So-Called Red Room Site: A Creepy Experience


Ah, the legend continues!  I’ve done several posts about the so-called “red rooms” that may or may not exist on the dark web, and it’s been an interesting process.  (I’m leaning toward not, by the way.)  For the newcomers, here are the previous entries:

Are Deep Web Red Rooms Real?

Is the Shadow Web a Reality? (Updated)

Dark Web Sites That *Claim* To Be Red Rooms

Red Rooms Finally Debunked Forever?

A Chat with the Directors of The Darkest Alley! (interview)

In the process, I’ve become more and more convinced that it would be extremely difficult, if not impossible, to host something like a red room on the dark web (Tor in particular).  Not only is livestreaming very difficult due to latency problems, but you would also have the problem of something like a live murder leaving behind evidence for law enforcement.

Nonetheless, in my research process, I’ve continued looking for sites that are labeled as red rooms, or sell themselves on the premise of being a red room.  I have come across several of those while hunting, and most seem to be scams.

Red Room #12589903


The alleged “red room” site.


Most recently, I found yet another site with a similar premise, located at http://5xcds7yhgisfm6mu.onion/.  As you can see from the screenshot, it’s rather basic looking and gives very few details.  You had to contact them to get any other information.

Once again, out of curiosity, I contacted the site owner (or whomever) via the email address that was listed, and sent a PGP-encrypted message asking how to sign up.  He sent me back a PGP-encrypted message with details on what I had to do, and how much I had to pay, etc.

Now, here is the creepy part: the person who responded actually knew my real name.  That was enough to freak me out, at least a little bit.  I didn’t ask, but I was also concerned if he had any of my other personal information.

(Later, when he found out I was blogging about him, he spewed out a list of other personal info, like my wife’s name, the city I lived in, and several places that I frequent.  But you could honestly find those just by Googling me.)

It reminded me, at least slightly, of some of the “deep web” stories like the previously mentioned Horrifying Deep Web Stories: Why I Quit Hacking or 3 Disturbing Deep Web Stories by Mr. Nightmare.  And yes, I know that those are just stories, but it was the possibility of someone finding out my real identity that was reminiscent of some of the stories.

His response to my first question, like most of the others, was that I had to pay 2.0 bitcoin (a.k.a. $1344.80) to gain access, and then to actually be the “master” of the show, I had to win an auction (similar to most of the other supposed red room sites).

Once you paid, supposedly, you would be given a username and password to simply access the site.  (You could only access the landing page without it.)

Invasion of Privacy??


So my question was – where did the guy get my name from?  Well, without asking directly, I had several theories.

When I had used my PGP key on the message I sent initially, it’s possible that my name was encoded into it somehow.  I actually find that less disturbing than some of the alternatives.
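An added example here, not part of the original post, to show how much a PGP key can give away. An OpenPGP public key block is not just key material: it carries a User ID packet holding the name and e-mail the key was generated under, so anyone handed the key (attached to a message, or fetched from a keyserver by the key ID that appears in a signature or in the encrypted session-key packet) reads the name straight off it. The script below walks an OpenPGP packet stream (old- and new-format headers, RFC 4880 section 4.2) and lists that metadata. The packets it parses are constructed inline with filler key material; the name and key ID in them are made up for the demonstration.

```python
"""Added example (not from the original post): walk an OpenPGP packet stream
and report the identifying metadata it carries.  Per RFC 4880 a public key
block contains a User ID packet (tag 13) with the name/e-mail the key was
created under, and a PKESK packet (tag 1) in an encrypted message names the
recipient's key ID.  The sample packets below are constructed here."""

import struct

# OpenPGP packet tags we care about (RFC 4880 section 4.3)
TAG_PKESK = 1      # Public-Key Encrypted Session Key: carries recipient key ID
TAG_PUBKEY = 6
TAG_USERID = 13    # User ID: "Name (comment) <email>"


def _read_header(data, pos):
    """Parse one packet header; return (tag, body_start, body_len).
    Handles old-format (4.2.1) and new-format (4.2.2) one-, two- and
    five-octet lengths; partial body lengths are not supported here."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % pos)
    if ctb & 0x40:  # new format
        tag = ctb & 0x3F
        first = data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag = (ctb >> 2) & 0x0F
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate length not supported")


def packets(data):
    """Yield (tag, body) for each packet in the stream."""
    pos = 0
    while pos < len(data):
        tag, start, length = _read_header(data, pos)
        yield tag, data[start:start + length]
        pos = start + length


def identifying_metadata(data):
    """Return [(kind, value)] for everything a correspondent could learn
    about a person from this stream without breaking any crypto."""
    found = []
    for tag, body in packets(data):
        if tag == TAG_USERID:
            found.append(("user_id", body.decode("utf-8", "replace")))
        elif tag == TAG_PKESK and body[0] == 3:      # version 3 PKESK
            found.append(("recipient_key_id", body[1:9].hex().upper()))
    return found


def _old_packet(tag, body):
    """Build an old-format packet with a one-octet length (body < 256 bytes)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


def build_sample():
    """Constructed sample: a public key packet with filler material, its
    User ID, and a PKESK packet addressed to a made-up key ID."""
    pubkey = _old_packet(TAG_PUBKEY, b"\x04" + b"\x00" * 20)       # v4 + filler
    uid = _old_packet(TAG_USERID, b"Alice Example <alice@example.com>")
    # PKESK: version 3, 8-octet recipient key ID, algorithm 1 (RSA), MPI filler
    pkesk = _old_packet(TAG_PKESK, b"\x03" + bytes.fromhex("0123456789ABCDEF")
                        + b"\x01" + b"\x00\x08\xAA")
    return pubkey + uid + pkesk


if __name__ == "__main__":
    for kind, value in identifying_metadata(build_sample()):
        print(kind, value)
```

For a real key file the same packets are printed by `gpg --list-packets`, which is the quickest way to see what a key you are about to hand to a stranger says about you; a key generated with a throwaway User ID is the usual fix.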

Beyond that, I combed through my system with various anti-malware tools, and came up with a few troubling findings.  One of them was a type of trojan (whose name I forget at the moment) that is specifically designed to steal login credentials and personal information.

I was able to remove it, but the question still remained – was that what gave away my name?  I still don’t know for certain, and I would feel more comfortable if I did.

Moral of the Story…


So what have I learned from this?  I need to be more careful about whom I correspond with on the dark web, and when I do so, it’s imperative that I have all privacy and security protocols in place, and don’t do anything idiotic.  (Insert “I told you so” here.)

In the meantime, I’m still finding the process enjoyable, and believe it or not, I have learned a few things from my mistakes.

I hope you can, too.


Avira AntiVir Enhanced Protection = Virus!


I use several different computers, and yes, one of them is a PC.  And we all know that PCs tend to get the most malware and spyware.  They’re like the kid who’s always getting sick at school.


On that particular PC, I couldn’t shell out the cash to buy one of the best antivirus programs (like Kaspersky or Bitdefender), so I went with Avira, since its basic version was free.  It seems to get the job done most of the time (although on every gift-giving holiday, I swear it says, “Get your wife the gift of protection!” – which sounds wrong in so many ways).

Not long ago, I had some kind of “update” window pop up that appeared to be from Avira, and it looked very similar to the one above (but not identical).

Unfortunately, when I clicked on it, it redirected me to a clone Avira site that also looked similar to the real one.

Now, it would be easy to mistake this for the genuine Avira site, but there was another clue that tipped me off.  I would click links on harmless sites like WordPress Stats, and every link would lead me back to the so-called “Avira” site.  The fake site kept badgering me to download their “Pro” version, and did so in such an intrusive way that it didn’t seem real.

I wish I had a screenshot of the fake site just as a warning, but I don’t at the moment.  On the upside, I came across this screenshot of the fake database update window, which is quite similar to the one I saw:

[Screenshot: the fake “Avira AntiVir Enhanced Protection Mode” database update window]

If you click on that, a red window will pop up that looks like this (or similar to it):

[Screenshot: the red “Avira AntiVir Enhanced Protection Mode” alert window]

At first, I admit I had been fooled.  Thus, I attempted to uninstall the real Avira program, thinking that it was just hounding me to do updates, but when I tried to do that, it wouldn’t even let me finish the uninstall process!

The program would get a few seconds into it, and then a window kept popping up that said, “Are you sure you want to uninstall?”  If you clicked yes, that would trigger the same redirect as above.  (That was the final straw, of course!)

Apparently, the malware my computer had “contracted” was called Avira AntiVir Enhanced Protection Mode, which mimics the Avira Antivirus program in quite a few ways, but is quite malicious.  On the bright side, it’s certainly not the worst malware in existence.

Get Rid of It…Please!!

So there are several steps to removing this particular type of malware, which can sometimes get a bit complicated.

If you want to remove it manually, here are two helpful guides: How to Remove Avira AntiVir Enhanced Protection Mode and How To Remove Avira AntiVir Enhanced Protection Mode Virus – Virus Removal.

According to the former:

a. Boot your PC into Safe Mode with Networking first, which prevents AntiVir from running at startup.  It will also make it much easier to delete all of the infected files.

XP: Avira AntiVir Enhanced Protection Mode executable paths:

C:\Documents and Settings\%UserName%\Download\OTS.exe
C:\Windows\1rezerv.exe
C:\Windows\systemup.exe
C:\Windows\sysdriver32.exe

Win 7 / Vista: Avira AntiVir Enhanced Protection Mode executable paths:

C:\Users\%User Name%\Downloads\OTS.exe
C:\Windows\1rezerv.exe
C:\Windows\systemup.exe
C:\Windows\sysdriver32.exe


b. Browse to the file path locations mentioned above, and rename the files listed. After renaming them, you’ll need to reboot your PC so that you can stop the files from executing. Because they’ll no longer run at startup, it will be much easier to delete them all from your hard drive.

c. When searching for the file paths listed above, sort them by “last date modified,” so that you can easily find the ones that have been infected (and rename them).

d. Using the Windows Task Manager, locate and stop the running processes of the files connected to the Avira Antivir malware.  Select each one and hit “End Task” so that you can delete them easily.

e. Delete all the infected files from your hard drive.  Because you’ve stopped the processes from running, it should now be easy to delete them.

f. Run an antivirus scan to make sure that you’ve removed all the forms of malware that have infected you.  Chances are, other types of malware were included with the AntiVir virus (this is what happened to me!).  Pctechguide.com recommends Spyware Doctor with Antivirus, StopZilla, or Malwarebytes.  Make sure it’s a full system scan, and not the “quick scan” option!
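An added example, not from the post or the guides it quotes: the “browse to the file paths” and “sort by last date modified” steps above, done as a script so every candidate path is checked in one pass and any hits come back newest first, which is what you want when deciding which files were dropped together. The candidate list is the one given above with %UserName% expanded to the profile name; the drive tree the script checks is constructed in a temporary directory with placeholder files, so running it touches no real system drive (on an infected machine you would point it at the real drive root instead).

```python
"""Added example (not from the removal guides quoted above): check a drive
root for the file paths those guides associate with Avira AntiVir Enhanced
Protection Mode and list any hits newest-first.  The demo tree is built in a
temporary directory so the script runs anywhere."""

import os
import tempfile
import time

# Paths from the quoted guides, relative to the drive root.
# %UserName% is the profile directory name and is expanded below.
CANDIDATE_PATHS = [
    r"Documents and Settings\%UserName%\Download\OTS.exe",  # XP
    r"Users\%UserName%\Downloads\OTS.exe",                  # Vista / 7
    r"Windows\1rezerv.exe",
    r"Windows\systemup.exe",
    r"Windows\sysdriver32.exe",
]


def expand(rel_path, root, username):
    """Turn a backslash-separated candidate path into a real path under root."""
    parts = rel_path.replace("%UserName%", username).split("\\")
    return os.path.join(root, *parts)


def find_indicators(root, username, candidates=CANDIDATE_PATHS):
    """Return [(candidate, mtime)] for candidates that exist, newest first,
    i.e. the guide's 'sort by last date modified' step."""
    hits = []
    for rel in candidates:
        full = expand(rel, root, username)
        if os.path.isfile(full):
            hits.append((rel, os.path.getmtime(full)))
    hits.sort(key=lambda hit: hit[1], reverse=True)
    return hits


def build_demo_tree():
    """Constructed sample: a fake drive root with two 'dropped' files, one
    planted an hour before the other.  The file contents are a placeholder."""
    root = tempfile.mkdtemp(prefix="fake_drive_")
    now = time.time()
    planted = ((r"Windows\sysdriver32.exe", 3600),   # older
               (r"Windows\systemup.exe", 0))         # newer
    for rel, age in planted:
        full = expand(rel, root, "victim")
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"MZ placeholder")  # constructed, not real malware
        os.utime(full, (now - age, now - age))
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, mtime in find_indicators(demo_root, "victim"):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)), rel)
```

A hit list is only a starting point: the guide's next steps (end the process, rename, reboot, delete, then a full scan) still apply, and a file that matches a name here but not a recent modification time deserves a second look before anything is deleted.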

And the Result Is??

I can vouch for the solutions these guys provided, because they worked on my computer – it seems to be running smoothly again!

One question is – where did this virus come from?  I don’t know, but I recall a site that I visited forced me to download a file of some kind, and the malware may have been embedded in that file.  I don’t know this for sure, but it’s reason enough to be more careful.

Sometimes you have to learn the hard way, right?  Well, thanks guys!

And for a bit of nostalgia, here’s the blue screen of death from Windows XP!!

[Screenshot: the Windows XP blue screen of death]