The method works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it's executed, swaps it out with a malicious payload.
The exploit has to be timed just right so the benign code isn't switched too soon or too late. But for systems running on multicore processors, matousec's "argument-switch" attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.
All that's required is that the AV software use SSDT, or System Service Descriptor Table, hooks to modify parts of the OS kernel.
ALL the security products tested were vulnerable to this attack. Matusec has listed all the tested products on their website. The attack works even with a limited account.
The complete article can be found here:
http://www.matousec.com/info/articles/k ... ftware.php
The Register also covered it in their article:
http://www.theregister.co.uk/2010/05/07 ... av_bypass/