Part of the distribution channel of the Dridex botnet was compromised by an unknown party who replaced the Trojans with Avira Antivirus installers!
The Dridex botnet remains an active threat, even after an attempt to remove it at the end of 2015.
Malicious code distributed by Dridex usually arrives in spam messages carrying malicious archive attachments. The most frequently used files are Word documents with embedded malicious macros.
Once the victim opens the file, the macros download the malware from a remote server. Dridex installs a keylogger on infected computers and, using transparent redirects and webinjects, manages to steal credentials from banking websites.
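The delivery stage described above relies on macro-bearing Word attachments, which gives a mail gateway a simple triage point before any macro ever runs. The following is an added example, not code from the article or from Avira: it builds constructed in-memory OOXML documents (one with a VBA project part, one without) and flags the ones that carry macros by inspecting the zip container. The file names and the `triage_attachments` helper are assumptions for illustration.

```python
import io
import zipfile


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML container standing in for a Word
    attachment. With with_macro=True it carries a VBA project part, the same
    structural marker a real macro-enabled document has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Content types declare a macro-enabled main part when macros exist.
        main_type = (
            "application/vnd.ms-word.document.macroEnabled.main+xml"
            if with_macro
            else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
        )
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes only; a real vbaProject.bin is an OLE stream.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def has_embedded_macros(data: bytes) -> bool:
    """Return True if an OOXML document contains a VBA project part or
    declares a macro-enabled content type. Non-zip input is treated as
    'no macros' here; a gateway would route it to other checks."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
            if any(n.endswith("vbaproject.bin") for n in names):
                return True
            if "[content_types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return "macroenabled" in ctypes.lower()
    except zipfile.BadZipFile:
        return False
    return False


def triage_attachments(attachments: dict) -> list:
    """Given {filename: bytes}, return the sorted names that carry macros.
    Hypothetical helper for a mail-gateway hook."""
    return sorted(name for name, data in attachments.items() if has_embedded_macros(data))


if __name__ == "__main__":
    # Constructed inbox: one clean document, one macro-bearing document.
    inbox = {
        "invoice.docx": build_sample_docx(with_macro=False),
        "invoice_urgent.docm": build_sample_docx(with_macro=True),
    }
    print("flag for quarantine:", triage_attachments(inbox))
```

The check is deliberately structural: it looks for the VBA part and the macro-enabled content type rather than trying to parse macro code, so it is cheap enough to run on every inbound attachment and catches the document type this campaign favoured regardless of what the macro itself does.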
But the recent botnet hack was done for very different purposes.
"The malware download URL has been replaced with a link to an updated Avira antivirus installer," said Moritz Kroll, an Avira malware expert.
So instead of malware, victims download a valid, signed copy of Avira's security software.
"We do not know exactly who did it and why - but we do have some theories," Kroll said.
One possible explanation is that a white-hat hacker managed to take over the botnet's control systems and replaced the malicious URLs with Avira's.