It sounds like a scene from an absurdist play or a companion to the old tale of dogs and cats living together in harmony, but it has now been confirmed. Servers distributing the notorious Dridex banking trojan were instead circulating clean copies of the freely available Avira antivirus program.
Avira researchers still don't know how the mixup happened, but their chief theory is that a whitehat hacker compromised some of the Dridex distribution channels and replaced the normal malicious executables with a digitally signed Avira installer. As a result, when targets opened attachments contained in spam e-mails sent by Dridex servers, the would-be marks were instead prompted to run a program designed to protect computers from the very likes of the Dridex threat.
"We still don't know exactly who is doing this with our installer and why—but we have some theories," a blog post published Friday quoted Avira malware expert Moritz Kroll as saying. "This is certainly not something we are doing ourselves."