Harris said that watchTowr has since engaged with the National Counterintelligence and Security Center and the security organization ShadowServer to take custody of the dotmobiregistry.net domain. He expects them to safeguard it so that systems that still speak to this WHOIS server are no longer exposed to the threat.
After receiving a request for comment on Monday, a representative at GlobalSign said the company has initiated an investigation. A Google representative said that as an aggregator of tools, antivirus engines, security scanners, and other utilities, VirusTotal “may occasionally generate false positives, false negatives, or errors.” VirusTotal aggregates WHOIS responses from WhoisDS and the WHOIS client included in Linux. Once those sources query the correct WHOIS server for .mobi addresses, VirusTotal will, too, the representative said.
While the Linux client appears to have recently started querying the correct .mobi WHOIS server, most other resources have not, as evidenced by the constant stream of queries that was still pouring into Harris's rogue server as recently as Tuesday.
“The reality that this interconnected ‘network’ of WHOIS servers comes from a time where things were only hardcoded into numerous WHOIS clients, [meaning] that unfortunately, this won’t be cleared up overnight,” Harris told Ars.
It’s unclear whether WHOIS lookups for other top-level domains are exposed to similar threats. In any event, the underlying problem is that there’s no uniform naming convention for authoritative WHOIS servers, and the software doing the lookups rarely consults the one authoritative source. IANA’s root zone database (and its whois.iana.org server) publishes the current WHOIS server for each TLD, but many WHOIS clients ship hardcoded server tables instead and never ask. While some third parties have compiled lists of what they say are authoritative WHOIS servers, many of them erroneously list the now-deprecated dotmobiregistry.net as the authoritative WHOIS server for .mobi rather than the registry’s current server, whois.nic.mobi.
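To make that lookup concrete, here is an added example in Python; it is not code from the article, from watchTowr, or from any WHOIS client. It parses the record format that whois.iana.org returns for a TLD query, reads the `whois:` field that names the current registry WHOIS server, and flags a hardcoded client entry that disagrees with it. The IANA record and the hardcoded server table below are constructed for the example (the real `mobi` record has the same shape but different details), the function names are mine, and the raw port-43 helper is included for a live check but is not exercised offline.

```python
import socket
from typing import Dict, Optional

# Constructed sample of the record whois.iana.org returns for a TLD query.
# The real record for "mobi" has this key/value shape; these values are
# made up for the example except for the whois: line.
SAMPLE_IANA_MOBI = """\
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

domain:       MOBI

organisation: Example Registry Operator
address:      1 Example Street
address:      Example City

whois:        whois.nic.mobi

status:       ACTIVE

created:      2005-10-17
changed:      2023-01-01
source:       IANA
"""

# Constructed table of the kind found in WHOIS clients and third-party
# "authoritative server" lists. The .mobi entry is the stale one.
HARDCODED_SERVERS: Dict[str, str] = {
    "mobi": "whois.dotmobiregistry.net",
    "com": "whois.verisign-grs.com",
}

IANA_WHOIS_HOST = "whois.iana.org"
WHOIS_PORT = 43  # RFC 3912


def parse_iana_record(text: str) -> Dict[str, str]:
    """Parse an IANA TLD record into a dict keyed by lower-cased field name.

    Lines starting with '%' are comments. Fields are 'key: value'; a key
    that repeats (address lines) has its values joined with newlines.
    """
    record: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        record[key] = value if key not in record else record[key] + "\n" + value
    return record


def normalize_host(host: str) -> str:
    """Hostnames compare case-insensitively and with any trailing dot dropped."""
    return host.strip().rstrip(".").lower()


def authoritative_whois_server(tld: str, iana_record_text: str) -> Optional[str]:
    """Return the registry WHOIS server IANA lists for the TLD, or None if absent."""
    rec = parse_iana_record(iana_record_text)
    if rec.get("domain", "").lower() != tld.lower():
        raise ValueError(f"record is for {rec.get('domain')!r}, not {tld!r}")
    server = rec.get("whois")
    return normalize_host(server) if server else None


def audit_hardcoded_server(tld: str, hardcoded: str, iana_record_text: str) -> Dict[str, object]:
    """Compare a client's hardcoded server for the TLD against IANA's answer."""
    expected = authoritative_whois_server(tld, iana_record_text)
    actual = normalize_host(hardcoded)
    return {
        "tld": tld,
        "hardcoded": actual,
        "iana": expected,
        # Only flag when IANA actually names a server and it differs.
        "stale": expected is not None and actual != expected,
    }


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Raw RFC 3912 exchange: send query + CRLF, read until the server closes."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline: audit the constructed table against the constructed IANA record.
    print(audit_hardcoded_server("mobi", HARDCODED_SERVERS["mobi"], SAMPLE_IANA_MOBI))
    # Live (needs network): feed the real IANA answer into the same audit.
    # print(audit_hardcoded_server("mobi", HARDCODED_SERVERS["mobi"],
    #                              whois_query(IANA_WHOIS_HOST, "mobi")))
```

The same audit runs against any client's table: replace the sample record with the output of `whois_query(IANA_WHOIS_HOST, tld)` and a hardcoded entry that names a server IANA no longer lists is exactly the kind of reference that keeps talking to a domain someone else can register.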
What’s more, Harris said, the problem he has unearthed isn’t restricted to retired domains. S3 buckets and other cloud infrastructure can also create threats when they’re discarded and websites, deployment scripts, or other resources continue to reference them.
“The reality is that this issue exists in various forms (whether it be people using personal domains that they leave to expire, subsequently being registered by another individual who then subsequently has access to all accounts of the previous owner),” Harris told Ars. “We are of the opinion that this will continue to be a painful issue that reoccurs as we see the recycling of infrastructure/domains/etc.”