Windows Finger command abused by phishing to download malware


Sampei.Nihira

 

https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/

It is interesting to note that Finger.exe is also available in Windows XP.

The exe is in the "System32" folder.

This type of attack will probably never affect our OS.

But considering the rarity of use of the Finger.exe command, it might be interesting to consider blocking it.

Adding a rule to block the connection in your firewall has the same effect.

P.S. For OS after W.XP, for example w.10 x64, the rules are at least 2 because you also need to lock the exe in "syswow64".

Edited by Sampei.Nihira


10 hours ago, Sampei.Nihira said:

 

https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/

It is interesting to note that Finger.exe is also available in Windows XP.

The exe is in the "System32" folder.

This type of attack will probably never affect our OS.

But considering the rarity of use of the Finger.exe command, it might be interesting to consider blocking it.

Adding a rule to block the connection in your firewall has the same effect.

P.S. For OS after W.XP, for example w.10 x64, the rules are at least 2 because you also need to lock the exe in "syswow64".

Seems protection against that is the same as against many other attacks. Do not enable macros in Word unless you trust the document 100%.


It's indirect protection.
If they change the method of attack it will be in vain.
I personally prefer to use a direct block.
I put a custom rule in NVT OSArmor that blocks Finger.exe:

 

[%PROCESS%: *\finger.exe]

 


In OSes later than W.XP it is easy to get a firewall hardening for the most abused commands via the tool below:

 

https://hard-configurator.com/download/

LOLBin - Add

If a rule is not in the list it is easy to add it.

Edited by Sampei.Nihira