  • Text / Community drama
  • Xylitol, writer credits
8 items in the archive
  • my_megahertzng/diary.csv
  • my_megahertzng/release.csv
  • my_megahertzng/request.csv
  • my_megahertzng/SQL.txt
  • my_megahertzng/Team.MeGaHeRTZ.a.warning.from.the.WebScene.png
  • my_megahertzng/uses.csv
  • Team.MeGaHeRTZ.owned.and.exposed.a.warning.from.the.webscene.READ.NFO-XYLIBOX.NFO
  • my_megahertzng
---------------8<-------[CUT HERE]-----------------------------------------------------
Releaser: Xylitol/RED
WebScene warning: 02 September 2013
Before "MEGAHERTZ.EXPOSED.GATHERING.INTEL.ON.PEOPLE.REMOVE.THEM.V2013.READ.NFO-SNOWDEN"
Attachment: SQL Dump of the lamers, 0day scene should know about this.
---------------8<-------[CUT HERE]-----------------------------------------------------

Hey guys, i came across recently to a scene release done by team MeGaHeRTZ
"Malwarebytes.Anti-Malware.Pro.v1.75.0.1300.Incl.Patch-MeGaHeRTZ"
First time i hear of them... and after some search.. this team worry me.
Their ethics are "misaligned" and the quality isn't really here.

At first let's talk about the quality.
I've searched a bit about this team and found a NFO of 2009:

+-----------------------------------------------------------------------------+
| [ASCII-art logo: MeGaHeRTZ]
|-----------------------------------------------------------------------------
| ReLeaSe iNFo | ReLeaSe iNFo
|-----------------+-----------------------------------------------------------
| SoFT NaMe       | iDailyDiary Professional v3.52
|-----------------+-----------------------------------------------------------
| uRL             | http://www.splinterware.com
|-----------------+-----------------------------------------------------------
| WoRKeR          | ALAN^MeGaHeRTZ
|-----------------+-----------------------------------------------------------
| ReLeaSe TYPe    | Cracked EXE
|-----------------+-----------------------------------------------------------
| CRaCKiNG DaTe   | 2009/01/20
|-----------------+-----------------------------------------------------------
| SoFTWaRe iNFo | SoFTWaRe iNFo
|-----------------------------------------------------------------------------
| iDailyDiary provides a simple interface that immediately
| gets you started taking daily notes, creating a journal,
| putting your thoughts into writing and much more.
|-----------------------------------------------------------------------------
| iNSTaLL NoTeS | iNSTaLL NoTeS
|-----------------------------------------------------------------------------
| Install the Software
| Check if the Software *IS NOT* Running
| Use the *CRACK* button to Register
|-----------------------------------------------------------------------------
| MeGaHeRTZ TeaM | MeGaHeRTZ TeaM
|-----------------+-----------------------------------------------------------
| ALAN            | FouNDeR/CRaCKeR/CoDeR/WeB {aMY+PC}
| BaTMaN          | GFX {aMY+PC+MaC}
| BiLLY THe KiD   | WaReZ GaMeS+MoVie+XXX {PC}
| CoBRa           | WaReZ MoVie+GaMeS {PC+CoNSoLe}
| GuMP            | WeBDeSiGNeR {PC}
| LaZaRuS         | CoDeR {LiNuX}
| NeMBo KiD       | WaReZ MoVie+SoFT {PC}
| RiGeL           | WaReZ MoVie+GaMeS {PC}
| SHaDiNG         | CoDeR {LiNuX}
| SuBCuZZ         | CoDeR {PC}
| Toi             | WaReZ GaMeS {PC+CoNSoLe}
| ToYBoX MaN      | WaReZ MoVie+TooNS+XXX {PC}
| TuLiPaNo NeRo   | CoDeR+GFX {PC}
| ViCu            | WeBDeSiGNeR {PC+MaC}
| Y-PRoF          | CoDeR STuDeNT {PC+LiNuX}
|-----------------------------------------------------------------------------
| oLD MeGaHeRTZ TeaM / NoW ReTiReD | oLD MeGaHeRTZ TeaM / NoW ReTiReD
|-----------------+-----------------------------------------------------------
| aDiDaS          | WaReZ GaMeS+SoFT {aMY+PC}
| aNDRo           | WaReZ GaMeS+SoFT {aMY+PC+CoNSoLe}
| CYBeRMaSTeR     | WaReZ GaMeS+SoFT {aMY+PC+MaC}
| DaNGeRouS       | WaReZ GaMeS {aMY}
| eNiGMa          | WaReZ GaMeS+SoFT {aMY+PC+MaC}
| GiaNX           | WaReZ GaMeS STuDeNT {aMY}
| HaWK            | GFX {PC}
| HYRoSHiMa       | WaReZ GaMeS+SoFT {aMY+PC+CoNSoLe}
| KiNG WoLF       | WaReZ GaMeS STuDeNT {aMY}
| KYX             | WaReZ GaMeS+SoFT {aMY+PC+LiNuX}
| L-STYLe         | WaReZ GaMeS {aMY}
| LoRD MaRiaN     | WaReZ GaMeS {aMY}
| MaD MaX         | WaReZ GaMeS STuDeNT {PC}
| MaRaDoNa        | WaReZ GaMeS STuDeNT {C64}
| MiSTeR TaPPaRo  | WaReZ GaMeS {aMY+PC}
| MiSTeR X        | WaReZ SoFT {aMY+PC}
| SuKeBe          | WaReZ GaMeS {aMY}
| WaLCoM          | WaReZ SoFT {aMY+PC}
| XiaN            | WaReZ GaMeS+SoFT {aMY+PC+CoNSoLe}
|-----------------+-----------------------------------------------------------
| CoNTaCTS | CoNTaCTS
|-----------------+-----------------------------------------------------------
| MaiL            | [email protected]
| WeBSiTe         | http://mhzgroup.true.ws
| MeSSeNGeR       | [email protected]
|-----------------+-----------------------------------------------------------
| GReeTiNG | GReeTiNG
|-----------------------------------------------------------------------------
| ACME - AGAiN - AGGRESSiON - ARN - ArTeam - Bidjan - CHiCNCREAM - C.O.R.E.
| CROSSFiRE - CRUDE - diGERATi - dT - ECLiPSE - f4cg - F.F.F.
| FOSI - ICU - iNFECTED - iNFERNO - LasH - LUCiD - Lz0 - MP2K - NiTROUS
| PARADOX - SCOTCH - SnD - SSG - RESURRECTiON - TMG - TSRh - UIC
| UnderPL - VDown - ViRiLITY - YAG - Z.W.T
+-----------------------------------------------------------------------------+=n

MeGaHeRTZ looks like a 0day group, i don't know with who they are affiliated but...
Look at the NFO, seem it's a well structured group, i've searched and never see a video or a game release from them.
After i don't know well the Italian scene so i'm not the best to talk about Italian groups.
The only guys i've hear of is Rigel. (who moved to TSRh if i remember)

Well, let's skip the member list part and see the "greetings" part.
"AGGRESSiON - ARN" ARN is the acronym of Aggression so why they are in double ?
And this chars at the end '=n' why did they have a sort of byte-order mark on the NFO an error maybe ?

Let's have a look on the NFO of the concerned release now (Malwarebytes)

[ASCII-art logo: MeGaHeRTZ]

*PRESENTS A NEW 0-DAY RELEASE*
________________________________________________________________________________
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
SoFT NaMe ........................... Malwarebytes.Anti-Malware.Pro.v1.75.0.1300
ReLeaSe-TyPe .............................................................. uTiL
oS ...................................................................... WiNaLL
WeBSiTe ........................................... http://www.malwarebytes.org/
CRaCKeD By............................................................. MoS 6510
CRaCK-TyPe ........................................................ *PaTCH V1.0*
PuBLiSHeD oN ........................................................ 2013/04/16

DeSCRiPTioN:
aCTiVeLy PRoTeCT aGaiNST aLL FoRMS oF MaLWaRe
iMPRoVe youR PRoTeCTioN WiTHouT CHaNGiNG youR aV
ReNoWNeD PRoTeCTioN aND CLeaNuP TeCHNoLoGieS
TooL MoST ReCoMMeNDeD By TeCHS aND SuPeR uSeRS

iNSTaLL NoTeS:
1) iNSTaLL *SoFTWaRe* aND iF aSK DoN'T RuN/ReBooT
2) MaKe SuRe THaT SoFTWaRe iS *NoT* RuNNiNG
3) eXeCuTe *MeGaHeRTZ* aND CLiCK oN *PaTCH* BuTToN
,ε+4

Simple, clean.
",ε+4" Same shit here, i don't know how they package their releases but they have a problem.

Now after the sloppy NFOs we have the sloppy releases:
MeGaHeRTZ is on the 0day scene.. that ok
Did they even know the 0day scene rules ?
"DVDFab.9.v9.0.2.6.Incl.Loader-MeGaHeRTZ"
A Loader... are these guys serious ? this release got nuked for this.
But it's a double fail: the release even don't work properly.
(can't convert multiple audio tracks on blu ray ripping)

Something weird: you can't close it (to close the release you need to successfully patch the application)
Otherwise you have to kill the process...

What happens when you use their patch ?
Users who use their releases are tracked for internal statistics.
You don't believe me ? ok just read the strings:

  0040BC2D   . 50             PUSH EAX                        ; /pBufferSize
  0040BC2E   . 8B4424 08      MOV EAX,DWORD PTR SS:[ESP+8]    ; |
  0040BC32   . 50             PUSH EAX                        ; |Buffer
  0040BC33   . E8 92F40500    CALL 0046B0CA                   ; \GetComputerNameA

  0040BC9E   . 50             PUSH EAX                        ; /pBufCount
  0040BC9F   . 8B4424 04      MOV EAX,DWORD PTR SS:[ESP+4]    ; |
  0040BCA3   . 50             PUSH EAX                        ; |Buffer
  0040BCA4   . E8 5D240600    CALL 0046E106

Shits is parsed like this:
  ASCII "Malwarebytes Anti-Malware Pro v1.x | Computer name: 'XYL2K-E87171510' - User: 'Administrateur'"
Then they replace the spaces by '%20' hex encode for web.
  ASCII "http://usages.kickme.to"

Mail proc:

  0040454C  |. 68 90A84700    PUSH 47A890                     ; ASCII "smtp.mail.yahoo.com"
  00404551  |. E8 46890200    CALL 0042CE9C                   ; Dumped_.0042CE9C
  00404556  |. 89C3           MOV EBX,EAX
  00404558  |. 83FB 01        CMP EBX,1
  0040455B  |. 0F85 C4010000  JNZ 00404725                    ; Dumped_.00404725
  00404561  |. E8 6A010400    CALL 004446D0                   ; Dumped_.004446D0
  00404566  |. 50             PUSH EAX
  00404567  |. 68 CBA74700    PUSH 47A7CB                     ; ASCII "alanmhz"
  0040456C  |. 68 30A04700    PUSH 47A030                     ; ASCII "mhz_group_check"

There is the same mail address "[email protected]" on the MeGaHeRTZ NFO of 2009.
And for the password 'alan'.. if you read the 2009 NFO this guy is the founder.

  ASCII "http://mhzgroup.altervista.org/usageupdate.php?soft=Malwarebytes Anti-Malware Pro&ver=v1.x"

There is no backconnect facility, c&c and cie but... grabbing the pc name and current user for release tracking ? why ?!
And the most dramatic thing it's that they don't know how to code properly in PHP...
They are vulnerable to SQL injection, for a 0day team it's really lame.

current database: 'my_megahertzng'
current user: 'megahertzng@localhost'
privilege: USAGE
privilege: USAGE

[*] information_schema
[*] my_megahertzng

Database: my_megahertzng
[4 tables]
+---------+
| release |
| diary   |
| request |
| uses    |
+---------+

Table: uses
[4 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| build    | varchar(50)  |
| id       | int(11)      |
| softname | varchar(100) |
| uses     | int(11)      |
+----------+--------------+

Table: request
[4 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| user     | varchar(50)  |
| note     | varchar(200) |
| softname | varchar(100) |
| status   | varchar(100) |
+----------+--------------+

Table: diary
[4 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| date      | date         |
| softname  | varchar(100) |
| softpatch | varchar(200) |
| type      | int(11)      |
+-----------+--------------+

Table: release
[7 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| date      | date         |
| build     | varchar(50)  |
| id        | int(11)      |
| patch     | varchar(50)  |
| requested | varchar(50)  |
| softhouse | varchar(50)  |
| softname  | varchar(100) |
+-----------+--------------+

I'm not here to do a dramascene, but people should know about this group and their 'tracked' releases.

Last fun things is from MalwareBytes, they are known for adding signatures on keygens and patch, usually MalwareBytes do 'Dont.Steal.Our.Software'
  Malwarebytes.Anti-Malware.1.46.keygen-SND: Dont.Steal.Our.Software
  Malwarebytes.Anti-Malware.Pro.v1.75.0.1300.Incl.Patch-MeGaHeRTZ: Trojan.CallHome.Mhz
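
Added example, not part of the NFO and not Xylitol's code: hunting web-proxy logs for the call-home traffic the NFO describes, and recovering which computer name and user were reported. The two hosts and the beacon text come from the NFO; the log layout, timestamps, client addresses and the placement of the beacon in the query string are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Call-home hosts named in the NFO.
CALL_HOME_HOSTS = {"usages.kickme.to", "mhzgroup.altervista.org"}

# Beacon text quoted in the NFO:
#   <product> | Computer name: '<computer>' - User: '<user>'
BEACON_RE = re.compile(
    r"(?P<product>[^|?/]+?)\s*\|\s*Computer name:\s*'(?P<computer>[^']*)'"
    r"\s*-\s*User:\s*'(?P<user>[^']*)'"
)

# Constructed proxy log, assumed layout: "<timestamp> <client_ip> <method> <url>".
SAMPLE_LOG = [
    "2013-09-02T10:15:00Z 192.0.2.10 GET http://usages.kickme.to/?"
    "Malwarebytes%20Anti-Malware%20Pro%20v1.x%20|%20Computer%20name:%20"
    "'XYL2K-E87171510'%20-%20User:%20'Administrateur'",
    "2013-09-02T10:15:01Z 192.0.2.10 GET http://mhzgroup.altervista.org/"
    "usageupdate.php?soft=Malwarebytes%20Anti-Malware%20Pro&ver=v1.x",
    "2013-09-02T10:16:30Z 192.0.2.22 GET http://www.malwarebytes.org/",
]

def hunt(log_lines):
    """Return one finding per request that reached a call-home host."""
    findings = []
    for line in log_lines:
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # malformed line, nothing to inspect
        ts, client, _method, url = parts
        split = urlsplit(url)
        host = (split.hostname or "").lower()
        if host not in CALL_HOME_HOSTS:
            continue
        # The NFO says spaces are sent as %20, so decode before matching.
        m = BEACON_RE.search(unquote(split.path + "?" + split.query))
        findings.append({
            "time": ts, "client": client, "host": host,
            "product": m.group("product") if m else None,
            "computer": m.group("computer") if m else None,
            "user": m.group("user") if m else None,
        })
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

A hit with `computer` and `user` filled in shows exactly what identity data left the host; a hit without them still identifies a client that ran one of the tracked patches.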