How a 50-Year-Old ‘Finger’ Command Became a Hacker’s Favorite Tool
A software tool that has actually been almost forgotten is currently experiencing an unexpected comeback, albeit in a negative sense. Criminals are increasingly relying on the ancient “finger” command to execute malicious code on Windows computers.
Central element in ClickFix meshes
The Finger service was originally used to retrieve basic information about other users on Unix and later also Windows systems. Today it is considered uncommon, but is still supported by most operating systems and is consequently also exploited by attackers.
Security researchers have recently observed several campaigns that use the Finger service as a transport route for malicious code, as colleagues at Bleeping computers report. These attacks seem to appear particularly frequently in the context of so-called “ClickFix” scams, in which users are tricked into manually executing seemingly harmless commands.
An example made the rounds on Reddit a few days ago: A user reported that he had fallen for a fake Captcha query and executed the command specified there in the Windows command prompt. Behind this was a finger call, the output of which was forwarded directly to cmd.exe. This trick is used to reload any code and execute it immediately. Analyzes show that the finger answers retrieved in this way often contain scripts that first create a temporary directory, rename system tools such as “curl” and then download malware from prepared servers. In one documented case, a supposed PDF archive was unpacked that actually contained a Python module with spying capabilities.
Close port 79
Other variants delivered the remote maintenance Trojan NetSupport Manager, which grants attackers extensive control over the infected system. In some cases, the malicious routines even check whether analysis programs such as Wireshark or Process Hacker are installed and then terminate the infection in order to avoid detection.
According to experts, the attacks observed probably come from the same actor. The method seems simple, but it is always effective because well-crafted social engineering tricks trick users into executing dangerous commands themselves. Security researchers strongly recommend blocking outgoing connections via TCP port 79 to prevent improper access to Finger services. In addition, users should be made aware that they should never use commands from unknown sources in the command line, even if they seem harmless.
Digital marketing enthusiast and industry professional in Digital technologies, Technology News, Mobile phones, software, gadgets with vast experience in the tech industry, I have a keen interest in technology, News breaking.
