Accuracy of Original S2HD Keylogging Report Questioned

Accuracy of Original S2HD Keylogging Report Questioned

by April 10, 2012

Both Sides of an SFG’s Fall From Grace

As this day has progressed, and word of an alleged malicious keylogger embedded in the alpha release of Sonic 2 HD and its consequences have spread like wildfire, there have been an increasing number of individuals that questioned the original report that set off the firestorm; that from Sonic Retro webmaster Courtney Grimes.

Grimes was the first to claim a keylogger was embedded in the alpha earlier this morning on Sonic Retro’s front page.  Word quickly spread to many major websites like Kotaku, and that included a write-up on this site.  Grimes cited “a professional antivirus employee” relaying the information, but did not specify who that employee is or what exactly prompted the alert on his or her end.  Grimes also cited “independent tests” in the alert, but did not specify what those tests consisted of.

The most damning among the dissenters comes in a post to, where Sonic Retro forumer Guess Who posts as caramelpolice, reveals the original source of the information, and alleges that information was only investigated through a brief IRC discussion.  Guess Who also explains, in detail, why he believes the alleged keylogging mechanism is harmless:

Last night I discovered a comment left on the editorial by a MrVestek, a commenter claiming to work for an antivirus company who did some investigation into Sonic 2 HD’s behavior after reading my article. He revealed that the game accesses the registry and monitors keyboard strokes even while the game is not in focus. I brought this comment to the attention of the Sonic Retro IRC channel; we debated the possibility of the game being a keylogger. After I discovered the locations Sonic 2 HD accesses in the registry, Retro founder Scarred Sun (who was present in the IRC channel) posted an article on the site warning users that the game is a keylogger.

However, when this was posted, we had not actually investigated MrVestek’s claims. Since last night, no one has found any evidence to suggest that Sonic 2 HD stores your keystrokes anywhere, be it locally or remotely. Wireshark analysis confirms it does not access the internet in any capacity. I did confirm that the program does, in fact, respond to keystrokes even if you have another window in focus – say, you alt-tabbed to Chrome or Firefox or whatever. So, for example, if you have “jump” bound to spacebar and you have Chrome open, each time you press spacebar in Chrome will result in Sonic jumping in the background. Terrifying security flaw, I know. This only occurs if you use DirectInput for input. Opting to use the raw keyboard option eliminates the behavior, hinting that the problem may be an oversight with DirectInput. Moreover, the game also responds to button presses on a controller configured with DirectInput even when another window is in focus (if anyone can come up with a malicious reason for a program to log your 360 controller button presses, please, let me know). It’s also important to note that this only occurs while the game is running. It does not install a service or add anything to your startup programs. This evidence coupled with the lack of any proof of any actual logging of keys – a required trait for a keylogger – heavily suggests that the problem is merely poor implementation of DirectInput. As my editorial should tell you, programmer incompetence is nothing new to this project.

As for the registry entries, the only things stored in the registry are your video and controller settings and a “Stat” entry that is believed to track what you have unlocked in the demo. Normally these sorts of things would be confined to a config and save file, but, again, programmer incompetency. While using the registry to store game settings is incredibly dated and discouraged, it’s essentially harmless.

Yes, the game triggers an antivirus alert. No, it’s not because of keylogging. As I mentioned in my editorial, the game’s executable is packed and obfuscated to deter reverse engineers. Trojans often utilize the same tactic to hide malicious code. The fact that this compression sets off antivirus software is confirmed by Avira. AntiVir detects the game as “TR/Crypt.XPACK.Gen”, whose description reads:

In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

VirusTotal, an online service that checks a program against multiple antivirus programs, vouches for this – not a single antivirus program detects the game as a keylogger. If you’re wondering why the executable is packed and obfuscated to begin with, it’s not because it is malicious. The programmer, LOst, has a severe case of paranoia and does not want Sonic Retro members to reverse engineer his engine (refer to my editorial for the absurdity and hypocrisy in this).

So, to summarize: your personal information, as far as anyone can tell, is not in any danger if you played Sonic 2 HD. The game is safe. Any antivirus warnings you get are indeed a false positive.

That message aligns with one of another well respected Retro community member, Polygon Jim, who posted in more blunt terms to Retro’s S2HD thread earlier today:

You can turn off this “keylogger” in the options. It’s a fucking DInput bug because LOst is a terrible programmer and should not be behind a large project like this. Now can we all shut the fuck up about it being a keylogger and try to fix the damage SS’s stupid-ass article did to the project?

Here is the murky part: If true, that damage could have been amended, but wasn’t.  Guess Who also alleged in a follow up comment on his Reddit post that when he approached Grimes about the issue, she appeared unwilling to amend her original story:

I’ve discussed the issue with Scarred Sun; she did not appear to care whether or not a keylogger was present and described my arguments against it as autistic. I’m not staff at Retro, just a longtime member, so there’s not much I can do except try to spread the word myself.

On the other hand, there is what we’ve independently learned today.  TSSZ has heard from two of our readers, and they alleged only after they downloaded the S2HD alpha build did they notice strange activity–anything from computer slowdown and wipeouts to personal accounts being compromised.

The former complaint was submitted to us first via a comment from reader Sawnik98:

I downloaded it the other day. Excellent game. The next day, I turn on my PC and not only did I have to wait 55 minutes (not exaggerating) for it to get to the welcome screen, but it turns out that every single file I own has been deleted. To add insult to injury, my once relatively speedy computer takes a few minutes to open the freaking start menu. So I’m having to type this comment on my PS3. I’ve come to think that S2HD may be the cause, but from the back of my head, I don’t recall keyloggers doing damage to this extent.

The latter comes to us from iK3ViN, and he tells us via a news tip several of his online accounts were compromised after downloading the alpha:

I found out that the first zone of Sonic 2 HD was released to try out. So I downloaded it, and played it. After I played it, I decided to go to bed. I woke up and tried accessing my Facebook. My password was changed at 2am. I tried getting into my e-mail, and that too was changed. I finally managed to get a hold of the Hotmail team, and I was able to change my password.

Everything that I logged into that day, was hacked and the passwords were changed. They tried changing all of my Netflix information, where my credit card numbers are; as well as trying to get my information from my Twitter, Tumblr, and even decided to change the password to my Minecraft account.

I know it must have something to do with Sonic 2 HD, because my security settings are excellent. You would actually NEED my password to get into my accounts. I’ve never been hacked at all, until the morning after I downloaded and played Sonic 2 HD.

We’ve asked Sawnik98 to perform some tests on his machine to determine whether it was compromised from an outside source, and we are waiting to hear back on those results to see if there’s any pattern or corroboration.

Whether Grimes initially jumped the gun or acted out of caution for the large audience she and her staff serves, the damage is clearly done, and no amendment to a headline, necessary or not, will change that.  Most agree the Sonic fan game project, in its current form, will never recover from the body of negative publicity endured the past two weeks.  A whole other can of worms may be opened if Grimes indeed ignored information that would have tempered the concern aired this morning, and if that is the case, it would be the latest in a series of public mishaps for Sonic Retro from recent months and years.

We will continue to follow developments.