While viruses and malware can be added to any file online, it is rare for malicious content to planted by those in the so-called warez scene. Nevertheless, it has now been revealed that since February 2013 one particular group has been dropping a little something extra into its cracked software releases. Anyone who has installed the group's software patches may well have had their username, hard drive serial, computer name and IP address emailed out without their knowledge.

If the RIAA and MPAA are to be believed, torrent and other file-sharing sites are incredibly dangerous places. Anyone visiting them should be prepared to become infected with a virus, infiltrated by malware, or be otherwise exposed to similar threats.

The actual situation is nowhere near as bad as some would like to make out, but every now and again something happens to remind us that it is very possible for something nasty to slip through the net.

On February 12, 2013 a new warez group appeared calling themselves MeGaHeRTZ. Their first release was BurnAware Professional v6.0 plus a patch to remove the software’s protection. Over the months that followed the group released a lot of noteworthy products such as SmartFTP, DVDFab, FlashFXP, Incredimail, Traktor and hundreds more, each with the obligatory ‘freebie’ patch.

Tomorrow the group will have been operating for a full nine months and during that time their releases have spread to every corner of the Internet. However, far from merely wanting to do downloaders a favor, MeGaHeRTZ have been playing a little dirty.

A small sample of MeGaHeRTZ releases

Over the weekend a notice spread around the warez scene which detailed how one individual became alarmed by unusual firewall activity after he had installed, ironically, a MeGaHeRTZ release of Malwarebytes Anti-Malware Pro.

The problem reportedly came from patch that MeGaHeRTZ supplied with the release which attempted to send out traffic on port 25, a port commonly used to send email. The same individual who found the strange activity then ran the patch through a debugger and to his alarm found that it was harvesting information from the host machine.

The data being gathered from infected machines includes the username, computer name/drive serial obtained from the Windows API, and the host machine’s IP address. This information is then packaged up and sent off to any of three predetermined email addresses, all of which have account names containing some variation of the MeGaHeRTZ group name.

Further tests were carried out on several other MeGaHeRTZ releases and they were all found to carry similar mechanisms for pulling data from host machines and funneling it back to the release group.

The scene reacts – all MeGaHeRTZ releases get nuked

Quite what MeGaHeRTZ intend to do with the data is unclear but it appears that as an active release group they are now finished, at least under their current identity. On Saturday the warez scene took action to ‘nuke’ every MeGaHeRTZ release, which means they won’t be allowed to release anymore.

Revealing malware in scene releases is a very unusual occurrence and malicious content is usually added at a later stage by third parties. Still, the damage has now been done. MeGaHeRTZ releases are now all over the Internet and there is nothing that anyone can do to get them back. Avoidance is the only solution now.