Both Sides of an SFG’s Fall From Grace
As this day has progressed, and word of an alleged malicious keylogger embedded in the alpha release of Sonic 2 HD and its consequences has spread like wildfire, an increasing number of individuals have questioned the original report that set off the firestorm: the one from Sonic Retro webmaster Courtney Grimes.
Grimes was the first to claim a keylogger was embedded in the alpha earlier this morning on Sonic Retro’s front page. Word quickly spread to many major websites like Kotaku, and that included a write-up on this site. Grimes cited “a professional antivirus employee” relaying the information, but did not specify who that employee is or what exactly prompted the alert on his or her end. Grimes also cited “independent tests” in the alert, but did not specify what those tests consisted of.
The most damning dissent comes in a post to Reddit.com, where Sonic Retro forumer Guess Who, posting as caramelpolice, reveals the original source of the information and alleges that it was only investigated through a brief IRC discussion. Guess Who also explains, in detail, why he believes the alleged keylogging mechanism is harmless:
Last night I discovered a comment left on the editorial by a MrVestek, a commenter claiming to work for an antivirus company who did some investigation into Sonic 2 HD’s behavior after reading my article. He revealed that the game accesses the registry and monitors keyboard strokes even while the game is not in focus. I brought this comment to the attention of the Sonic Retro IRC channel; we debated the possibility of the game being a keylogger. After I discovered the locations Sonic 2 HD accesses in the registry, Retro founder Scarred Sun (who was present in the IRC channel) posted an article on the site warning users that the game is a keylogger.
However, when this was posted, we had not actually investigated MrVestek’s claims. Since last night, no one has found any evidence to suggest that Sonic 2 HD stores your keystrokes anywhere, be it locally or remotely. Wireshark analysis confirms it does not access the internet in any capacity. I did confirm that the program does, in fact, respond to keystrokes even if you have another window in focus – say, you alt-tabbed to Chrome or Firefox or whatever. So, for example, if you have “jump” bound to spacebar and you have Chrome open, each time you press spacebar in Chrome, Sonic will jump in the background. Terrifying security flaw, I know. This only occurs if you use DirectInput for input. Opting to use the raw keyboard option eliminates the behavior, hinting that the problem may be an oversight with DirectInput. Moreover, the game also responds to button presses on a controller configured with DirectInput even when another window is in focus (if anyone can come up with a malicious reason for a program to log your 360 controller button presses, please, let me know). It’s also important to note that this only occurs while the game is running. It does not install a service or add anything to your startup programs. This evidence, coupled with the lack of any proof of any actual logging of keys – a required trait for a keylogger – heavily suggests that the problem is merely poor implementation of DirectInput. As my editorial should tell you, programmer incompetence is nothing new to this project.
As for the registry entries, the only things stored in the registry are your video and controller settings and a “Stat” entry that is believed to track what you have unlocked in the demo. Normally these sorts of things would be confined to a config and save file, but, again, programmer incompetency. While using the registry to store game settings is incredibly dated and discouraged, it’s essentially harmless.
Yes, the game triggers an antivirus alert. No, it’s not because of keylogging. As I mentioned in my editorial, the game’s executable is packed and obfuscated to deter reverse engineers. Trojans often utilize the same tactic to hide malicious code. The fact that this compression sets off antivirus software is confirmed by Avira. AntiVir detects the game as “TR/Crypt.XPACK.Gen”, whose description reads:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
VirusTotal, an online service that checks a program against multiple antivirus programs, vouches for this – not a single antivirus program detects the game as a keylogger. If you’re wondering why the executable is packed and obfuscated to begin with, it’s not because it is malicious. The programmer, LOst, has a severe case of paranoia and does not want Sonic Retro members to reverse engineer his engine (refer to my editorial for the absurdity and hypocrisy in this).
So, to summarize: your personal information, as far as anyone can tell, is not in any danger if you played Sonic 2 HD. The game is safe. Any antivirus warnings you get are indeed a false positive.
That message aligns with one from another well-respected Retro community member, Polygon Jim, who posted in more blunt terms to Retro’s S2HD thread earlier today:
You can turn off this “keylogger” in the options. It’s a fucking DInput bug because LOst is a terrible programmer and should not be behind a large project like this. Now can we all shut the fuck up about it being a keylogger and try to fix the damage SS’s stupid-ass article did to the project?
Here is the murky part: if true, that damage could have been amended, but wasn’t. Guess Who also alleged in a follow-up comment on his Reddit post that when he approached Grimes about the issue, she appeared unwilling to amend her original story:
I’ve discussed the issue with Scarred Sun; she did not appear to care whether or not a keylogger was present and described my arguments against it as autistic. I’m not staff at Retro, just a longtime member, so there’s not much I can do except try to spread the word myself.
On the other hand, there is what we’ve independently learned today. TSSZ has heard from two of our readers, who alleged that only after they downloaded the S2HD alpha build did they notice strange activity: anything from computer slowdown and wipeouts to personal accounts being compromised.
