[Tigzy]

just some general methods which are more than well known to public

Agreed, That was my very first question :D

Is this a PoC or the code is known?

[Brock]

@Tigzy

If this is so, I am interested too ;)

[EP_X0FF]

Offtopic moved

[EP_X0FF]

Hello,

I approve topic starter poc. It indeed terminates Kaspersky 2012 from user mode. All instances terminates without any warnings (default from the box configuration). This is not GUI-based attack. It uses generic flaw in Kaspersky self-protection. Additionally slightly modified this code can totally block Kaspersky from loading. Tested on Windows XP SP3 with Kaspersky v12.0.0.374

Plus some debug messages from kaspersky service

Version = 2.0.0.783
Unable to create DevObj for KLCR. err = c0000035

[R00tKit]

thanks EP :)

[vaber]

I approve topic starter poc. It indeed terminates Kaspersky 2012 from user mode. All instances terminates without any warnings (default from the box configuration). This is not GUI-based attack. It uses generic flaw in Kaspersky self-protection. Additionally slightly modified this code can totally block Kaspersky from loading. Tested on Windows XP SP3 with Kaspersky v12.0.0.374

Неужто и тут PG? ;) (is it PG case again?)

[EP_X0FF]

You should ask author I only used his idea and slightly extended it. From my point of view this method is surprising simple and I expected exploitation of something more complicated to be honest.

[kmd]

so anyone is going to publish anything?

[Tigzy]

I don't think so, It would already be done otherwise.

[listito]

great, any other av's vulnerable to this attack vector?

what about sharing with us a poc? :)