The legacy finger command, originally used to fetch user information on Unix and Windows systems, has resurfaced as a method for remote code execution. The discovery shows it being exploited to execute text-based commands on Windows through remote servers.
Legacy Protocol Vulnerabilities
Using a batch script, the finger command can request user information and stream responses into Windows command shells. A specific case saw a user unknowingly executing a command that connected to a finger server, resulting in the creation of random paths and extraction of compressed archives containing harmful scripts. These processes eventually ran a Python program that confirmed execution with a remote server.
Using pythonw.exe, the command also demonstrated an information-stealing behavior as part of the process. The notable conclusion: outdated protocols like finger can introduce vulnerabilities when coupled with social engineering tactics.
Detection and Mitigation Recommendations
Analysts have observed that this exploit pattern matches staged malware activities, often linked to a single attacker, evident from multiple similar incidents across victims. The scripts are designed to avoid detection and install remote access tools.
Current mitigation recommendations emphasize keeping systems updated, ensuring secure configurations, and being vigilant against social engineering schemes. Legacy protocols such as finger should be monitored closely to prevent exploitation.
