DirectRevenue's dirty laundry is out of the closet and does it ever stink

Documents emerged today that reveal the just how deliberately DirectRevenue planned and executed the spyware attacks on users without regard for ethics, morals, right or wrong.

Two days ago DirectRevenue was hit with a lawsuit by New York State Attorney General Eliot Spitzer. The 76 page Affirmation of Justin Brookman (PDF) outlined the outrageous practices of DirectRevenue including evidence of their knowledge that the software was being installed without user consent, evidence showing DirectRevenue was closely monitoring anti-spyware sites, screenshots of example after example of misleading  and deceptive installation practices, how DirectRevenue frequently changed the names of files and processes to make it more difficult for users to identify and locate the spyware, modified file properties like date created to confuse users, how the company actually had a department named "Dark Arts" whose job was to "increase stealth" for spyware components, records of historical updates that showed "millions upon millions of instances where DirectRevenue remotely updated infected computers with new spyware" without giving notice to users of the updates.  It goes on and on.  It's almost unbelievable, really, to read the egregious practices DirectRevenue engaged in.

More documents emerged today that reveal just how deliberately DirectRevenue planned and executed the spyware attacks on users without regard for ethics, morals, right or wrong. Spyware researcher Ben Edelman obtained the Brookman Affirmation exhibits from the Attorney General's office and has posted them at his own site here.

The exhibits include copies of financial disclosures, from Exhibit 2.

Discloses revenues ($6.9 million in 2003, $39 million in 2004, $33 million in January-October 2005). (4) Discloses revenues from installing other vendors' software ($4 million for January-October 2005). (4)

There are lists of business partners, distributors and installation counts by month and year, records of specific users, including users' IP addresses. The most fascinating exhibits are copies of internal memos and emails among management, like Exhibit 10 where they discuss their displeasure with a PCPitstop article criticizing their practices, Exhibit 13 where they discuss use of "torpedoes" to remove other companies' adware and spyware, Exhibit 19 where they admit that Direct Revenue "takes advantage of their [Microsoft's] vulnerability and poor design."

But that's still only the beginning,  It gets darker and uglier. Exhibit 28 is an internal email among DirectRevenue management where CTO Dan Doman says:

Aurora is pretty spooky software and we installed it as a recovery on a number of machines that had dead ad clients as well.

That email dated April 20, 2005, also talks about Webhelper and refers to him as "our stalker friend". Indeed, Webhelper, now known by his real name, Patrick Jordan, and his position as Senior Malware Researcher at Sunbelt Software, can stand and recite DirectRevenue's history from memory.  Jordan did a great service to users and the anti-spyware community by tracking DirectRevenue's spyware, domains, deceptive installations and so on for nearly 2 years. 

At least 3 other exhibits refer to Webhelper including Exhibit 113, an email that discusses a preliminary report from a security firm hired to investigate Jordan. The email mentions Jordan's location, his employer and an estimate of his age. What were they planning to do with the information about Jordan?  The email also states:

Once we get all the information together, perhaps a letter to his true home address showing that we know more about him will have some results.

That sounds to me like a suggestion of intimidation and/or threats.

Exhibit 5, referred to by SunbeltBLOG as the "Death Threat Archive" consists of email complaints from angry users victims.  The language might raise the hair on the back of your neck or send you into hysterical laughter. Outraged users victims wished death, and sometimes fates worse than death, upon DirectRevenue and in some cases their families. The "F" word is used repeatedly and then more.  Just about every swear word in the book is in those emails. Even worse, though, are DirectRevenue's responses that include a few jokes.

My own blog post about Aurora and nail.exe had an unprecedented number of comments, including threats of violence against DirectRevenue staff and facilities. I actually received a letter from a DirectRevenue attorney last June demanding I remove the violent comments. Instead of removing the comments, I edited out certain words, but the sentiments were still evident.

At present, Ben Edelman has posted 135 exhibits and Ben says there are more to come. I remarked earlier today that we in the anti-spyware community sensed the darkness (I actually used the word evil) of DirectRevenue's practices, and we saw the evidence of it in the HijackThis logs of thousands of users begging for help to remove the software, but the information in these exhibits clearly shows the darkness and corruption of DirectRevenue and their practices.

My fellow anti-spyware bloggers have had plenty to say today about these revelations. SunbeltBLOG says So much smoke, the gun is beyond smoking. Wayne Porter blogs about DirectRevenue's advertising partners and distributors and tells the new meaning of nail.exe

At VitalSecurity Paperghost has a few laughs, more than a few actually, at DirectRevenue's expense. See The art of stealth, using a pair of lollerskates, Comedy genius! Irony, I love thee! and Quick! Let's exploit Microsoft!!

I expect we'll see more on DirectRevenue in the next few days. Stay tuned.