How long has this been going on? Star’s site infected

Last night, Roger’s Information Security Blog detailing the hacking of the legendary singer Van Morrison’s website.

From the description of the hack I would have expected Sophos to have been detecting the site as Mal/Iframe-F. Naturally, I visited the site, in a secure manner, to see what I could see. Unfortunately, I didn’t see an Iframe as described.

What I did see was a heavily obfuscated script injected into the page that references an iframe. A quick analysis of the obfuscated script revealed that it adds an iframe to the page to load content from a remote site (blacklisted for Sophos customers since Oct 7th). The WHOIS record that remote site strangely says:

Address : 56/2 Sun str.
City : Dallas
Province/State : beijing

This morning I wrote detection for the obfuscated script, as Troj/Iframe-DD.

After further digging on our systems we have seen multiple infections on this site:

How long has the site been infected? and how many infections will it have before the sites security is updated?