The finger.exe command is used in ClickFix attacks.
finger is a very old UNIX command, that was converted to a Windows executable years ago, and is part of Windows since then.
In the ClickFix attacks, it is used to retrieve a malicious script via the finger protocol.
We wrote about finger.exe about 3 years ago: “Finger.exe LOLBin“.
What you need to know:
- finger communication takes place over TCP
- the finger protocol uses TCP port 79 and there is no way to change this port
- finger.exe is not proxy aware
So if you are in a corporate environment with an explicit proxy (and blocking all Internet facing communication that doesn’t go through the proxy), the finger.exe command won’t be able to communicate.
And if you have a transparent proxy, finger.exe will be able to communicate provided the proxy allows TCP connections to port 79.
Didier Stevens
Senior handler
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.