While investigating some files sent in by a customer last week I noticed that the automated analyzer had gotten stuck.
The attack site, in yellow, was a dead end. However, when I went there myself I saw some suspicious code. At the end of last week we released protection for Troj/Iframe-J. In this case the malware linked to a web page containing further malicious code. Examples of the code on the site were:
Sophos’s underlying detection for Mal/EncPg-A has been updated today because the samples associated with this attack site combined the 8-bit ASCII Bypass trick with null-byte obscured HTML: bytes that a lenient browser silently discards are spliced into the markup so that a plain byte-for-byte signature never sees the real tag. Combining these two tricks makes the decision to detect the code easier, since neither null bytes nor stray high-bit bytes have any legitimate business inside an HTML tag name 🙂
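As an added illustration of why the combination is easy to decide on (this is example code written for this page, not Sophos's Mal/EncPg-A detection logic), the following scanner assumes the bypass works by interleaving bytes a lenient renderer ignores (0x00 and bytes with the high bit set) into tag names and attributes. It normalizes the page the way such a renderer would, re-runs plain signatures over the result, and separately flags tag names that contained obscuring bytes. The sample page, its example.invalid URLs and the specific byte values are constructed for the example, not taken from the attack site described above.

```python
"""Normalize and scan HTML obscured with interleaved NUL and high-bit bytes.

Added example: assumes the obfuscation relies on bytes the browser discards
(0x00 and >= 0x80) being spliced into markup so that a raw signature such as
b"<script" never matches. Not Sophos's detection code.
"""
import re

# Constructed sample page (not from the real attack site). NUL bytes and
# high-bit bytes are spliced into the <script> and <iframe> tag names and
# into a src attribute.
OBSCURED_PAGE = (
    b"<html><body>\n"
    b"<s\x00c\x80r\x00i\xffp\x00t src=\"http://example.invalid/x\x00.js\"></s\x00cript>\n"
    b"<if\x00ra\x90me src=\"http://example.invalid/p\" width=0 height=0></iframe>\n"
    b"</body></html>\n"
)

# Plain byte signatures that a naive scanner would look for.
SIGNATURES = [b"<script", b"<iframe"]

# Tag name = everything after "<" or "</" up to whitespace or ">".
TAG_NAME_RE = re.compile(rb"</?([^\s>]*)")


def has_obscuring_bytes(chunk: bytes) -> bool:
    """True if the chunk contains a NUL or any byte with the high bit set."""
    return any(b == 0 or b >= 0x80 for b in chunk)


def count_bypass_bytes(data: bytes) -> dict:
    """Count the two obscuring tricks separately, for reporting."""
    return {
        "nul": data.count(b"\x00"),
        "high_bit": sum(1 for b in data if b >= 0x80),
    }


def normalize(data: bytes) -> bytes:
    """Drop NUL and high-bit bytes, mimicking a renderer that ignores them
    (assumption for this example: that is what makes the bypass work)."""
    return bytes(b for b in data if b != 0 and b < 0x80)


def obscured_tag_names(data: bytes) -> list:
    """Return the (normalized, de-duplicated) names of tags whose raw name
    contained obscuring bytes. Attribute values are deliberately excluded:
    UTF-8 text in an attribute legitimately has high-bit bytes, a tag name
    never does."""
    names = {
        normalize(m.group(1))
        for m in TAG_NAME_RE.finditer(data)
        if has_obscuring_bytes(m.group(1))
    }
    return sorted(names)


def scan(data: bytes) -> dict:
    """Run signatures before and after normalization and decide."""
    raw_hits = [s.decode() for s in SIGNATURES if s in data]
    normalized_hits = [s.decode() for s in SIGNATURES if s in normalize(data)]
    obscured = obscured_tag_names(data)
    if normalized_hits and obscured:
        # A script/iframe tag whose name had to be de-obscured to be seen:
        # the obscuring itself is the tell, no further judgement needed.
        verdict = "detect"
    elif normalized_hits:
        # Plain <script>/<iframe> is common on benign pages; needs context.
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "raw_hits": raw_hits,
        "normalized_hits": normalized_hits,
        "obscured_tags": obscured,
        "bypass_bytes": count_bypass_bytes(data),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(normalize(OBSCURED_PAGE).decode())
    print(scan(OBSCURED_PAGE))
```

Note that the raw signatures miss the constructed page entirely, while the normalized pass finds both tags; the verdict keys off the fact that the tag names themselves carried the obscuring bytes, which is why the two tricks together are easier to call than either a plain `<iframe>` or a page that merely contains non-ASCII text.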