
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Monday, December 15th, 2025: DLL Entry Points; ClickFix and Finger; Apple Patches
Dec 15, 2025
Explore the intriguing world of DLL entry points, revealing how they can execute malicious code upon loading. Discover the ongoing ClickFix attacks that cleverly use the finger protocol to deliver malware. Learn about Apple's comprehensive December 2025 patches addressing critical vulnerabilities. Plus, uncover new security concerns in React Server Components, including Denial of Service and source code exposures. Stay informed on network mitigation strategies to prevent unauthorized access.
DLL Entry Points Run On Load
- DLLs can execute code automatically via their entry point when loaded, even if no exported function is called.
- Johannes Ullrich highlights entry points as critical to inspect during malware reverse engineering.
Finger Protocol Used To Deliver Payloads
- ClickFix campaigns abuse the finger protocol to serve PowerShell payloads over TCP/79, adding simple but effective obfuscation.
- Johannes Ullrich explains that attackers pipe ASCII data from a finger server into CMD to execute scripts.
Block Rare Outbound Ports Like 79
- Block or monitor outbound traffic on rarely used ports like TCP/79 to reduce exfiltration and covert fetch channels.
- Johannes Ullrich suggests limiting outbound ports and maintaining an allow-list to improve network security.
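
An added example (not from the podcast or from SANS): one way to act on the allow-list advice above is to review egress flow logs for outbound TCP connections to ports that are not on the allow-list, calling out TCP/79 specifically. The log layout, the 10.0.0.0/8 internal range, the allowed-port set and the sample lines are all constructed assumptions.

```python
import ipaddress
import re

# Constructed assumptions: internal range, permitted ports and log layout.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_OUTBOUND_TCP = {53, 80, 443, 587}
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
SAMPLE_LOG = """\
2025-12-15T09:14:02Z ALLOW TCP 10.1.4.23:51544 -> 203.0.113.7:79
2025-12-15T09:14:03Z ALLOW TCP 10.1.4.23:51545 -> 198.51.100.20:443
2025-12-15T09:15:40Z DENY TCP 10.1.7.8:49822 -> 203.0.113.7:79
2025-12-15T09:16:11Z ALLOW TCP 10.1.9.2:50001 -> 10.2.0.5:79
2025-12-15T09:17:25Z ALLOW TCP 10.1.4.40:50110 -> 198.51.100.99:8443
malformed line that the parser must skip
""".splitlines()  # constructed sample flows using documentation addresses


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_violations(lines):
    """Return outbound TCP flows whose destination port is off the allow-list."""
    findings = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m or m["proto"] != "TCP":
            continue  # unparseable or out of scope for this check
        if not is_internal(m["src"]) or is_internal(m["dst"]):
            continue  # only internal -> external traffic is reviewed
        port = int(m["dport"])
        if port in ALLOWED_OUTBOUND_TCP:
            continue
        findings.append({
            "ts": m["ts"], "host": m["src"], "dst": m["dst"], "port": port,
            # ALLOW means the egress filter let the connection out.
            "egress_gap": m["action"] == "ALLOW",
            "note": "finger (TCP/79)" if port == 79 else "rare port",
        })
    return findings


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_LOG):
        print(finding)
```

A denied flow is still reported: the filter worked, but something on that host attempted the connection and the host is worth a look.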
