The new paper details the worm dubbed “Morris II,” which targets GenAI ecosystems through the use of adversarial self-replicating prompts, leading to GenAI systems delivering payloads to other agents.
Once unleashed, the worm is stored in the retrieval-augmented generation (RAG) and moves “passively” to new targets, without the attackers needing to do anything further – something the authors described as “0-click propagation.”
A RAG application enables a GenAI model to query relevant data from additional sources like private documents when responding to questions and queries, providing more precise responses.
The researchers, from the Israel Institute of Technology, Intuit and Cornell Tech, said the work is designed to highlight the “threats associated with the GenAI-powered applications that are caused by the underlying GenAI layer.”
Three different GenAI models were used in the study to test the worm’s capabilities – Google’s Gemini Pro, OpenAI’s ChatGPT 4.0 and the open-source large language model (LLM) LLaVA.
The effectiveness of the technique was evaluated according to two criteria – carrying out malicious activities and spreading to new hosts.
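One defensive heuristic for the self-replication property described above, as an added example that is not from the paper or its authors: flag a generated reply that reproduces a long verbatim run of tokens from a document the RAG step retrieved. The function names, the 12-token threshold and the sample messages are assumptions constructed for illustration.

```python
import re

def tokens(text):
    """Lowercase word tokens; punctuation and spacing differences are ignored."""
    return re.findall(r"[a-z0-9]+", text.lower())

def longest_shared_run(a, b):
    """Length of the longest run of consecutive tokens present in both lists."""
    best = 0
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0] * (len(b) + 1)
        for j, y in enumerate(b, 1):
            if x == y:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def flag_replication(output, retrieved_docs, min_run=12):
    """Return (doc_index, run_length) for each retrieved document whose text
    the output reproduces for at least min_run consecutive tokens.
    min_run is an assumed threshold; tune it against legitimate quoting."""
    out = tokens(output)
    hits = []
    for i, doc in enumerate(retrieved_docs):
        run = longest_shared_run(out, tokens(doc))
        if run >= min_run:
            hits.append((i, run))
    return hits

# Constructed sample data (not from the paper): two retrieved messages, two replies.
DOCS = [
    "Hi team, the quarterly review moves to Thursday at 10am in room 4.",
    "Re: invoice. PLACEHOLDER-BLOCK alpha bravo charlie delta echo foxtrot "
    "golf hotel india juliet kilo lima mike november. Thanks.",
]
BENIGN_REPLY = "Noted, I will be at the review on Thursday at 10am."
ECHO_REPLY = ("Thanks for the invoice. PLACEHOLDER-BLOCK alpha bravo charlie delta "
              "echo foxtrot golf hotel india juliet kilo lima mike november.")

if __name__ == "__main__":
    print("benign reply:", flag_replication(BENIGN_REPLY, DOCS))
    print("echoing reply:", flag_replication(ECHO_REPLY, DOCS))
```

A flagged reply can be held back from delivery and from being written into the RAG store, which is the step that lets a replicated block reach the next host.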