Finger.exe & ClickFix

Published: 2025-11-16. Last Updated: 2025-11-16 07:27:55 UTC
by Didier Stevens (Version: 1)
0 comment(s)

The finger.exe command is used in ClickFix attacks.

finger is a very old UNIX command, that was converted to a Windows executable years ago, and is part of Windows since then.

In the ClickFix attacks, it is used to retrieve a malicious script via the finger protocol.

We wrote about finger.exe about 3 years ago: "Finger.exe LOLBin".

What you need to know:

  • finger communication takes place over TCP
  • the finger protocol uses TCP port 79 and there is no way to change this port
  • finger.exe is not proxy aware

So if you are in a corporate environment with an explicit proxy (and blocking all Internet facing communication that doesn't go through the proxy), the finger.exe command won't be able to communicate.

And if you have a transparent proxy, finger.exe will be able to communicate provided the proxy allows TCP connections to port 79.

 

Didier Stevens
Senior handler
blog.DidierStevens.com

Keywords:
0 comment(s)

Comments

Login here to join the discussion.


Top of page
Diary Archives