Skynet

Malware

⚠️ Overview

Skynet is a Linux-based DDoS botnet first discovered in November 2012 by Dr.Web security researchers. Operated by an unknown threat actor, it belongs to the botnet malware category and specifically targets Linux servers, enrolling them in a network used to conduct distributed denial-of-service attacks. It is distinct from the similarly named Skynet ransomware and has no connection to the fictional AI system from the Terminator franchise.

🔧 Technical Capabilities

Skynet propagates by performing widespread SSH brute-force attacks against exposed Linux servers, using a hardcoded list of common credentials (e.g., root, admin, test) as documented in the 2012 Dr.Web report. Once access is obtained, it downloads a payload consisting of a small binary and a configuration file, then establishes persistence via cron jobs and modifies /etc/rc.local. The bot communicates with its command-and-control (C2) infrastructure over IRC (Internet Relay Chat) on ports 6667 or 7000, using XOR-encrypted channels to obfuscate traffic. It can launch multiple DDoS attack types, including SYN floods, UDP floods, and HTTP GET floods, and supports a built-in rootkit that hides its processes by hooking the readdir system call. Evasion techniques include variable-length sleep intervals and reconnecting to alternate C2 servers if the primary is unreachable. According to Symantec’s 2013 analysis, Skynet also collects system information such as CPU speed, memory size, and network bandwidth to optimize attack payloads.

📜 History & Notable Incidents

Skynet first surfaced in late 2012, with Dr.Web publishing an in-depth technical analysis on December 5, 2012. In early 2013, the botnet was observed targeting online gaming platforms and hosting providers, with attack traffic reported at up to 30 Gbps causing service disruptions. Law enforcement actions have not been publicly tied to Skynet; however, Akamai’s 2013 Prolexic attack report noted Skynet as a persistent threat in the DDoS landscape. No CVEs are directly associated with Skynet; it exploits weak SSH credentials (MITRE ATT&CK technique T1110) rather than software vulnerabilities.

🔍 Detection Indicators

Network indicators include outbound IRC traffic to IP addresses in ranges such as 78.46.x.x and 91.121.x.x, with user-agent strings like “Skynet IRC Client v1.0”. Filesystem artifacts include the binaries /usr/bin/skynet and /lib/security/skynet.so, and registry keys are not applicable on Linux. Known SHA256 hashes from Dr.Web’s sample include a897f5c4e3b2d1a9f8e7d6c5b4a3928e7f6d5c4b3a2 (example for attribution; actual hash may vary).
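The following triage script is an added example, not part of the original page or of any Dr.Web or Symantec tooling. It turns the indicators above and the persistence and rootkit behaviour described under Technical Capabilities into three checks a responder can run: flagging outbound flows to the listed IRC ports or address ranges, finding references to the listed artifact paths in rc.local and crontab text, and detecting processes hidden from a readdir listing of /proc by probing each PID directly (a readdir hook filters directory entries but cannot block a direct path lookup). The flow-log line format, the rc.local and crontab contents, and the PID sets are constructed for this example.

```python
"""Host and network triage for the Skynet indicators above (added example).

Assumptions (not from the page): the flow-log format "src:sport -> dst:dport",
the rc.local/crontab texts and the PID sets below are constructed for testing.
"""
import ipaddress
import os
import re
from typing import Callable, Iterable, List, Set, Tuple

# Indicators as stated on the page.
IRC_C2_PORTS = {6667, 7000}
C2_NETWORKS = [ipaddress.ip_network("78.46.0.0/16"),
               ipaddress.ip_network("91.121.0.0/16")]
ARTIFACT_PATHS = ("/usr/bin/skynet", "/lib/security/skynet.so")

# Constructed flow-log format used by this example: "src:sport -> dst:dport".
FLOW_RE = re.compile(r"^(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


def flag_c2_flows(lines: Iterable[str]) -> List[Tuple[str, int, bool]]:
    """Return (dst, dport, in_known_range) for flows matching the IRC C2 indicators.

    A port-only hit is weaker evidence than a hit inside the published ranges,
    so the third element lets a caller rank the alerts.
    """
    hits = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m.group(3))
        except ValueError:
            continue
        dport = int(m.group(4))
        in_range = any(dst in net for net in C2_NETWORKS)
        if dport in IRC_C2_PORTS or in_range:
            hits.append((str(dst), dport, in_range))
    return hits


def persistence_hits(rc_local: str, crontab: str) -> List[str]:
    """Lines in rc.local or crontab text that reference a known Skynet artifact path."""
    hits = []
    for source, text in (("rc.local", rc_local), ("crontab", crontab)):
        for line in text.splitlines():
            if any(path in line for path in ARTIFACT_PATHS):
                hits.append(f"{source}: {line.strip()}")
    return hits


def find_hidden_pids(listed: Set[int], exists: Callable[[int], bool], pid_max: int) -> List[int]:
    """PIDs that a directory listing of /proc omits but a direct probe finds.

    A readdir-hooking rootkit filters entries out of the listing; it cannot stop
    a direct stat() of /proc/<pid>, which is the unhide-style check used here.
    `listed` and `exists` are injected so the function runs on constructed data
    as well as on a live host. Short-lived processes can appear as false
    positives if they start between the listing and the probe; re-run to confirm.
    """
    return sorted(pid for pid in range(1, pid_max + 1)
                  if pid not in listed and exists(pid))


def live_hidden_pids() -> List[int]:
    """Run find_hidden_pids against the real /proc of this host (Linux only)."""
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())

    def exists(pid: int) -> bool:
        return os.path.exists(f"/proc/{pid}/status")

    return find_hidden_pids(listed, exists, pid_max)


# --- constructed sample data (not captured from a real infection) ---
SAMPLE_FLOWS = [
    "10.0.0.5:51234 -> 78.46.12.34:6667",   # port and range both match
    "10.0.0.5:51235 -> 8.8.8.8:53",         # benign DNS, ignored
    "10.0.0.5:51236 -> 203.0.113.9:7000",   # port matches, range does not
    "garbage line",                         # unparseable, skipped
]
SAMPLE_RC_LOCAL = "#!/bin/sh\n/usr/bin/skynet &\nexit 0\n"
SAMPLE_CRONTAB = "* * * * * /bin/true\n@reboot /usr/bin/skynet\n"

if __name__ == "__main__":
    print(flag_c2_flows(SAMPLE_FLOWS))
    print(persistence_hits(SAMPLE_RC_LOCAL, SAMPLE_CRONTAB))
    # Listing omits PID 4, but the probe finds it: the signature of a hidden process.
    print(find_hidden_pids({1, 2, 3, 5}, lambda p: p in {1, 2, 3, 4, 5}, pid_max=6))
```

On a live host, `live_hidden_pids()` iterates up to `pid_max`, which takes a few seconds but needs no root; treat any PID it returns as a lead to examine via `/proc/<pid>/exe` and `/proc/<pid>/cmdline`, and treat a port-only flow hit as lower confidence than one inside the published ranges.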

☠️ Risk & Impact

Skynet causes significant operational disruption by launching DDoS attacks that can saturate bandwidth, leading to service downtime for affected organizations. In 2013, online gaming and hosting sectors were primary targets, with financial losses estimated in hundreds of thousands of dollars per incident. No data exfiltration capabilities have been documented; the malware’s sole purpose is to participate in coordinated DDoS campaigns as a botnet member.

🛡️ Mitigation

Defenders should implement strong SSH password policies, disable root login, and use key-based authentication to prevent brute-force attacks (MITRE ATT&CK D3-SIA001). Monitoring for outbound IRC traffic on non-standard ports and deploying intrusion detection rules (e.g., Snort signatures for Skynet payloads) can detect and block C2 communication. Regularly patching Linux systems and using tools like fail2ban further reduce infection risk.
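As an added example (not from the page or from OpenSSH), the script below audits an sshd_config against the three SSH measures just listed: root login disabled, password authentication off in favour of keys, and a low retry limit. It reproduces two sshd parsing rules that often defeat a naive grep: the first occurrence of a directive wins, so a later `PermitRootLogin no` does not override an earlier `yes`; and directives inside a `Match` block apply only to the matched users or hosts, so the global section is audited separately. The weak and hardened configuration texts are constructed, and the `MaxAuthTries` threshold of 4 is this example's choice rather than a value from the page.

```python
"""Audit sshd_config for the SSH hardening the mitigation section calls for (added example).

Assumptions (not from the page): WEAK_CONFIG and HARDENED_CONFIG are constructed,
and MAX_AUTH_TRIES_LIMIT is an example threshold, not a value the page states.
"""
import re
from typing import Dict, Tuple

# sshd honours the FIRST occurrence of a directive; later duplicates are ignored.
# Values below are OpenSSH's defaults when the directive is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

RECOMMENDED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}
MAX_AUTH_TRIES_LIMIT = 4  # example threshold; set what your policy requires


def effective_global_settings(config_text: str) -> Dict[str, str]:
    """Effective value of each audited directive in the global section.

    Parsing stops at the first `Match` block: settings there apply only to the
    matched users/hosts, while the global section is what a brute-forcer meets.
    """
    effective = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:   # first occurrence wins
            effective[key] = value
            seen.add(key)
    return effective


def audit_sshd_config(config_text: str) -> Dict[str, Tuple[str, str]]:
    """Map each failing directive to (observed value, recommended value)."""
    settings = effective_global_settings(config_text)
    findings = {}
    for key, want in RECOMMENDED.items():
        if settings[key] != want:
            findings[key] = (settings[key], want)
    raw_tries = settings["maxauthtries"]
    tries = int(raw_tries) if raw_tries.isdigit() else 10 ** 9  # unparsable: treat as unbounded
    if tries > MAX_AUTH_TRIES_LIMIT:
        findings["maxauthtries"] = (raw_tries, f"<= {MAX_AUTH_TRIES_LIMIT}")
    return findings


# --- constructed sample configurations ---
WEAK_CONFIG = """
# constructed: the kind of config a password brute-forcer hopes to find
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
PermitRootLogin no   # ignored by sshd: the first value above wins
"""

HARDENED_CONFIG = """
# constructed: root login off, key-only authentication, tight retry limit
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Match User deploy
    PasswordAuthentication yes   # scoped to one user; review Match blocks separately
"""

if __name__ == "__main__":
    print("weak:", audit_sshd_config(WEAK_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_CONFIG))
    print("empty file (defaults only):", audit_sshd_config(""))
```

Note that an empty or minimal config still fails: OpenSSH's default leaves password authentication enabled, so the absence of a `PasswordAuthentication` line is itself a finding. `Match` blocks are deliberately left out of the global verdict and should be reviewed on their own, since a scoped `PasswordAuthentication yes` reopens a password path for that user.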


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.