A preprint paper published Tuesday by a team from the University of Toronto, the University of Cambridge and elsewhere “outlines a fundamentally new threat: a worm that tailors attack strategies to each target it encounters,” according to the researchers. The paper describes how the team deployed an AI agent to act as a worm in a controlled, isolated network made up of Linux, Windows, and IoT devices and “with common corporate network vulnerabilities,” such as reused passwords. The agent was powered by an anonymous open source LLM.
Why is this insect so dangerous?
Unlike a traditional computer virus, which requires a human to be tricked into, for example, opening a file infected with malware, worms can infect devices entirely by exploiting security vulnerabilities and making copies of themselves along the way. They spread through a shared digital connection, such as a WiFi network, to find other vulnerable devices. And those were before the LLM boom: In 2017, the aptly titled WannaCry worm, allegedly created by government-backed North Korean hackers, spread to hundreds of thousands of devices spread across more than 150 countries. The malware held infected devices hostage until their owners paid a Bitcoin ransom.
The WannaCry fiasco and other worm incidents underlined the vulnerabilities that come with a globally interconnected digital ecosystem. But they could have been stopped relatively easily: WannaCry exploited a single security vulnerability that was quickly patched, ending any further spread. The University of Toronto team’s experimental worm, in contrast, is able to dynamically detect security flaws that are unique to each particular device it infects, thereby using a variety of tactics to propagate through the network.
It also parasitically drains the computing power of the devices, a problem, as the researchers point out in their paper, made more serious by the fact that those devices are now being built to support computationally expensive LLMs. Smartphones and laptops built for AI, in other words, provide abundant food for these types of bugs. “As consumer devices increasingly support LLM inference, the reasoning resources available to such adversaries grow accordingly,” the researchers write in a blog post explaining their work. This means that “every machine connected to the Internet is a potential target – if not for the data it contains, then as a launching pad for the next attack.”
The AI worm runs slower than a traditional worm, because at each point in its propagation path it needs to carefully examine possible points of entry to the next device; The researchers noted that it took about five days to infect half of the devices in the experimental network. But researchers warn that this timeframe will shorten as tools become more adept at making predictions and as AI models improve their ability to detect security flaws.
Cybersecurity professionals have been concerned about AI for years
The paper comes at a worrisome moment for the cybersecurity field, which is already trying to come to grips with the potential impacts of powerful new AI systems that are capable of discovering and exploiting security vulnerabilities on an unprecedented scale. In April, Anthropic announced that it had developed a model called Mythos, which it has gradually introduced to a small group of early testers in a test-and-control effort called Project Glasswing. The goal of that effort is to give the cybersecurity community an opportunity to explore how such a powerful system can be used to strengthen defense more than empower offense. A few weeks after the launch of Mythos, OpenAI launched its own model trained to detect cybersecurity vulnerabilities, called GPT-5.4-Cyber, and similarly shared it only with a limited group of early testers.
In a similar spirit, researchers at the University of Toronto said they have published the paper in hopes of alerting the global cybersecurity community to the new threat. They also noted that they consulted with government and scientific bodies beforehand to assess how best to make their findings available without empowering hackers. Along with the identification of the open source model used to power the worm, other key methodological details were removed from the published paper.
“We shared enough information to make the threat credible enough to warrant scientific investigation, without providing any blueprint that would enable abuse,” they wrote.
<a href