Mal/EncPg-A protection updated to detect doubly obscured code

While investigating some files sent in by a customer last week I noticed that the automated analyzer had gotten stuck.

Attack site

The attack site, in yellow, was a dead end. However, when I went there myself I saw some suspicious code. At the end of last week we released protection for Troj/Iframe-J. This malware linked in this case to a webpage containing more malicious code. Examples of the code on the site were:

Sophos’s underlying detection for Mal/EncPg-A has been updated today because the samples associated with this attack site contained the 8-bit ASCII Bypass threat combined with Null Byte obscured HTML. Combining these two tricks makes the decision to detect the code easier 🙂