Coming soon: the Microsoft Virtual Rootkit
This is a fun paper. It talks about a rootkit that inserts itself as a virtualisation layer underneath the existing OS.
And yes, because it's a Microsoft Research paper, they had to point out that they could achieve exactly the same result against a Linux box.
Obviously, the best way to detect such a rootkit is to note its rather unwieldy effect on performance (though would that necessarily always be so? a leaner virtualisation layer might not be so easy to spot), together with a detection routine that runs outside the regular boot process: edit the CMOS boot settings to boot from removable media, then boot a read-only, known-clean OS with up-to-date detection tools. Booted that way, the rootkit's virtualisation layer is never loaded, so it cannot sit between the tools and the disk and lie about what is there. Sadly, a bootable read-only known-clean OS with detection tools is not something you can make from a Microsoft OS without skirting dangerously close to licence violations, or without paying through the nose for a licence for XP Embedded, which comes with Windows PE and is designed for OEMs to build an installation experience for Windows.
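As an added example (my own, not code from the paper or from Microsoft), here is the sort of minimal check such a clean-boot medium would carry: hash the first few sectors of the system disk, which a rootkit that loads itself underneath the real OS has to rewrite, and compare them with a baseline taken after a trusted install. The device path, the baseline file location and the sector count are assumptions for illustration; the script includes a demonstration on a constructed disk image so it can be tried without touching a real disk.

```shell
#!/bin/sh
# Offline boot-sector integrity check.
# Added example for this post, not code from the paper or from Microsoft.
# Run it from a read-only, known-clean boot medium: a rootkit sitting
# underneath the installed OS can hide its own boot-block changes from tools
# run inside that OS, but it is not running at all when you boot from clean
# media. Device paths and the baseline file location are assumptions.

# sha256 of stdin, portable across coreutils (sha256sum) and BSD/macOS (shasum).
hash_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{print $1}'
    else
        shasum -a 256 | awk '{print $1}'
    fi
}

# boot_hash DEVICE [SECTORS]: hash the first SECTORS 512-byte sectors of DEVICE
# (a block device such as /dev/sda, or a disk image). SECTORS defaults to 1,
# i.e. just the MBR; widen it to cover the whole boot track if the baseline
# was taken that way.
boot_hash() {
    dev="$1"
    sectors="${2:-1}"
    dd if="$dev" bs=512 count="$sectors" 2>/dev/null | hash_stdin
}

# record_baseline DEVICE BASELINE_FILE [SECTORS]: take the known-good hash.
# Do this once, from clean media, right after a trusted install, and keep the
# file on the read-only medium, never on the disk being checked.
record_baseline() {
    boot_hash "$1" "${3:-1}" > "$2"
}

# check_boot DEVICE BASELINE_FILE [SECTORS]: returns 0 when the boot sectors
# still match the baseline, 1 when they differ.
check_boot() {
    dev="$1"
    baseline="$2"
    sectors="${3:-1}"
    expected=$(cat "$baseline")
    current=$(boot_hash "$dev" "$sectors")
    if [ "$current" = "$expected" ]; then
        echo "OK: first $sectors sector(s) of $dev match baseline"
        return 0
    fi
    echo "ALERT: first $sectors sector(s) of $dev differ from baseline"
    echo "  expected $expected"
    echo "  current  $current"
    return 1
}

# Demonstration on a constructed 4-sector disk image: take a baseline, then
# simulate a rootkit rewriting part of the boot code and confirm the check
# fires. Returns 0 only if the clean image passed and the tampered one failed.
demo() {
    tmp=$(mktemp -d) || return 1
    img="$tmp/disk.img"
    dd if=/dev/zero of="$img" bs=512 count=4 2>/dev/null
    printf 'GOOD-BOOT-CODE' | dd of="$img" bs=1 conv=notrunc 2>/dev/null
    record_baseline "$img" "$tmp/baseline.sha256" 2
    if ! check_boot "$img" "$tmp/baseline.sha256" 2; then   # clean: expect OK
        rm -rf "$tmp"; return 1
    fi
    # Constructed tampering: overwrite bytes inside the hashed range.
    printf 'VMBR-LOADER' | dd of="$img" bs=1 seek=300 conv=notrunc 2>/dev/null
    if check_boot "$img" "$tmp/baseline.sha256" 2; then     # tampered: expect ALERT
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Run the demonstration when the script is executed directly.
demo
```

On a real machine you would call `record_baseline /dev/sda /media/cdrom/baseline.sha256 63` from the clean medium once, and `check_boot` with the same arguments on every later clean boot. The hash only tells you that something changed, not what; a legitimate bootloader update changes it too, so the baseline has to be retaken after any such update, again from clean media.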
It would be nice if a licence for any Windows operating system also included a licence to create bootable DVD-Rs containing the user's choice of recovery tools on a Windows PE subsystem.
The Virtual Rootkit has been covered at eWeak, where there's a lovely TalkBack entry:
"Microsoft cannot seem to make its product impervious to malware attacks, so the next best thing is to ensure that its nearest competitor, Linux/Open-source, is similarly vulnerable."
Uh... Yeah. Microsoft did that. Right. :-)
Sadly, the Computer Science answer is that any modern computer is a finite-state machine, which a Turing Machine can simulate, and it's a piece of cake to implement a Turing Machine with a bounded tape on a modern computer. As such, any modern computer may emulate any other modern computer; the only limits are the accuracy of the emulation and the performance of the emulated OS. Which is why no OS, Windows or Linux, is immune to being hoisted onto a hostile virtualisation layer: the trick depends on the hardware being emulatable, not on any flaw in the OS.
Quantum computers may be the exception, though only in performance: a classical machine can simulate a quantum one, but in general only at exponential cost.