A portion of the Dridex banking Trojan botnet may have been hacked or compromised by an unknown Whitehat Hacker, who replaced the malicious links with Avira Antivirus installers. The malware is believed to have been created by cyber criminals in Eastern Europe in an effort to harvest online banking details. Instead of distributing banking trojan, it seems to be spreading legitimate copies of the free anti-virus software from Avira, as the company has announced itself. The motives behind including including including the Avira software is still unclear, although these kinds of actions are considered to be illegal in many countries.
Source: https://thehackernews.com/2016/02/botnet-antivirus.html