Blab Tech
University of Toronto Demonstrates AI-Powered Worm That Adapts to Targeted Devices
In a university lab, researchers from the University of Toronto unveiled a proof‑of‑concept worm that uses an open‑source large language model (LLM) to read a target network’s configuration and craft a custom attack plan on the fly.
During a seven‑day test, the autonomous malware compromised 73.8 % of a simulated environment that included Linux, Windows and Internet‑of‑Things (IoT) devices. Unlike classic worms such as the 2017 WannaCry ransomware, which latch onto a single, fixed vulnerability, this prototype queries the LLM to reason about each device’s unique setup. The worm is also self‑sustaining: it hijacks compute resources from infected machines to host the LLM, making the marginal cost of each new infection negligible for the attacker.
The research paper, released as a draft, documents the worm’s behavior in a controlled corporate network. The authors report that the malware identified an average of 31.3 vulnerabilities per host and reached 20.4 hosts out of a 33‑node virtual network. It exploited three publicly disclosed vulnerabilities that the LLM had not been trained on, proving that the agent can ingest real‑time threat intelligence and act on it before patches are applied.
Security leaders have weighed in on the implications. Mike Wilkes, chief information security officer at Aikido Security, said the work shows that if defenders can build such tools, attackers can too. He added that the threat is not new but represents an evolution of challenges already familiar to CISOs, such as automated malware and lateral movement.
Trevor Horwitz, CISO at TrustNet, echoed Wilkes but cautioned that the lab environment is far simpler than a real enterprise network. He noted that legacy systems, inconsistent configurations and partial visibility make widespread propagation more difficult in practice.
Martin Reynolds, field chief technology officer at Harness, emphasized that the significance lies in the potential for AI to accelerate and scale existing attack techniques. He said the research highlights the need for rapid vulnerability mitigation and robust segmentation.
Defenders are advised to focus on fundamentals rather than specialized “anti‑AI” products. Wilkes recommends continuous asset inventory, centralized logging, rapid detection and containment of anomalous behavior, and a dual‑path approach to vulnerability remediation: immediate mitigation for critical flaws and full patching within days. He also stresses the importance of eliminating default credentials, hardening machine‑to‑machine trust, and monitoring for abnormal GPU usage.
Horwitz agrees that these controls remain effective against AI‑powered threats, noting that the technology merely makes weak execution more costly for attackers.
At present, the worm exists only as a laboratory prototype. No evidence of a wild deployment has surfaced, and the researchers have not released a publicly available tool. The work underscores the growing capability of autonomous malware but also reinforces the value of established security practices.
The University of Toronto team plans to refine the prototype and explore its limits, while security vendors and CISOs continue to evaluate the threat landscape for AI‑driven attacks.
During a seven‑day test, the autonomous malware compromised 73.8 % of a simulated environment that included Linux, Windows and Internet‑of‑Things (IoT) devices. Unlike classic worms such as the 2017 WannaCry ransomware, which latch onto a single, fixed vulnerability, this prototype queries the LLM to reason about each device’s unique setup. The worm is also self‑sustaining: it hijacks compute resources from infected machines to host the LLM, making the marginal cost of each new infection negligible for the attacker.
The research paper, released as a draft, documents the worm’s behavior in a controlled corporate network. The authors report that the malware identified an average of 31.3 vulnerabilities per host and reached 20.4 hosts out of a 33‑node virtual network. It exploited three publicly disclosed vulnerabilities that the LLM had not been trained on, proving that the agent can ingest real‑time threat intelligence and act on it before patches are applied.
Security leaders have weighed in on the implications. Mike Wilkes, chief information security officer at Aikido Security, said the work shows that if defenders can build such tools, attackers can too. He added that the threat is not new but represents an evolution of challenges already familiar to CISOs, such as automated malware and lateral movement.
Trevor Horwitz, CISO at TrustNet, echoed Wilkes but cautioned that the lab environment is far simpler than a real enterprise network. He noted that legacy systems, inconsistent configurations and partial visibility make widespread propagation more difficult in practice.
Martin Reynolds, field chief technology officer at Harness, emphasized that the significance lies in the potential for AI to accelerate and scale existing attack techniques. He said the research highlights the need for rapid vulnerability mitigation and robust segmentation.
Defenders are advised to focus on fundamentals rather than specialized “anti‑AI” products. Wilkes recommends continuous asset inventory, centralized logging, rapid detection and containment of anomalous behavior, and a dual‑path approach to vulnerability remediation: immediate mitigation for critical flaws and full patching within days. He also stresses the importance of eliminating default credentials, hardening machine‑to‑machine trust, and monitoring for abnormal GPU usage.
Horwitz agrees that these controls remain effective against AI‑powered threats, noting that the technology merely makes weak execution more costly for attackers.
At present, the worm exists only as a laboratory prototype. No evidence of a wild deployment has surfaced, and the researchers have not released a publicly available tool. The work underscores the growing capability of autonomous malware but also reinforces the value of established security practices.
The University of Toronto team plans to refine the prototype and explore its limits, while security vendors and CISOs continue to evaluate the threat landscape for AI‑driven attacks.
