Facebook botnets

Posted by Lance Ivy on Sun, 07 Sep 2008 03:33:00 GMT

Wired has an article about a proof-of-concept Facebook botnet. They also have Facebook’s response, which is pathetic and naive:

> Facebook downplayed the attack, saying that any developer that could figure out how to make a successful application would make money other ways.

Seriously? Are you saying that botnets are run by unsuccessful developers? Try again. Are you saying that DDoS can’t be profitable? One word: blackmail.

> But Facebook spokesman Barry Schnitt disputes the economics of the attack.
>
> “As a practical matter, it is not that easy to get an application with millions of users,” Schnitt said. “Why wouldn’t you get venture capital or make money with ads rather than use it to take down a website?”
>
> The researchers chose to point the hidden attack at their own server, of course—but were surprised that more than 1,000 Facebook users installed the application, even though they only mentioned it to friends.
>
> That led to a peak of 300 requests per hour and on its peak day, the traffic went above 6 Mbits per second.

They weren’t even trying to make it popular. Sigh. Optimism will only get you so far, Barry.

I can’t fault them for trying to downplay and stall and spin, though—this one’ll be tricky to fix. Anyone remember the Samy MySpace worm?