Microsoft Research (MSR) along with University of Michigan have an interesting paper that showcases a new type of malware specifically for Virtual Machines and hosts running the VM’s (Hper-V, VMWare Server, etc). This malware installs a monitor underneath the host of the VMs as a Virtual Machine Monitor (VMM). All VMM’s run in Ring 0 (kernel mode).

Essentially this is similar to a rootkit and they call this a VM based rootkit (VMBR). A VMBR looks to get itself installed underneath the host and essentially runs the target OS as guest. It needs to manipulate the boot sequence to load it self before the ‘guest’ OS. This allows them to run silently with the ‘guest’ OS not even aware of their presence. Of course this makes their detection quite difficult (if not impossible) by the ‘guest’ OS.

They go on to implement a couple of prototypes which subvert both XP and Linux. The paper discusses ways to detect and prevent VMBR’s such as such as security software running even below the VMBR in an isolated layer which is not controlled by the VMBR. Another option is to boot up from a ‘safe’ medium like a ROM drive or a secure VMM which won’t stop a VMBR, but can at least help detect it.