News Sites Try to Load Malware from Eclampsialemontree.net

For the last four days, my anti-virus software has been blocking a possible virus when I visit some popular news sites. The URL flagged as a virus is a subdomain of eclampsialemontree.net that has a long string of random characters and looks highly suspicious. A report on VirusTotal indicates two anti-virus providers are blacklisting that domain as a malware site.

The latest site where I encountered this virus alert was a story on Stars and Stripes. I'm not embedding a link for obvious reasons, but it has the headline "Veteran, one of 4,200 mistakenly declared dead by VA, feels 'resurrected.'"

In the Google Chrome developer console, I can see that when the story is read, the URL is being loaded in an XMLHttpRequest by this JavaScript code on the news page:

<script src="http://s.ppjol.net/lightbox/pp4.js"></script>
<script>
if (!navigator.userAgent.match(/StripesApp/i)) {
  var pp = { client: { config: { 'zone':"-jmtl7NTsKXjcoZnYuS2qB", 'mode':"universal", 'debug':0, 'precheck': function(){ return 1; } } } };
}
</script>

This code is provided by Press Plus, a company that manages newspaper subscription paywalls. I think the purpose of the script is to superimpose a box above the story that urges a reader to subscribe to the site.

The script does not have any reference to eclampsialemontree.net, so I don't know why it is attempting to make a connection to one of its subdomains.

I've encountered this 24 times on different news sites. I'd like to figure out why it's happening. I post a lot of links to news stories on the Drudge Retort and I can't link to a site I believe might have been compromised by a virus.
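One way to find out which script issued a flagged request is to export a HAR file from the Network tab of Chrome's developer tools and read the initiator call stack that Chrome records for each request. The following is an added example, not code from the original post or from Press Plus. It assumes Chrome's `_initiator` and `_resourceType` HAR fields; the sample HAR is constructed, and news.example, cdn.example/loader.js and the flagged subdomain label are hypothetical placeholders.

```python
import json
from urllib.parse import urlsplit

FLAGGED = "eclampsialemontree.net"  # domain named in the post

def host_matches(url, domain):
    """True for the domain itself or any subdomain, not for lookalike hosts."""
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

def initiator_scripts(initiator):
    """Script URLs from Chrome's _initiator call stack, innermost frame first,
    following async parent stacks (timers, promise callbacks)."""
    urls, stack = [], initiator.get("stack")
    while stack:
        for frame in stack.get("callFrames", []):
            if frame.get("url") and frame["url"] not in urls:
                urls.append(frame["url"])
        stack = stack.get("parent")
    if not urls and initiator.get("url"):  # parser-initiated: no stack recorded
        urls.append(initiator["url"])
    return urls

def trace_flagged(har, domain=FLAGGED):
    """List each request to the flagged domain with the scripts that issued it."""
    return [
        {"request": e["request"]["url"], "type": e.get("_resourceType"),
         "scripts": initiator_scripts(e.get("_initiator", {}))}
        for e in har["log"]["entries"]
        if host_matches(e["request"]["url"], domain)
    ]

# Constructed sample HAR; loader.js is a hypothetical second-stage script.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "http://news.example/story"}, "_resourceType": "document",
     "_initiator": {"type": "other"}},
    {"request": {"url": "http://s.ppjol.net/lightbox/pp4.js"}, "_resourceType": "script",
     "_initiator": {"type": "parser", "url": "http://news.example/story"}},
    {"request": {"url": "http://placeholder-random-label.eclampsialemontree.net/x"},
     "_resourceType": "xhr",
     "_initiator": {"type": "script", "stack": {
         "callFrames": [{"functionName": "send", "url": "http://cdn.example/loader.js"}],
         "parent": {"description": "setTimeout", "callFrames": [
             {"functionName": "", "url": "http://s.ppjol.net/lightbox/pp4.js"}]}}}},
    {"request": {"url": "http://eclampsialemontree.net.lookalike.example/"},
     "_resourceType": "xhr", "_initiator": {"type": "other"}},
]}}

if __name__ == "__main__":
    print(json.dumps(trace_flagged(SAMPLE_HAR), indent=2))
```

For a real capture, replace SAMPLE_HAR with the result of json.load() on the exported .har file. The order of the returned script URLs shows which file made the call directly and which earlier script scheduled it.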

Comments

Happens to me too. Newsinc.com, a site with sensationalist news/media that my 10-year-old has visited, is hosting frame content from eclampsialemontree.net.

I'm getting the same behavior when I visit www.DallasNews.com. I'm using Eset NOD32. If I try to visit their sports page, sportsday.DallasNews.com, I get a popup telling me I've used up my free visits.

Hello Roger!

You should activate moderation or spam check on your blog because it seems that spammers are getting through.

Best regards,
a reader.