The former complaint was submitted to us first via a comment from reader Sawnik98:
I downloaded it the other day. Excellent game. The next day, I turn on my PC and not only did I have to wait 55 minutes (not exaggerating) for it to get to the welcome screen, but it turns out that every single file I own has been deleted. To add insult to injury, my once relatively speedy computer takes a few minutes to open the freaking start menu. So I’m having to type this comment on my PS3. I’ve come to think that S2HD may be the cause, but from the back of my head, I don’t recall keyloggers doing damage to this extent.
The latter comes to us from iK3ViN, and he tells us via a news tip several of his online accounts were compromised after downloading the alpha:
I found out that the first zone of Sonic 2 HD was released to try out. So I downloaded it, and played it. After I played it, I decided to go to bed. I woke up and tried accessing my Facebook. My password was changed at 2am. I tried getting into my e-mail, and that too was changed. I finally managed to get a hold of the Hotmail team, and I was able to change my password.
Everything that I logged into that day was hacked and the passwords were changed. They tried changing all of my Netflix information, where my credit card numbers are; as well as trying to get my information from my Twitter, Tumblr, and even decided to change the password to my Minecraft account.
I know it must have something to do with Sonic 2 HD, because my security settings are excellent. You would actually NEED my password to get into my accounts. I’ve never been hacked at all, until the morning after I downloaded and played Sonic 2 HD.
We’ve asked Sawnik98 to perform some tests on his machine to determine whether it was compromised from an outside source, and we are waiting to hear back on those results to see if there’s any pattern or corroboration.
Whether Grimes initially jumped the gun or acted out of caution for the large audience she and her staff serve, the damage is clearly done, and no amendment to a headline, necessary or not, will change that. Most agree the Sonic fan game project, in its current form, will never recover from the body of negative publicity endured over the past two weeks. A whole other can of worms may be opened if Grimes indeed ignored information that would have tempered the concern aired this morning; if that is the case, it would be the latest in a series of public mishaps for Sonic Retro in recent months and years.
We will continue to follow developments.
WOOT! My Kevin is all grown up and in a news article! XD
But this is also bad news so… no woot :c
The only remaining question now is was LOst let go from the team because he programmed this so terribly that it simulated a keylogger or because he was planning something? If it’s the first…I see no reason why this can’t recover…accidents happen people, and the important thing to remember is that no bit of this project is official and operating under no budget..meaning they have no professional QA and Test team. Smart ideas on my end however….played with a 360 controller…what makes us feel better? “Wireshark analysis confirms it does not access the internet in any capacity.”
@cdrom: Even if it is the first, it’ll be hard for this to recover because this spread EVERYWHERE on the internet. People who never knew S2HD existed before are now aware of the project and have been informed, properly or not, that it records keys, and those news reports don’t seem to have looked into the whole ordeal deeply enough to see that LOst was already a problem and the whole thing was basically his fault. So, all the people who read that now think the entire team is at fault, possibly think that the entire thing was meant as a virus, and no amount of explaining will be able to sway some of their opinions, especially those who don’t bother to look any further into this.
@Oblivion4568238
Well…unfortunately that’s their loss…this project is non-profit to begin with and the people that truly care to listen to the full explanation can still enjoy the final result.
It’s already too late, a lot of damage has been done. LOst is out of it for good, S2HD might as well be dead as it stands now (See Oblivion4568238’s comment), and Retro’s reputation has been tarnished for two things:
1) Something that is entirely out of their control. Retro ONCE was a part of this (former) community project, but it defected from there and became its own independent developing project. They had nothing to do with the debacle right now in that specific light, but their former association with it has been overplayed at this point. I’ve got to give them that.
2) That said, there is the fact that Retro first reported this. Yes, I know, we all have to thank that first Retro article for bringing this issue to light, since they are well associated with the moreover hardcore programmers, legit game makers, and code writers (and apparently a not-yet-named antivirus professional). Her report inadvertently further associated Retro with the project despite the defection some time ago. The best thing right now is for ScarredSun to retract her statement publicly (which is a good and solid policy in TSSZ News, we have to give you that, T) and/or write something appropriate in the forums after a proper and thorough investigation of what the full issue is about before saying anything else.
I find it disappointing that, despite this project’s complete independence, Retro yet again finds a way to get itself into a rut. And it involves ScarredSun.
To concede, nearly every fan website always has its highs and lows. Especially that of our top 4 Sonic sites
Oh baw haw. Never recover my ass. If SEGA can still sell Sonic games after all the shit they’ve pulled and put Sonic through, I’m pretty sure a game like S2HD can survive a little negative publicity that was quickly put to rest.
Pretty sure all that would ever need to happen to “revive” this project allegedly shattered reputation (pffft) is a new demo with more levels and an article or two that says “there was shit that happened, and a few miscommunications that were blown out of proportion, but that’s all in the past and has been dealt with since”. We’ll all shit our pants with excitement and forget (or willfully ignore) that this ever happened, and you god damn know it.
This article ought to have the Drama header, my God.
Background input? Lol Dolphin has that feature.