Robin Who? Dridex botnet replaced with antivirus software

A mysterious Good Samaritan has replaced the code on certain parts of the villanous Dridex botnet with Avira Anti-virus installers.

Should we doff our caps to the man in the white hat... or lock him up?
Should we doff our caps to the man in the white hat... or lock him up?

A white hatted mystery man has shanghaied a part of the sprawling Dridex banking trojan botnet, and replaced the malicious links with anti-virus installers. Specifically, Avira Antivirus software.

This portion of the altered Dridex Botnet was tweeted out on 2nd February

This individual appears to be kicking the dying body of Dridex, which was significantly weakened after the FBI teamed up with a number of IT security companies to take down the Trojan C&C servers late last year.  Several ringleaders were also brought down including the 30 year old Moldovan called Smilex, also known as, Andrey Ghinkul.

Dridex had its share of victims during the banking trojan's heyday and for a while it was one of the top ten banking trojans.

Dridex, like so much malware, commonly made its unwelcome arrival on an unwitting victims computer via a phishing email. That email would come attached with a Word document loaded with infected macros which, once activated, would deliver the payload.

Once successfully infected, a computer would be subject to the Dridex controller's whim. The trojan was able to execute code, download files and spy on the user's activity.

But what Dridex is really famous for is stealing personal details. The trojan would inject itself into popular browsers and steal details through slightly altered versions of websites that people use for critical personal facets of their lives, for example, online banking portals.

Now, part of Dridex's botnet does not deliver the Dridex loader but an Avira Antivirus installer. But who could have pulled off this rare act of righteous sabotage on such a prolific piece of malware?

“We think a white hat, maybe a grey hat”, Moritz Kroll of Avira told SCMagazineUK.com. “Beyond that, no. Fullstop.”

This isn't the first time this kind of thing has happened. Avira Antivirus installers have shown up in other kinds of malware including Cryptolocker and Tesla. Perhaps the most famous example is the creator of the Linux.Wifatch code which Symantec discovered last year going into infect Linux wifi routers and patching the security holes.

Theses anonymous Samaritans then added a backdoor on those routers so they could receive regular updates, effectively setting up a white hat botnet.

This kind of behaviour, no matter how benign, is still considered illegal in plenty of places. 

"It sounds like a line from Princess Bride: ‘you're trying to kidnap what I have rightfully stolen'," Kroll said. However, the fact that data was changed on private servers could mean different things in different jurisdictions: “a white hat, or ethical hacker, can face serious legal issues.” 

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS