Angry malware, spyware and adware
A mysterious 'white hat' hacker has hijacked the servers of the Dridex banking trojan botnet so that it delivers free antivirus software instead of potentially dangerous malware iStock

How do you get rid of a huge nasty botnet that has infected large numbers of PCs with malware so that cyber-criminals can steal millions from bank accounts? Simple – change what the network of infected computers is sending out.

Instead of downloading programmes to secretly spy on your computer and send data back to cyber-criminals about your online banking credentials and other sensitive information, antivirus vendor Avira says it has noticed that a web installer for the free version of its antivirus software is being pushed out from the command-and-control servers of a particularly nasty type of banking malware called Dridex. But the thing is, Avira's researchers say they didn't put it there – and they have no idea who did.

"The content behind the malware download URL has been replaced. It's now providing an original, up-to-date Avira web installer instead of the usual Dridex loader. We still don't know exactly who is doing this with our installer and why, but we have some theories. This is certainly not something we are doing ourselves," Moritz Kroll, an Avira malware expert, wrote in a blog post.

Dridex is still a prominent cyber-threat

The Dridex banking Trojan botnet is considered to be one of the most dominant cyber-threats today. It was first spotted in November 2014, and is known to have relieved UK banking customers of least £20m ($29m) over the last few years by spreading via bulk email phishing campaigns that secretly install malware on to victims' computers in order to steal sensitive online-banking login credentials. The malware has existed in several variants with various names, primarily targeting small and medium-sized businesses. In October 2015, it became international news when the FBI, Europol, GCHQ and the UK's National Crime Agency announced that they had formed a joint taskforce to disrupt the botnet.

The law-enforcement agencies claimed that they were cracking down on the malware's authors internationally and that they had arrested Andrey Ghinkul, a 30-year-old Moldovan living in Cyprus, who was one of the ringleaders running a network that allowed the malware to securely communicate back with the cyber-criminals, who called themselves Evil Corp.

Ethical 'white hat' hackers taking the law into their own hands

Although several security companies including Symantec, Trend Micro, Proofpoint and Dell have been working with law enforcement to wrestle control of the botnet away from the hackers, the software still exists, and thus can continue to be exploited by other groups of cyber-criminals. So internet users still need to be vigilant and avoid opening email attachments from unrecognised email addresses – especially if they appear to be Microsoft Word or Excel documents.

"I really think it is a hacker who has discovered how to do a good thing, but perhaps with not strictly legal methods. If you think about it, there was a huge media announcement when Dridex was 'taken down' by the government authorities and a much smaller level of reporting on its return to the marketplace," Kroll told PC World magazine. "That has got to be frustrating to some and might cause them to think: 'The government tried to take it down, they could not, I can do something myself'."

Interestingly, this is not the first time that Avira has been associated with botnets: in the past, white-hat hackers have also hijacked the distribution servers for CryptoLocker and Tesla ransomware, and no one has claimed responsibility.