Botnet Hacked to Infect Victims with Antivirus Software

Not all hackers have chaos and destruction in mind. Many just want to undo the damage done by their black-hat counterparts. The Dridex botnet is usually a malicious network of hacked computers that distributes banking Trojans to unsuspecting victims, but as of now, its function may be a little different.

Clicking on a link in a Dridex spam email will sometimes now give you a valid, signed copy of Avira Free Antivirus software — perfect for cleaning Dridex's Trojans out of your system once and for all.

Avira's Lyle Frink covered this strange phenomenon on the company's blog, but the company denies any involvement. According to Frink, the events unfolding are strange, but simple. Instead of malware, incautious users are being duped into downloading free and legal copies of one of the best antivirus software programs.

In its natural state, the Dridex botnet is a repository of online-banking malware that the U.S. government attempted to take down last year. Although the botnet is less powerful now than it was, it cost victims tens of millions of dollars in damages in 2015.

Dridex's banking Trojan steals keystrokes and gives cybercriminals access to anything you type into a computer — usernames, passwords, physical addresses, credit-card numbers and so forth. It also, naturally, tries to turn each infected machine into part of the botnet.

Today, however, at least part of the Dridex botnet has no Trojans to give, and is instead distributing licensed copies of Avira to users who fall prey to email scams, usually by way of an infected Word document in a spam message's attachment. Not only would installing Avira neutralize Dridex's banking Trojan, but it would also block any other garden-variety malware likely to come through e-mail scams.

There are two theories about how this has come to pass. The first, and less likely, hypothesis is that cybercriminals are doing this themselves just to throw off Avira and other AV companies before launching an even stronger assault.

Avira didn't think much of this possibility, since a cybercriminal has no real incentive to give antivirus tools to potential victims.

The more likely scenario is that a white-hat hacker has hijacked the Dridex botnet and is trying to undo some of its damage. Avira insists that this is the work of a third party, especially since installing software without a computer owner's knowledge — even helpful software — is illegal almost everywhere.

Still, if you want Avira, it's best to just visit the company's website to get it. Dridex may be distributing the antivirus program today, but it will probably return to installing nothing but banking Trojans before too long.

Avira also makes software for Macs and Android devices; for more on those platforms, check out our lists of the best Mac antivirus software and the best Android antivirus apps.