Saturday, August 25, 2012

Bypass proactive protection in Kaspersky Anti-Virus. Video demonstration.

Workflow:

1. Check that the driver is not present in the system directory (try to open it in Notepad).
2. Run the exploit. You are prompted to install the driver of Kaspersky. Do nothing (i.e., do not agree).
3. Try to open the driver file in Notepad again and voilà: the driver is installed!

Vulnerable: Kaspersky Crystal 12.0.1.228, KIS/KAV 2012, KIS/KAV 2011; other versions may also be affected.

Technical details won't be disclosed until I contact Kaspersky Lab staff.


Original post in Russian

Sunday, October 30, 2011

DLL hijacking in Qt-based applications

In March 2011, I wrote about DLL hijacking in VirtualBox. VirtualBox support said:
"This isn't DLL hijacking IMHO - you've spotted that Qt optionally loads
a library which normally isn't there at all.

If it is really security related, you'd need to report it to Nokia, as
they currently own Qt. We'd appreciate a pointer to the problem report
if possible, so that we can check what they're doing."

So I checked this idea. I downloaded:

and all of these applications were vulnerable to DLL hijacking (wintab32.dll).



But Oracle VirtualBox 4.1.2 wasn't vulnerable. Then I tried to find out in which version of Qt this problem had been solved, and I found this text for Qt 4.7.1:

"QLibrary
* [QT-3825] System libraries are only loaded from the system directories."

So if you are using a Qt-based application, I recommend updating your Qt libraries to >= 4.7.1. Just download them from http://qt.nokia.com/downloads/ and replace the files matching the mask QT*.dll in the directory that holds the Qt-based application's executable.
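
One way to check an installed application against this recommendation, as an added example that is not part of the original post: the PowerShell script below lists every Qt*.dll in an application folder with its file version, flags anything older than 4.7.1, and reports a wintab32.dll sitting beside the executable. The `$AppDir` default is a hypothetical path, and the script assumes the Qt DLLs carry a Windows version resource.

```powershell
# Added example: audit one Qt-based application's folder (PowerShell 3.0 or later).
param(
    # Hypothetical default path; pass the folder that holds the application's .exe.
    [string]$AppDir = 'C:\Program Files\ExampleQtApp'
)

# Qt release whose changelog lists the QT-3825 QLibrary change quoted in the post.
$fixed = [version]'4.7.1'

# 1. File version of every Qt*.dll that sits next to the executable.
$report = foreach ($dll in Get-ChildItem -LiteralPath $AppDir -Filter 'Qt*.dll' -File) {
    $vi = $dll.VersionInfo
    if ($null -eq $vi.FileVersion) {
        # Assumption: Qt DLLs carry a version resource. If one does not,
        # it cannot be judged here and has to be checked by hand.
        $ver    = $null
        $status = 'UNKNOWN (no version resource)'
    } else {
        $ver    = [version]('{0}.{1}.{2}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
        $status = if ($ver -lt $fixed) { 'OLD: update Qt' } else { 'ok' }
    }
    [pscustomobject]@{ File = $dll.Name; Version = $ver; Status = $status }
}

if ($report) {
    $report | Format-Table -AutoSize
} else {
    Write-Output "No Qt*.dll found in $AppDir"
}

# 2. wintab32.dll is the library named in the post. Assumption: the application
#    does not ship its own copy, so one found beside the executable is reported
#    together with its Authenticode status for review.
$stray = Join-Path $AppDir 'wintab32.dll'
if (Test-Path -LiteralPath $stray) {
    $sig = Get-AuthenticodeSignature -FilePath $stray
    Write-Warning ('wintab32.dll found in {0} (signature: {1}, signer: {2})' -f `
        $AppDir, $sig.Status, $sig.SignerCertificate.Subject)
} else {
    Write-Output 'No wintab32.dll in the application folder.'
}
```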

Links:
  1. Original post in Russian
  2. See list of Qt-based application here
  3. Qt: Security announcement – Windows DLL preloading
  4. Microsoft Security Advisory (2269637): Insecure Library Loading Could Allow Remote Code Execution
  5. A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm