Security Best Practices, Breaking News, & Updates
An interesting and technically rich article based on presentations at Black Hat last week. While hypervisor-based and virtualized rootkits represent an advance in malware, AVERT argues that they cannot hide in a 100% undetectable state.

Blue Pill - Truths & Myths analysis by AVERT Labs
http://www.avertlabs.com/research/blog/index.php/2007/08/13/the-truths-and-myths-about-blue-pill-and-virtualized-malware/

QUOTE: Last week I was at BlackHat, and it was a very exciting week in terms of Blue Pill and the virtualization rootkits issue in general. During the BlackHat 2007 Briefings in Las Vegas there were three interesting sessions that relate to virtualization system security and rootkits. I attended those three sessions and had a chance to chat some with three presenters. The main points I would emphasize are the following:

1. Providing a system virtualization facility at the processor level without applying any sound security policy is a serious design flaw.

2. A malware author's job is to leverage system design flaws, and hence the virtualization rootkits were very expected, including Blue Pill.

3. There is no rootkit that is undetectable, even if it installs itself as a hypervisor. The challenge is always in how to repair rootkits once they control some layer in the system architecture.

4. There needs to be a more organized effort between hardware virtualization vendors, software hypervisor providers and security companies to ensure the secure deployment of virtualization solutions.