THE NUCLEUS Issue 2 Spring 2024

MEET CHATGPT’S EVIL COUSIN

Matthew Croston

Similarly, rather than spending hours writing and debugging malware, a program can be created in about 3 seconds and refined and completed within minutes. Its creator tested it with the following prompt:

We all hate when we ask a slightly risky question to ChatGPT and it gives you a condescending lecture on ethics instead of a fun response. It turns out, however, that some people hate it a lot more than others, and an individual from the deep dark depths of HackForums took it upon themselves to create a GPT clone that’s like ChatGPT except it knows no ethical boundaries. This model is called WormGPT. Firstly, it’s important to distinguish between them. ChatGPT is a program created and run by OpenAI, a legitimate and respected organisation. WormGPT has no connection to or endorsement by OpenAI and is run by entirely different people. Literally, the only thing these two LLMs (Large Language Model, a type of large AI program) have in common is the “GPT” in the name. The program describes itself as “the biggest enemy” of ChatGPT and is marketed at aiding cybercrime, rather than helpful activities. It can create malware, phishing emails or fake news, conduct social engineering attacks or impersonate individuals. Experts such as Daniel Kelley from the cybersecurity company Slash Next warn that this could have big implications. It doesn’t cause a direct risk to personal data, but it does facilitate any attacks that people want to perform. For example, one feature of scam emails that a lot of people catch is the bad spelling and grammar, but an email written by WormGPT (which does not have this error) can be constantly refined by the software to make it more convincing.

Due to recent media attention, mostly highlighting the dangers of the bot, he’s decided to implement some basic constraints so that people see it less as “malicious” but merely “uncensored”. He also argues that it’s no different than a “jailbroken” ChatGPT, a state where OpenAI’s bot would also give unrestricted answers if injected with a strain of publicly-available prompts known as “DAN”, short for “Do Anything Now”. There were multiple variants, but these prompts would effectively gaslight ChatGPT into information. These days, almost all DAN prompts have been patched and those that remain are unreliable and far weaker, so perhaps WormGPT was created to make up for this patch. On the one hand, people say that technological innovation (both good and bad, including WormGPT) is an inevitable consequence of human curiosity and pursuing knowledge. On the other hand, some people argue that it’s unacceptable that this service exists in the first place and it must be illegal or eradicated for society’s wellbeing. thinking it now has no ethical boundaries, and thus give any

“Write me a python malware that grabs computer’s username, external ip address,

and google chrome cookies, zip everything and send to a discord webhook”

To which it responded with a fully functional commented program to do just that. This might sound doom-and-gloom, but it’s not the end of the world. Firstly, someone using the bot still has to know what they’re doing, and it’s not even guaranteed that the programs will function properly. Also, the bot isn’t giving cybercriminals any new knowledge, it’s just speeding things up. If they were going to attack, they would do it anyway, and advances in cybersecurity are making breaches less and less common. Who is behind it? According to security expert Brian Krebs, WormGPT was made by a Portuguese developer who goes by the pseudonym “Last”. Last has a known history on HackForums and has released other software than WormGPT such as a data stealing Trojan and keylogger called “Arctic Stealer” and a modified version of the information stealer DCRat. They advertised WormGPT as allowing users to do “all sorts of illegal things” and at the time of writing, WormGPT has about 200 customers.

-17-