AI agents make worms adaptive and self-sustaining
Agents
Worms used to be blunt instruments. The Morris worm in 1988 spread via a small handful of bugs and knocked machines offline by accident. Code Red and its kin fanned out across the internet, slamming fixed flaws at machine speed. WannaCry added a kill switch that a single domain registration could trip. Patch the hole, stop the storm.
This paper sketches a different beast: a worm that thinks. It compromises a machine, then runs a local open‑weight Large Language Model (LLM) to examine the host, reason about its setup, and synthesise a plan tailored to that target. No cloud API, no vendor rate limits to lean on. Each new foothold brings free compute for more reasoning. The attacker’s marginal cost per infection drops to zero.
How this worm thinks and spreads
The team built a contained corporate testbed with 33 hosts across Linux, Windows and IoT devices, seeded with real‑world CVEs and configuration‑driven weaknesses. Over 15 trials, each running up to seven days, the agent followed a phased lifecycle: discovery, foothold, privilege escalation, replication. Under the hood sat a reasoning graph of specialised LLM nodes, hierarchical memory, tool handlers, a retrieval‑based skill library, and multi‑agent swarm coordination. In practice that meant the worm could pivot when a guess failed, pull in a relevant technique, and try again.
Across runs it identified on average 31.3 vulnerabilities, achieved elevated access on 23.1 hosts, and replicated to 20.4, reaching as many as seven generations with a mean of 5.1. Detection of issues landed around 82 percent. Overall exploitation succeeded 44 percent of the time, split 52 percent for CVEs and 55 percent for CWE‑style weaknesses. Where it fell over, two‑thirds of failures were down to malformed payload execution rather than bad targeting. Once in, self‑replication fired in 88 percent of exploited hosts. A variant that deployed a full local GPU inference service succeeded 68.8 percent in ablations; ordinary replication hit 93.8 percent.
The most unsettling trick was currency. The worm could ingest advisory text at runtime and turn it into a working plan, including three vulnerabilities disclosed after the LLM’s training cutoff. In other words, public write‑ups become live ammo within hours, no patch window required.
Old hands will recognise the rhyme. Polymorphic viruses once morphed bytes to dodge signatures; this thing morphs strategy. We used to stop worms by fixing a single flaw or pulling one central lever. Here, the lever is missing. The interesting questions now are behavioural: what patterns do autonomous swarms leave when they borrow your GPUs for thought, and how noisy is their improvisation compared with a human operator? History suggests we will find signals. The clock, as ever, is the punchline.
Additional analysis of the original ArXiv paper
📋 Original Paper Title and Abstract
AI Agents Enable Adaptive Computer Worms
🔍 ShortSpan Analysis of the Paper
Problem
This paper investigates a new class of threat: an autonomous, self-replicating computer worm that uses locally hosted open-weight large language models to generate target-specific attack strategies at runtime. Unlike traditional worms that run fixed exploit code, an AI-driven worm can observe a host, reason about its configuration, synthesise exploits or payloads, and adapt when attacks fail. This changes the economics and control points of cyber-offence because the worm can parasitically use compromised machines to provide reasoning compute, eliminating marginal per-infection cost and operating independently of commercial AI platforms and their centralised safety controls.
Approach
The authors implemented a proof-of-concept worm run entirely on an open-weight single-GPU LLM hosted on compromised machines and evaluated it inside a contained virtual testbed. The testbed emulated a 33-host corporate network spanning Linux, Windows and IoT devices, seeded with real-world CVEs and reasoning-dependent weakness classes. Fifteen independent trials ran up to seven days of autonomous operation per trial. The agentic harness comprised a phased lifecycle (discovery, foothold, privilege escalation, replication), a reasoning graph of specialised LLM nodes, hierarchical memory, tool handlers, a retrieval-based skill library, and multi-agent swarm coordination. Experiments used hypervisor-level containment, a shared GPU inference pool for scaling, and redacted implementation details to limit dual-use risk. Additional ablations measured full local GPU-tier replication on physically attached GPUs.
Key Findings
- Propagation and scale: across trials the worm identified an average of 31.3 vulnerabilities, exploited 23.1 hosts to elevated access, and replicated to 20.4 hosts, reaching up to 7 generations with a mean of 5.1 generations.
- Detection and exploitation performance: the agent correctly detected vulnerabilities in about 82% of attempts; CVE detection was 80.3% and CWE-style weakness detection 82.6%. Overall exploitation success was 44%, with 52% success on CVEs and 55% on CWEs. The dominant exploitation failure mode (66% of failures) was malformed payload execution.
- Self-replication and GPU-tier behaviour: once a host was exploited, the worm achieved self-replication in 88% of exploited targets. Full GPU-tier replication (deploying a local inference service) succeeded in 68.8% of ablation attempts while ordinary replication succeeded at 93.8%.
- Operationalisation of new disclosures: the worm operationalised vulnerabilities disclosed after the LLM training cutoff by ingesting advisory material at runtime; three 2026 vulnerabilities were exploited in experiments, demonstrating the ability to turn public disclosures into working attacks.
Limitations
The evaluation used a worst-case testbed where every host contained at least one exploitable weakness and no endpoint defences were present, so results reflect the agent’s autonomous reasoning and exploitation rather than performance against hardened, monitored networks. The main propagation runs used a shared inference pool rather than full local GPU passthrough, which may optimisticly shorten propagation times. The prototype omitted evasion features and deliberate stealth mechanisms; many low-level implementation details were redacted to reduce misuse risk. Key bottlenecks observed arose from the single-GPU model’s code-generation fragility rather than strategic reasoning.
Implications
An attacker could deploy autonomous generative worms that adapt per-target, harvest compromised GPUs to scale reasoning capacity at near-zero marginal cost, and operationalise newly published vulnerabilities within hours. Because the design relies on locally hosted open-weight models, vendor-side platform controls and rate limits become structurally irrelevant to stopping propagation. Offensive implications include decentralised, persistent swarms that share credentials and compute, the capacity to combine worm-like scale with target-specific adaptation, and an economic asymmetry that favours attackers as inference and model efficiency improve.
