"In their presentation, titled "Don't Tell Joanna, The Virtualized Rootkit Is Dead," the researchers detailed how to use counters that are external to a system to detect a virtualized rootkit's pull on CPU resources or other telltale footprints. It's got to be an external counter, given that a virtualized rootkit sits at the hypervisor level between the hardware and operating system and controls direct measurements—i.e., those internal to a system.
The only problem is, by day's end, Rutkowska revealed that the methods simply don't work as advertised."
"In her presentation, "IsGameOver(), anyone?" Rutkowska refuted Matasano's and Symantec's ability to detect Blue Pill and described ways to run away when somebody's trying to track the rootkit using timing determination.
First, Rutkowska outlined the Blue Chicken defense. This technique involves running away when timing determination occurs. Because the hypervisor sits in the middle, emulating a system, it has the ability to determine if somebody's trying to do a timing attack on the rootkit. In that case, she removes the hypervisor."
I got to see Joanna's talk and it was rather amusing.
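To make the cat-and-mouse game in the quoted articles concrete, here is an added example (my own, not code from the page, from Matasano, Symantec or Rutkowska). The first half is the classic in-guest timing probe: CPUID always causes a VM exit under VT-x/AMD-V, so timing it with RDTSC and keeping the minimum over many trials separates native from virtualized. The second half models the Blue Chicken response from the hypervisor's side: a VMM that handles every CPUID exit can count them against its own TSC and unload itself when it sees a burst. The cycle threshold and the burst heuristic are illustrative assumptions, not the published Blue Pill logic; calibrate the threshold on known-clean hardware before trusting it.

```c
/* Added example: in-guest CPUID/RDTSC timing probe plus a model of the
 * hypervisor-side "run away when probed" (Blue Chicken) decision. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>

/* Time one CPUID with the TSC. CPUID unconditionally exits to the hypervisor,
 * so its latency jumps by the cost of a VM exit/entry round trip. */
static uint64_t time_one_cpuid(void)
{
    unsigned int a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
}
#else
/* No CPUID/TSC on this architecture; report 0 so the rest still builds. */
static uint64_t time_one_cpuid(void) { return 0; }
#endif

/* Minimum over a series: interrupts, cache misses and SMIs only ever add
 * cycles, so the smallest observation is the cleanest. Returns 0 for n == 0. */
uint64_t min_of_samples(const uint64_t *samples, size_t n)
{
    uint64_t best = UINT64_MAX;
    for (size_t i = 0; i < n; i++)
        if (samples[i] < best) best = samples[i];
    return n ? best : 0;
}

/* Run the probe iters times and keep the minimum. */
uint64_t probe_min_cycles(int iters)
{
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < iters; i++) {
        uint64_t c = time_one_cpuid();
        if (c < best) best = c;
    }
    return iters > 0 ? best : 0;
}

/* Assumed threshold for illustration: native CPUID costs on the order of one
 * to a few hundred cycles; a VM exit round trip is usually well above 1000. */
#define VM_EXIT_CYCLE_THRESHOLD 1000ULL

int hypervisor_suspected(uint64_t min_cycles)
{
    return min_cycles > VM_EXIT_CYCLE_THRESHOLD;
}

/* Hypervisor side. A Blue Chicken-style VMM sees every CPUID exit together
 * with the TSC at which it happened, so a burst of exits is itself a signal
 * that someone is timing it. Heuristic (assumption): `burst` exits within
 * `window_cycles` means a probe is running and the VMM should unload.
 * exit_tsc must be in ascending order. Returns 1 to unload, 0 to stay. */
int blue_chicken_should_unload(const uint64_t *exit_tsc, size_t n,
                               uint64_t window_cycles, size_t burst)
{
    if (burst == 0 || n < burst) return 0;
    for (size_t i = 0; i + burst - 1 < n; i++)
        if (exit_tsc[i + burst - 1] - exit_tsc[i] <= window_cycles)
            return 1;
    return 0;
}

int main(void)
{
    uint64_t m = probe_min_cycles(2000);
    printf("min CPUID latency: %llu cycles -> %s\n",
           (unsigned long long)m,
           hypervisor_suspected(m) ? "hypervisor suspected" : "looks native");
    return 0;
}
```

Build with `cc -O2 -o vmprobe vmprobe.c` and run on bare metal and inside any VM to see the two regimes. The caveat is exactly the articles' point: both RDTSC and CPUID are handled by the thing you are trying to detect, so a hypervisor can subtract its own overhead from the TSC (TSC offsetting) or, as `blue_chicken_should_unload` models, simply leave before the probe finishes and return later. That is why Matasano and Symantec argued for a clock the hypervisor does not control, and why a probe that only runs in the guest is evidence, not proof.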