How An Expired .CO.ZA WHOIS Server Was Used To Insert Spam Messages Into Domain Records

In 2016 we covered an incident involving a Russian, Vitaly Popov, who registered look-alike websites: in lifehacker.com the letters C and K were swapped for the Cyrillic с and к, and in google.com the first G was replaced with the Cyrillic ɢ. The names may appear the same, but they are different domains that direct visitors elsewhere. He would then spam Google Analytics with pro-Trump messages redirecting people to these websites.

There seems to have been something similar with a .CO.ZA WHOIS server that inserts spam messages into domain records.

What Is WHOIS?

WHOIS is a protocol that anyone can use to check who owns a domain name. Once you run the WHOIS command against a specific domain name it will return contact details for the registered domain owner, i.e. their name, address, and supplied telephone number as well as the domain’s technical contact’s details.

[Image: google.co.za WHOIS data. Example of WHOIS query results]

In some instances, where the domain owner purchased a WHOIS protection service, the contact details will be those of a proxy or the organisation providing protection services.

Other details returned on a WHOIS query include the date the domain was registered and when it is due for expiry.

This is what a WHOIS query typically returns when you run the command for a specific domain name, but some strange results started appearing in the WHOIS records of some .CO.ZA domains.
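As an added illustration of the protocol described above (example code written for this page, not from the article or from Sucuri): a minimal WHOIS client that speaks RFC 3912 (connect to TCP port 43, send the domain followed by CRLF, read until the server closes), a local stand-in server so the exchange can be run offline, and a parser for the "Section:" / indented-value layout used by the .CO.ZA registry output. The sample record, the registrant details, hostnames and addresses are constructed for the example.

```python
import socket
import socketserver
import threading

# Constructed sample response in the layout of the .CO.ZA registry output.
# Section names follow the registry format; every value is made up.
SAMPLE_RESPONSE = """\
Domain Name:
    example-site.co.za
Registrant:
    Example Registrant
    Email: admin@example-site.co.za
Registrar:
    Example Registrar
Relevant Dates:
    Registration Date: 1997-07-04
    Renewal Date: 2016-07-04
Domain Status:
    Registered until renewal date
Name Servers:
    ns1.example-site.co.za [ 192.0.2.10 ]
    ns2.example-site.co.za [ 192.0.2.11 ]

WHOIS lookup made at 2016-05-08 04:55 UTC
"""


class FakeWhoisHandler(socketserver.StreamRequestHandler):
    """Server side of RFC 3912: read one CRLF-terminated query, answer, close."""

    def handle(self):
        query = self.rfile.readline().decode("ascii", "replace").strip()
        body = SAMPLE_RESPONSE if query.endswith(".co.za") else "No match\r\n"
        self.wfile.write(body.encode("ascii"))
        # returning from handle() closes the connection, which signals end of response


def start_fake_server():
    """Start the local stand-in registry on an ephemeral port; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), FakeWhoisHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def whois_query(domain, server, port=43, timeout=10):
    """Client side of RFC 3912: TCP connect, send "<domain>\\r\\n", read until EOF."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # server closed the connection: response complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_zacr_record(text):
    """Parse the 'Section:' header / indented-value layout into a dict of lists.

    Non-indented lines without a trailing colon (terms notice, lookup timestamp)
    end the current section and are not stored.
    """
    record = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        indented = line.startswith((" ", "\t"))
        if not indented and line.rstrip().endswith(":"):
            section = line.strip()[:-1]
            record[section] = []
        elif not indented:
            section = None
        elif section is not None:
            record[section].append(line.strip())
    return record


def lookup(domain, server, port=43):
    """Query the given WHOIS server for a domain and return the parsed record."""
    return parse_zacr_record(whois_query(domain, server, port))


if __name__ == "__main__":
    srv, port = start_fake_server()
    try:
        print(lookup("example-site.co.za", "127.0.0.1", port))
    finally:
        srv.shutdown()
```

Because the client takes the server as an explicit parameter, the same function can be pointed at the registry server a lookup is supposed to use, which is the check the rest of the article turns on: a WHOIS client picks its server for you, and if it picks a stale one the response comes from whoever controls that hostname now.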

How The WHOIS Hack Happened

Sucuri Security, a company that specializes in website security, recently revealed that one of their customers started raising concerns about changes to their WHOIS records and email notifications containing spam content. Sucuri investigated the customer’s query further and discovered that “attackers had taken advantage of domain expiration by purchasing a previously legitimate WHOIS server”. The attackers managed to insert arbitrary ads into the old .CO.ZA (South African) WHOIS server records.

After that discovery, Sucuri then went on to look up where the official WHOIS server was for the client whose domain records were attacked and they received the following response:

dig co.za.whois-servers.net +noall +answer

; <<>> DiG 9.8.3-P1 <<>> co.za.whois-servers.net +noall +answer
;; global options: +cmd
co.za.whois-servers.net. 537 IN CNAME whois.coza.net.za.
whois.coza.net.za. 7138 IN A

As Sucuri’s Salvador Aguilar puts it, everything looks fine so far "coza.net.za is the official registrar for all co.za domains. Nothing appears to be wrong here."

It is when you look at the WHOIS record change e-mail notifications that you start to get a hint on what was changed.

"Each notification email showed a new set of spam links in the WHOIS changelog. These alerts gave us the information we needed to dig deeper." explains Sucuri's Salvador Aguilar.

It turns out each .CO.ZA notification e-mail Sucuri looked into resembled the following one:


"[3]You are a Winner!        One of Your Prizes: iPad mini SmartTV 65″. Participation Required        [4]hxxp://helpfulhint .net/Free_iPad 29c28
       [6]hxxp://www.survey-prizes .com/ —

[6]hxxp://www.apple .com/survey-prizes 34,39c33
       [8]hxxp://www.apple .com/survey-prizes      *    1. http://whois.co.za/search/redirect.php?f=http%3A%2F%2Fvq91811.com%2Fctrd%2Fclick%2Fnewjump1.do%3Faffiliate%3D45549%26subid%3D2237%26terms%3Dwhois%26ai%3DWYYX6a9Q-bLvuf4evYbPo_QfbnqRDklozolZrIvUL510Q0neMlFqafM9UdsF5048HtcW64dny_HKi5wSpE4QR2_5qQO-gOfJ4CR6rcb4exg_77tsOkTWvX1OcLIYZRmzP475….. (truncated)"

You don't need a PhD or to be a rocket scientist to realise that this is spam. But Aguilar noted something peculiar, "Why would queries go to whois.co.za instead of whois.coza.net.za?".

Below, Aguilar explains how he went about digging deeper and discovering what the issue was.


Querying The WHOIS Server

I went into Terminal and ran this query to find out:

whois victim-site.co.za
whois: za.whois-servers.net: nodename nor servname provided, or not known

Seeing this tipped me off that there is definitely something going on with this domain name.

In order to find the root cause of these issues, I installed Brew and used it to download an updated version of WHOIS. I was able to install WHOIS version 5.2.12 and simply ran the same command, but this time I had a different outcome (client information has been redacted).


./whois victim-site.co.za
Domain Name:
victim-site.co.za
Registrant:
[redacted]
Email: [redacted]
Tel: [redacted]
Fax: None
Registrant's Address:
[redacted]
Johannesburg
Gauteng
ZA
[redacted]
Registrar:
Internet Solutions
Relevant Dates:
Registration Date: 1997-07-04
Renewal Date: 2016-07-04
Domain Status:
Registered until renewal date
Pending Timer Events:
None
Name Servers:
jupiter.is.co.za [ redacted IP ]
titan.is.co.za [ redacted IP ]
demeter.is.co.za [ redacted IP ]

WHOIS lookup made at 2016-05-08 04:55 UTC

The use of this Whois facility is subject to the following terms and
conditions.
https://registry.net.za/whois_terms

Copyright (c) ZACR 1995-2016

Bingo, a correct result!

Still, this didn’t tell me what the issue was exactly.

Browsing The Registry Website

I opened my browser and visited the site for the WHOIS server:

hxxp://whois[.]co.za

I was immediately redirected to https://www.registry.net.za/whois/ – which is fine. It’s a legitimate website.

However when I went to:

hxxp://www.whois[.]co.za

… this time, I was redirected elsewhere, and a bunch of ads started popping up on my browser. GOTCHA!

This tells me something is wrong with the whois.co.za domain – and naturally, I needed to find out! I kept on checking using dig and found the following DNS records:

whois.co.za. 60 IN A 206.223.136.238
www.whois.co.za. 573 IN A 72.52.4.120

The bare domain and the www subdomain are pointed to different servers. You get a clean version when you simply use hxxp://whois[.]co.za and a spam-filled one if you use hxxp://www.whois[.]co.za.

When I simply ran another WHOIS query, this time I specifically told the WHOIS command which server to use:

[Image: whois.co.za raw WHOIS data]

There you go! Someone got a hold of the domain whois.co.za and renewed it on April 22nd. Our client started seeing ads in their notification emails ever since.

I tried to replicate the issue using a virtual machine and ran the WHOIS command there:

[[email protected] ~]$ whois whois.co.za
[Querying http://whois.co.za/cgi-bin/whois.sh]

The whois.sh script code renders an HTML page with – yes, you guessed it – lots of ads.


But, as Aguilar also discovered, the issue does not affect every .CO.ZA lookup: it only affects versions of WHOIS older than 5.0.19.

"My colleague, Joao, found the GitHub changelog for the WHOIS package of Debian which offers reasons why there is such a difference in these versions of WHOIS." explained Aguilar of Sucuri.

The whois.co.za domain was taken down in 2009, but an attacker later took advantage of this, purchased the domain and used it to serve advertisements instead of valid WHOIS information.

"This means that all UNIX systems using a WHOIS version older than 5.0.19 will still see the deprecated (and now malicious) WHOIS server when querying co.za domains." said Aguilar.
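Two checks a defender would want after reading the changelog notifications quoted earlier and the version finding above, written as an added example for this page (not code from Sucuri or from the Debian whois package): a version test against the 5.0.19 cut-off the article names, and a scan of a WHOIS response or a record changelog for HTML and for links that point anywhere other than the registry. The trusted hosts and the deprecated server come from the article; the format of `whois --version` output ("Version 5.2.12.") is an assumption, and the two record snapshots and their domains are constructed.

```python
import re
from urllib.parse import urlparse

# Registry hosts that may legitimately appear in a co.za WHOIS response (from the article).
TRUSTED_HOSTS = {"registry.net.za", "www.registry.net.za", "whois.coza.net.za"}
# The deprecated WHOIS server that expired and was re-registered, per the article.
DEPRECATED_SERVERS = {"whois.co.za"}
# First whois client version that no longer uses whois.co.za, per the article.
FIXED_VERSION = (5, 0, 19)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HTML_RE = re.compile(r"<\s*(html|script|a|img|body)\b", re.IGNORECASE)


def parse_whois_version(output):
    """Parse `whois --version` output, assumed to look like 'Version 5.2.12.', into a tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no version number found in: %r" % output)
    return tuple(int(x) for x in m.groups())


def client_is_affected(version):
    """True when the whois client predates 5.0.19 and still has whois.co.za built in."""
    return tuple(version) < FIXED_VERSION


def untrusted_links(text):
    """URLs in the text whose host is not one of the registry's own hosts."""
    return [u for u in URL_RE.findall(text)
            if (urlparse(u).hostname or "").lower() not in TRUSTED_HOSTS]


def audit_whois_response(server, text):
    """Return a list of findings for a co.za WHOIS response fetched from `server`."""
    findings = []
    if server.lower() in DEPRECATED_SERVERS:
        findings.append("deprecated WHOIS server used: %s" % server)
    if HTML_RE.search(text):
        findings.append("response contains HTML markup (expected plain text)")
    for url in untrusted_links(text):
        findings.append("off-registry link in record: %s" % url)
    return findings


def changelog_spam_lines(old_text, new_text):
    """Lines added between two record snapshots that carry an off-registry link,
    mirroring what the notification e-mails' changelog diff showed."""
    old_lines = set(old_text.splitlines())
    return [ln for ln in new_text.splitlines()
            if ln not in old_lines and untrusted_links(ln)]


# Constructed snapshots: a clean record and the same record with injected ad lines,
# modelled on the notification quoted in the article (all domains here are made up).
CLEAN_RECORD = """\
Domain Name:
    example-site.co.za
Registrar:
    Example Registrar
The use of this Whois facility is subject to the following terms and conditions.
https://registry.net.za/whois_terms
"""

SPAMMED_RECORD = CLEAN_RECORD + """\
You are a Winner! One of Your Prizes: iPad mini
http://spam-prizes.example/Free_iPad
http://whois.co.za/search/redirect.php?f=http%3A%2F%2Fads.example%2Fclick
"""


if __name__ == "__main__":
    print(client_is_affected(parse_whois_version("Version 5.2.12.")))
    for finding in audit_whois_response("whois.co.za", SPAMMED_RECORD):
        print(finding)
    print(changelog_spam_lines(CLEAN_RECORD, SPAMMED_RECORD))
```

The link check is an allowlist on the registry's own hosts rather than a blocklist of spam domains: a WHOIS record for a .CO.ZA domain has no business carrying links anywhere else, so anything off-registry is worth a notification regardless of which domain the current squatter is promoting.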
