The Sonic 2 HD Keylogger Situation Explained

by April 11, 2012

LOst booted off of the Sonic 2 HD project

Earlier yesterday we ran a story about Sonic Retro admin Courtney Grimes (ScarredSun) warning users to delete the hotly anticipated Sonic 2 HD demo on the grounds that the software contained keylogger functionality. That warning has now been retracted after Sonic Retro forum user “Guess Who” completed his own analysis of the program. Posting on Reddit, “Guess Who” tells the whole story:

Last night I discovered a comment left on the editorial by a MrVestek, a commenter claiming to work for an antivirus company who did some investigation into Sonic 2 HD’s behavior after reading my article. He revealed that the game accesses the registry and monitors keyboard strokes even while the game is not in focus. I brought this comment to the attention of the Sonic Retro IRC channel; we debated the possibility of the game being a keylogger. After I discovered the locations Sonic 2 HD accesses in the registry, Retro founder Scarred Sun (who was present in the IRC channel) posted an article on the site warning users that the game is a keylogger.

However, when this was posted, we had not actually investigated MrVestek’s claims. Since last night, no one has found any evidence to suggest that Sonic 2 HD stores your keystrokes anywhere, be it locally or remotely. Wireshark analysis confirms it does not access the internet in any capacity. I did confirm that the program does, in fact, respond to keystrokes even if you have another window in focus – say, you alt-tabbed to Chrome or Firefox or whatever. So, for example, if you have “jump” bound to spacebar and you have Chrome open, each time you press spacebar in Chrome, Sonic will jump in the background. Terrifying security flaw, I know.

It’s also important to note that this only occurs while the game is running. It does not install a service or add anything to your startup programs. This evidence, coupled with the lack of any proof of any actual logging of keys – a required trait for a keylogger – heavily suggests that the problem is merely poor implementation of DirectInput. As my editorial should tell you, programmer incompetence is nothing new to this project.

As for the registry entries, the only things stored in the registry are your video and controller settings and a “Stat” entry that is believed to track what you have unlocked in the demo. Normally these sorts of things would be confined to a config and save file, but, again, programmer incompetency. While using the registry to store game settings is incredibly dated and discouraged, it’s essentially harmless.

Yes, the game triggers an antivirus alert. No, it’s not because of keylogging.

So, to summarize: your personal information, as far as anyone can tell, is not in any danger if you played Sonic 2 HD. The game is safe. Any antivirus warnings you get are indeed a false positive.
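The three checks “Guess Who” relies on (no persistence, no network activity, and only settings under the game’s registry key) can be repeated on any build with a short triage script. The PowerShell below is an added example written for this page; it is not code from the article or from the Sonic 2 HD project. The executable name and the settings registry path are placeholders, since the article does not give the game’s actual key, so substitute the real values before running it.

```powershell
# Added example (not from the original article): triage script that repeats the
# persistence, network and registry checks described in the post for a game
# executable. $ExeName and $SettingsKey are placeholders; the real Sonic 2 HD
# registry path is not given on the page.
param(
    [string]$ExeName     = 'game.exe',                        # placeholder
    [string]$SettingsKey = 'HKCU:\Software\EXAMPLE\Sonic2HD'  # placeholder
)

$baseName = [System.IO.Path]::GetFileNameWithoutExtension($ExeName)
$pattern  = [regex]::Escape($ExeName)

# 1. Persistence: does anything reference the executable in the usual
#    autostart keys, as a Windows service, or as a scheduled task?
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            ForEach-Object { $_.PSObject.Properties } |
            Where-Object { $_.Value -is [string] -and $_.Value -match $pattern } |
            ForEach-Object { "[persistence] $key : $($_.Name) = $($_.Value)" }
    }
}

Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $pattern } |
    ForEach-Object { "[persistence] service $($_.Name) -> $($_.PathName)" }

Get-ScheduledTask |
    Where-Object { ($_.Actions | ForEach-Object Execute) -match $pattern } |
    ForEach-Object { "[persistence] scheduled task $($_.TaskName)" }

# 2. Network: while the game is running, does its process own any TCP
#    connections or UDP endpoints? This complements a Wireshark capture.
$procs = Get-Process -Name $baseName -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
        ForEach-Object { "[network] pid $($p.Id) TCP $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) $($_.State)" }
    Get-NetUDPEndpoint -OwningProcess $p.Id -ErrorAction SilentlyContinue |
        ForEach-Object { "[network] pid $($p.Id) UDP $($_.LocalAddress):$($_.LocalPort)" }
}
if (-not $procs) { "[network] $baseName is not running; start it and re-run for live socket checks" }

# 3. Registry: dump what the game actually stores under its settings key so the
#    values (video/controller settings, unlock state) can be inspected by eye.
if (Test-Path $SettingsKey) {
    Get-ItemProperty -Path $SettingsKey |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
} else {
    "[registry] $SettingsKey not found (adjust the placeholder path)"
}
```

Run it once with the game closed (persistence and registry checks) and once with the game running (socket check). An empty persistence section, no owned sockets, and a registry key holding only settings values is the same picture the post describes; a background key handler by itself is not evidence of logging.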

As further explained by GeneHF on Sonic Retro’s front page:

In other words, it’s like how CW Cheat [used to cheat in and modify games] can trigger antiviruses as a trojan horse, despite having no malicious software behind it.

Regardless of whether or not Sonic 2 HD contains malicious code, Sonic Retro has still formally announced that the coder responsible for this entire ordeal – forum user “LOst” – has been removed from Sonic 2 HD’s staff effective immediately. No word yet as to who will replace him, but one thing is for certain: his actions have dealt a serious blow to the credibility of the Sonic 2 HD project.

Whether the project can recover going forward remains to be seen, but we’ll keep you posted and wish those involved the best of luck.