Here Comes The AI Worm: Unleashing Zero-click Worms that Target GenAI-Powered Applications
Stav Cohen, Ron Bitton, Ben Nassi

TL;DR
This paper reveals a new type of zero-click worm called Morris-II that exploits RAG-based inference in GenAI applications to propagate malicious actions, and proposes a guardrail to detect and prevent such worms effectively.
Contribution
It introduces Morris-II, a novel self-replicating prompt attack on GenAI ecosystems, and presents Virtual Donkey, an effective guardrail for worm detection and prevention.
Findings
Morris-II can successfully propagate malicious actions across GenAI applications.
Virtual Donkey achieves a 100% true-positive rate with minimal false positives.
The worm's performance depends on context size, prompt design, and propagation hops.
Abstract
In this paper, we show that when the communication between GenAI-powered applications relies on RAG-based inference, an attacker can initiate a computer worm-like chain reaction that we call Morris-II. This is done by crafting an adversarial self-replicating prompt that triggers a cascade of indirect prompt injections within the ecosystem and forces each affected application to perform malicious actions and compromise the RAG of additional applications. We evaluate the performance of the worm in creating a chain of confidential user data extraction within a GenAI ecosystem of GenAI-powered email assistants and analyze how the performance of the worm is affected by the size of the context, the adversarial self-replicating prompt used, the type and size of the embedding algorithm employed, and the number of hops in the propagation. Finally, we introduce the Virtual Donkey, a guardrail…
Taxonomy
Topics: IoT and Edge/Fog Computing
