In 2016 we covered an incident involving a Russian, Vitaly Popov, who went on to register websites that use the Cyrillic version of letters like C and K in lifehacker.com, swapped out for с and к, and Cyrillic ɢ replaced the first G in google.com which may appear the same, but instead are not and direct visitors elsewhere. He would then spam Google Analytics with pro-Trump messages redirecting people to these websites.
There seems to have been something similar with a .CO.ZA WHOIS server that inserts spam messages into domain records.
What Is WHOIS?
<a href="https://en.m.wikipedia.org/wiki/WHOIS” target="_blank">WHOIS is a protocol that anyone can use to check who owns a domain name. Once you run the <a href="http://www.whois.com/whois/” target="_blank">WHOIS command against a specific domain name it will return contact details for the registered domain owner, i.e. their name, address, and supplied telephone number as well as the domain’s technical contact’s details.
Example of a WHOIS query results<
In some instances, where the domain owner purchased a WHOIS protection service, the contact details will be those of a proxy or the organisation providing protection services.
Other details returned on a WHOIS query include the date the domain was registered and when it is due for expiry.
This is what typically a WHOIS query returns once you ask you run the command for a specific domain name, but some strange results started appearing in the WHOIS records of some .CO.ZA domains.
How The WHOIS Hack Happened
<a href="https://sucuri.net” target="_blank">Sucuri Security, a company that specialize in website security, recently revealed that one of their customers started raising concernes about changes to their WHOIS records and email notifications containing spam content. Sucuri investigated the customer’s query further and discovered that “attackers had taken advantage of domain expiration by purchasing a previously legitimate WHOIS server”. They managed to insert arbitrary ads into the old .CO.ZA (South African) WHOIS server records.
After that discovery, Sucuri then went on to look up where the official WHOIS server was for the client whose domain records were attacked and they received the following response:
; <<>> DiG 9.8.3-P1 <<>> co.za.whois-servers.net +noall +answer ;; global options: +cmd co.za.whois-servers.net. 537 IN CNAME whois.coza.net.za. whois.coza.net.za. 7138 IN A``` As Sucuri’s Salvador Aguilar puts it, everything looks fine so far "coza.net.za is the official registrar for all co.za domains. Nothing appears to be wrong here." It is when you look at the WHOIS record change e-mail notifications that you start to get a hint on what was changed. "Each notification email showed a new set of spam links in the WHOIS changelog. These alerts gave us the information we needed to dig deeper." explains Sucuri's Salvador Aguilar. It turns out each .CO.ZA notification e-mail Sucuri looked into, resembled thee following one: <small><strong> "You are a Winner! One of Your Prizes: iPad mini SmartTV 65″. Participation Required hxxp://helpfulhint .net/Free_iPad 29c28 hxxp://www.survey-prizes .com/ — hxxp://www.apple .com/survey-prizes 34,39c33 hxxp://www.apple .com/survey-prizes * 1. http://whois.co.za/search/redirect.php?f=http%3A%2F %2Fvq91811.com%2Fctrd%2Fclick%2Fnewjump1.do%3Faffiliate%3 D45549%26subid%3D2237%26terms%3Dwhois%26ai%3DWYYX6a9Q- bLvuf4evYbPo_QfbnqRDklozolZrIvUL510Q0neMlFqafM9UdsF5048H tcW64dny_HKi5wSpE4QR2_5qQO-gOfJ4CR6rcb4exg_77tsOkTWvX1 OcLIYZRmzP475….. (truncated)" </small></strong> You don't need a PhD or to be a rocket scientist to realise that this is spam. But Aguilar noted something peculiar, "*Why would queries go to whois.co.za instead of whois.coza.net.za?*". Below, Aguilar explains how he went about digging deeper and discovering what the issue was. _____ ##Querying The WHOIS Server I went in Terminal and ran this query to find out: `whois victim-site.co.za` `whois: za.whois-servers.net: nodename nor servname provided, or not known` Seeing this tipped me off that there is definitely something going on with this domain name. In order to find the root cause of these issues, I installed Brew and used it to download an updated version of WHOIS. I was able to install WHOIS version 5.2.12 and simply ran the same command, but this time I had a different outcome (client information has been redacted). <small> ./whois victim-site.co.za<br> Domain Name:<br> victim-site.co.za<br> Registrant:<br> [redacted]<br> Email: [redacted]<br> Tel: [redacted]<br> Fax: None<br> Registrant's Address:<br> [redacted]<br> Johannesburg<br> Gauteng<br> ZA<br> [redacted]<br> Registrar:<br> Internet Solutions<br> Relevant Dates:<br> Registration Date: 1997-07-04<br> Renewal Date: 2016-07-04<br> Domain Status:<br> Registered until renewal date<br> Pending Timer Events:<br> None<br> Name Servers:<br> jupiter.is.co.za [ redacted IP ]<br> titan.is.co.za [ redacted IP ]<br> demeter.is.co.za [ redacted IP ]<br><br> WHOIS lookup made at 2016-05-08 04:55 UTC<br> The use of this Whois facility is subject to the following terms and conditions. <br>https://registry.net.za/whois_terms<br> Copyright (c) ZACR 1995-2016</small> Bingo, a correct result! Still, this didn’t tell me what the issue was exactly. ##Browsing The Registry Website I opened my browser and visited the site for the WHOIS server: **hxxp://whois[.]co.za** I was immediately redirected to **https://www.registry.net.za/whois/** – which is fine. It’s a legitimate website. However when I went to: **hxxp://www.whois[.]co.za** … this time, I was redirected elsewhere, and a bunch of ads started popping up on my browser. GOTCHA! This tells me something is wrong with the **whois.co.za** domain – and naturally, I needed to find out! I kept on checking using dig and found the following DNS records: `whois.co.za. 60 IN A 184.108.40.206` `www.whois.co.za. 573 IN A 220.127.116.11` The bare domain and the www subdomain are pointed to different servers. You get a clean version when you simply use **hxxp://whois[.]co.za** and a spam-filled one if you use **hxxp://www.whois[.]co.za**. When I simply ran another WHOIS query, this time I specifically told the WHOIS command which server to use: <p align="center"> ![whois.co.za raw data](/content/images/2017/03/IMG_20170304_185724.png) </p> There you go! Someone got a hold of the domain **whois.co.za** and renewed it on April 22nd. Our client started seeing ads in their notification emails ever since. I tried to replicate the issue using a virtual machine and ran the WHOIS command there: `[me@vm-centos6 ~]$ whois whois.co.za` `[Querying http://whois.co.za/cgi-bin/whois.sh]` The **whois.sh** script code renders an HTML page with – yes, you guessed it – lots of ads. _____ But, it turns out as Aguilar also discovered, the issue doesn't affect all .CO.ZA domains. It turns out that it only affects versions of WHOIS older than 5.0.19. "My colleague, Joao, found the GitHub changelog for the WHOIS package of Debian which offers reasons why there is such a difference in these versions of WHOIS." explained Aguilar of Sucuri. As a result, in 2009 the **whois.co.za** domain was taken down in 2009 but an attacker took advantage of this and purchased the domain and used it to serve advertisements instead of valid WHOIS information. "This means that all UNIX systems using a WHOIS version older than 5.0.19 will still see the deprecated (and now malicious) WHOIS server when querying co.za domains." said Aguilar.