{"id":8505,"date":"2025-11-17T04:01:21","date_gmt":"2025-11-17T04:01:21","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/17\/32492\/"},"modified":"2025-11-17T04:01:21","modified_gmt":"2025-11-17T04:01:21","slug":"32492","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/17\/32492\/","title":{"rendered":"Finger.exe &amp; ClickFix, (Sun, Nov 16th)"},"content":{"rendered":"\n<div>Finger.exe &#038; ClickFix, (Sun, Nov 16th)<\/div>\n<div>\n<p>The finger.exe command is used in <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/decades-old-finger-protocol-abused-in-clickfix-malware-attacks\/\">ClickFix attacks<\/a>.<\/p>\n<p>finger is a very old UNIX command that was converted to a Windows executable years ago and has been part of Windows ever since.<\/p>\n<p>In the ClickFix attacks, it is used to retrieve a malicious script via the finger protocol.<\/p>\n<p>We wrote about finger.exe about 3 years ago: &#8220;<a href=\"https:\/\/isc.sans.edu\/diary\/29298\">Finger.exe LOLBin<\/a>&#8221;.<\/p>\n<p>What you need to know:<\/p>\n<ul>\n<li>finger communication takes place over TCP<\/li>\n<li>the finger protocol uses TCP port 79 and there is no way to change this port<\/li>\n<li>finger.exe is not proxy-aware<\/li>\n<\/ul>\n<p>So if you are in a corporate environment with an explicit proxy (one that blocks all Internet-facing communication that doesn&#8217;t go through the proxy), the finger.exe command won&#8217;t be able to communicate.<\/p>\n<p>And if you have a transparent proxy, finger.exe will be able to communicate, provided the proxy allows TCP connections to port 79.<\/p>\n<p>Didier Stevens<br \/>\nSenior handler<br \/>\n<a href=\"http:\/\/blog.didierstevens.com\/\">blog.DidierStevens.com<\/a><\/p>\n<p> (c) SANS Internet Storm Center. 
https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p><a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32492\">Go to isc.sans.edu<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Finger.exe &#038; ClickFix, (Sun, Nov 16th) The finger.exe command is used in ClickFix attacks. finger is a very old UNIX command that was converted to a Windows executable years ago and has been part of Windows ever since. In the ClickFix attacks, it is used to retrieve a malicious script via the finger protocol. We wrote [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-8505","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8505"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8505"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8505\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8505"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8505"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8505"}],"curies":[{"name":"wp","href":"https:
\/\/api.w.org\/{rel}","templated":true}]}}