Ghosts in the Machine: How Old-School ‘Finger’ Protocol Became a New Malware Weapon
Cybercriminals are reviving a forgotten networking tool to sneak malware past defenses and trick Windows users into opening the door themselves.
Fast Facts
- The “finger” protocol, created in the 1970s, is being abused to deliver malware on modern Windows PCs.
- Attackers use social engineering, such as fake Captcha prompts, to convince victims to run malicious commands.
- Recent campaigns dubbed “ClickFix” disguise malware as PDF files, often stealing information or installing remote access tools.
- Malicious use of “finger” can bypass some security controls because it’s a legitimate, built-in system command.
- Blocking TCP port 79 can help stop these attacks at the network level.
The Resurrection of a Digital Dinosaur
In the world of cybercrime, nothing old ever truly dies - it just waits for a comeback. The “finger” protocol, a relic from the early days of the internet, was once a friendly tool for checking if your colleague was available on their Unix terminal. Today, cybercriminals are dusting it off and twisting it into a subtle, effective weapon against unsuspecting Windows users.
How a Forgotten Command Became a Hacker’s Backdoor
Originally designed in the 1970s, the finger protocol lets users look up basic info about others on a network. It’s simple: type “finger username@host” and get details like login time and home directory. But what’s unassuming to most is gold for attackers. By sending specially crafted finger commands, attackers can fetch and run malicious code from remote servers. Because finger is still present in modern Windows systems - even if almost nobody uses it anymore - security tools may overlook its activity.
Recent attacks, known as ClickFix campaigns, trick victims into running obscure Windows commands. One tactic involves fake Captcha tests urging users to “verify you are human” by pasting a command into a command prompt. Behind the scenes, this command uses finger to fetch a script, which then downloads and runs hidden malware - sometimes disguised as a PDF, other times as a remote access tool like NetSupport Manager RAT.
History Repeats: LOLBINs and Legacy Protocol Risks
This isn’t finger’s first foray into cybercrime. In 2020, security researchers flagged it as a “Living Off the Land Binary” (LOLBIN) - a legitimate tool abused for malicious ends. Cybercriminals love LOLBINs because they blend in with regular system activity, making detection tricky. The current wave of attacks goes a step further, with malware scripts that check for signs of cybersecurity tools on the victim’s machine and abort if found, an old-school trick with a modern twist.
While these attacks seem to trace back to a single group, the pattern is familiar: criminals exploiting overlooked corners of technology to outsmart defenses. It’s a reminder that even digital history can become a playground for modern threats.
Who’s at Risk - and What Can Be Done?
The victims range from hurried office workers to casual web surfers, all lured by convincing social engineering. These attacks are seen worldwide, with malware often designed to steal data or give attackers remote control of the machine. Defenders can fight back by blocking outgoing traffic on TCP port 79 (used by finger), disabling unnecessary legacy commands, and educating users about copy-paste scams. As long as old tools remain on new systems, vigilance is the price of safety.
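As an added example (not part of the article): a small Python triage script that applies the defender-side checks above to constructed, Sysmon-style process and network events. It flags finger.exe launches that reach a remote host, raises the severity when the output is piped into a script interpreter (the ClickFix chain described above), and flags any outbound connection to TCP port 79. The field names, hostnames and addresses are assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry), loosely shaped like
# Sysmon process-creation (event 1) and network-connection (event 3) records.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\finger.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "finger user@finger.example | cmd", "user": "DESKTOP\\alice"},
    {"image": r"C:\Windows\System32\finger.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "finger", "user": "DESKTOP\\bob"},          # local query, no remote host
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad report.txt", "user": "DESKTOP\\carol"},
]
NETWORK_EVENTS = [
    {"image": r"C:\Windows\System32\finger.exe", "dst_ip": "203.0.113.10",
     "dst_port": 79, "user": "DESKTOP\\alice"},
    {"image": r"C:\Program Files\Browser\browser.exe", "dst_ip": "198.51.100.7",
     "dst_port": 443, "user": "DESKTOP\\carol"},
]

# finger output piped straight into an interpreter is the LOLBIN pattern to catch
PIPE_TO_INTERPRETER = re.compile(r"\|\s*(cmd|powershell|pwsh|mshta|cscript|wscript)\b", re.I)

@dataclass
class Alert:
    severity: str
    reason: str
    user: str

def check_process(ev):
    """Alert on finger.exe launches that contact a remote host."""
    if not ev["image"].lower().endswith("\\finger.exe"):
        return None
    if "@" not in ev["cmdline"]:
        return None  # "finger" with no user@host never leaves the machine
    if PIPE_TO_INTERPRETER.search(ev["cmdline"]):
        return Alert("high", "finger output piped into a script interpreter (ClickFix pattern)", ev["user"])
    return Alert("medium", "finger.exe contacting a remote host", ev["user"])

def check_network(ev):
    """Alert on any outbound connection to the finger port; it should be blocked anyway."""
    if ev["dst_port"] == 79:
        return Alert("medium", f"outbound TCP/79 (finger) from {ev['image']} to {ev['dst_ip']}", ev["user"])
    return None

def scan(process_events, network_events):
    alerts = [a for a in map(check_process, process_events) if a]
    alerts += [a for a in map(check_network, network_events) if a]
    return alerts
```

Running `scan(PROCESS_EVENTS, NETWORK_EVENTS)` yields one high alert for the piped finger command and one medium alert for the port 79 connection; the local finger query and the browser traffic produce nothing.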
WIKICROOK
- Finger Protocol: The Finger Protocol is an early internet tool used to retrieve basic user information from remote computers, now largely obsolete due to security concerns.
- LOLBIN: A LOLBIN is a legitimate system tool that attackers exploit to perform malicious actions while avoiding detection by security software.
- Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.
- NetSupport Manager RAT: NetSupport Manager RAT is a remote access tool used for IT support but often exploited by hackers to control and monitor computers without consent.
- TCP Port 79: TCP Port 79 is used by the Finger protocol to share user information on networks. Blocking it helps prevent information leaks and related attacks.