If you need a reminder that the term “hacker” should not have a negative connotation, this one is for you. Security firm Avira recently noticed that someone had hijacked the Dridex botnet to send users its free antivirus software instead of malware.

A botnet (a term formed from the words robot and network) is a group of Internet-connected computers communicating together to complete repetitive tasks and objectives, often used to send spam, push malware, or participate in distributed denial-of-service (DDoS) attacks. The Dridex botnet leverages Microsoft Word macros to infect systems (usually via a malicious email), after which attackers use it to steal banking credentials and other personal information via transparent redirects and injections to manipulate websites.

And yet, someone decided that Dridex should not serve its malicious payload anymore. Instead, it’s now delivering a clean, signed copy of Avira Free Antivirus.

After a user opens the Word document, the malicious macros grab Avira’s antivirus installer instead of the usual malware. The files on the remote server have been changed, and the security firm says it is not responsible for the modification.

“The content behind the malware download URL has been replaced, it’s now providing an original, up-to-date Avira web installer instead of the usual Dridex loader,” Avira malware researcher Moritz Kroll explained. “We still don’t know exactly who is doing this with our installer and why — but we have some theories. This is certainly not something we are doing ourselves.”

Some part of Dridex’s distribution channel has clearly been breached. It’s unlikely the botnet operators are distributing an antivirus solution, so Avira believes the person might be a white hat hacker — “white hat” in Internet slang refers to an ethical computer hacker, whereas “black hat” describes a hacker who breaches computer security for malicious purposes or personal gain.

The other theory is that cybercriminals are doing this to “somehow upset Avira’s and other AV companies’ detection process.” But Kroll thinks this is unlikely: “We don’t think that the malware guys would provide the Avira installer — they wouldn’t want to improve the protection level on their victims’ machines.”

It’s more likely that a white hat hacker got into the infected web servers and replaced the malware with the Avira installer. But we’ll likely never know the true story.

“While what they are doing is fundamentally helpful, it is also technically illegal in most countries, so they probably don’t want to be known or identifiable,” Kroll added.