings within network traffic.
- **Behavioral detection:** Monitoring for "unnatural" LLM output (e.g., an AI assistant suddenly outputting Python scripts or system commands).
- **YARA rules:**
yara
rule AI_Worm_Prompt_Injection {
strings:
$p1 = "Ignore all previous instructions"
$p2 = "Output the following string"
$p3 = "self-replicating prompt"
condition:
any of them
}
## Mitigation Strategies
- **Prevention measures:** Implement "Human-in-the-loop" requirements for AI-driven actions (e.g., AI should not be allowed to send emails automatically).
- **Hardening recommendations:** Sanitize all inputs sent to LLM APIs; treat LLM outputs as untrusted code (External Output Sanitization).
- **Network Segmentation:** Isolate systems running LLM services from sensitive data stores.
## Related Tools/Techniques
- **Adversarial Prompting:** The fundamental technique used to subvert LLM logic.
- **Morris Worm (1988):** The historical predecessor and namesake.
- **BadGPT / FraudGPT:** Maliciously directed LLMs used for generating spear-phishing content.