Revisiting SubVirt & Blue Pill: From Attacker Proof-of-Concepts to Defensive Foundations

 

Revisiting SubVirt & Blue Pill: From Attacker Proof-of-Concepts to Defensive Foundations

How early VM-based rootkit research shaped the architecture of modern system defense

 

 

“To understand the immeasurable, the mind must be extraordinarily quiet, still.”
— Jiddu Krishnamurti

 

 

Seeker(李标明) · @clibm079    

China · Independent Malware Analyst & Researcher 

From 2025.10.22 to 2025.10.29

Prologue: Non-VM-Based and VM-Based Rootkits

Last time, on 2025.10.14, I published a report about “Regin Static Analysis of Its Lightweight VFS Abstraction Layer” and other rootkit reports the day before, they were old classic or legacy rootkits.

 

The legacy rootkits were extremely popular; this era is considered to be the golden age of rootkits. For personal record of study, I might define the golden age as something like “Approximately 2005 to 2014 (±1 year).”

 

So I was very curious about the rootkit’s revolution and what’s happening from 2015 to 2025. I keep seeking and noted both SubVert and Blue Pill, which are modern rootkits called virtual machine-based (VM-based) rootkits. They are surprising me. So here I would like to share my study and personal view.

 

Before beginning, here let’s call the classic or legacy rootkits as non-VM-based. So it is a little bit clear and an intuitive way to categorize them for my study or personal perspective. Now, there are two types of rootkits: non-VM-based and VM-based rootkits.

 

 

Non-VM-Based Rootkit

About this type of rootkit, as we know, they operate within or on top of the OS, without using a hypervisor. Typical targets are like kernel structures, device drivers, MBR or boot sectors, which they do with techniques SSDT hooking, DKOM, file hiding, process hiding, and rootkit loaders in kernel space.

 

Yes, they run in kernel space. Classic rootkits operate in kernel space alongside the OS kernel, sharing the same privilege level and trust boundary. That colocation is a fundamental design flaw and risk: it makes the kernel a single point of failure, enabling rootkits to fully subvert the OS, hide from inguest defenses, and maintain persistent control.

 

Classic or legacy rootkits, non-VM-based rootkits, mainly need deep OS and kernel knowledge; they don’t normally require microarchitecture expertise or hypervisor-level CPU internals.

 

 

VM-Based Rootkit

About this new type of rootkit, like SubVirt and Blue Pill, they operate beneath the OS, using virtualization as a stealth layer, installing a thin or mini hypervisor to control the guest OS, intercepting OS operations from “underneath.”

 

Here, let’s go back to history to have a simple summary about SubVirt and Blue Pill. First to talk about SubVirt and then Blue Pill.

 

SubVirt: Implementing malware with virtual machines

Figure 1: from the original SubVirt report.

 

This new type of malware, called a virtual-machine-based rootkit (VMBR), inserts a minimal host operating system and VMM into the boot process. SubVirt alters the boot chain and forces the original operating system to run as a guest, fully controlled from the underlying hypervisor layer.

 

 

Blue Pill idea

Figure 2: from the original BH-US-06-Rutkowska report.

 

The Blue Pill proof-of-concept demonstrated a different threat vector from SubVirt: rather than re-platforming the boot sequence, Blue Pill showed that it leverages CPU virtualization extensions to start a mini hypervisor that could be launched beneath a running OS, migrating the OS into a guest instead of modifying the boot chain. It is very powerful because it shifts trust below the kernel without obvious boot artifacts.

 

 

The Challenge of Creating a VM-Based Rootkit

However, the implementations in SubVirt and Blue Pill highlight that compromising the system at the hypervisor layer requires a high degree of sophistication and is extremely hard to achieve in practice, because they must master them very well, at least as follows:

1.      Deep CPU or microarchitecture expertise and ability handle CPU virtualization (VMX/SVM).

2.      One must implement a mini host OS and VMM.

3.      Complex memory & device virtualization.

 

Just the above knowledge and techniques to master are very difficult for most people to create that type of VM-based rootkit. In my personal view, it’s not an average APT, but a nation-state-level APT can do it. And to defenders, they also have to raise themselves to the same or higher level.

 

 

VM-Based Rootkit Ideas Finally Become Defense Policy

In 2006, they were both modern proof-of-concept hypervisor rootkits, Today, the ideas behind VM-based rootkits are no longer just theoretical. Modern systems use virtualization to protect critical code, isolate sensitive data, and monitor for malware, after all for defense. Here are just some real-world applications:

1.      Cloud Security isolate sensitive workloads in protected mini-VMs.

2.      Application IsolationQubes OS.

3.      Operating System Protection – protect kernel code and credentials.

 

Yeah, today the idea and perspective are implemented as the main defense policy and trend, with deep implications for modern OS (Windows & Linux): as OS vendors and security products incorporate virtualization-based security (VBS, HVCI, and VM introspection).

 

In order to further understand what the core change inside is, I think it is important. Let’s extend to explain them simply as follows:

1.      VBS (Virtualization-Based Security): It creates a mini-OS via hypervisor. The purpose is to isolate critical Windows processes & secrets.

2.      HVCI (Hypervisor-Protected Code Integrity): It is a part of VBS and blocks unsigned drivers; the purpose is to enforce kernel code integrity.

3.      VM Introspection (VMI): It is used for stealth malware detection; the purpose is to monitor the VM from outside.

Figure 3: Modern Virtualization-Based Security Stack.

After all, VBS, HVCI, and VM introspection are different mechanisms that leverage virtualization to build a foundation for modern system security.

In other words, a classic rootkit is a big challenge to live and persist in in this type of environment.

 

 

Conclusion

The VM-based rootkit idea, like SubVirt and Blue Pill, came from a completely new structure design mindset in modern system defense, which makes defensive policy a very high-level evolution in the modern cybersecurity field; it highlights progress on the defensive side and being positive.

 

And until now, we haven’t seen publicly confirmed, widely deployed VM-based rootkits in the wild that match the scale or stealth claims of the early proof-of-concept like SubVirt or Blue Pill.

 

While VM-based rootkits are extremely rare, the attacker mindset they introduced has already materialized in the wild through UEFI firmware bootkits like LoJax (2018), ESPecter (2021), and MoonBounce (2022), The dates above represent approximate timelines, which provide similar stealth advantages by operating beneath the operating system. These look like a practical evolution as the attacker’s perspective.

 

Revisited the SubVirt and Blue Pill and the evolution. Nowadays, a new battle is taking place between attackers and defenders of modern computer systems, and they go forward with mutual promotion, truly incredible!

 

Epilogue: What the SubVirt and Blue Pill Taught Me

1.  The type of VMBRs like SubVirt and Blue Pill taught me too much to learn.

2.  The security field is an area that requires active response. Due to its inherent adversarial nature, learning and practice are continuous.

Annotation: In all the sentences I wrote and used the word “you or your or yourself” in, it talked to me or “the malware sample itself, especially in my poem I did”, not the reader. I must clarify my motivation.

 

 

 

 

 

 

 

 

 

 

 

 

 

 


References

[1]. https[:]//www.microsoft.com/en-us/research/wp-content/uploads/2016/02/subvirt.pdf?msockid=3358b4e5e04c69682295a69be12a689f

[2]. https[:]//theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html
[3]. https[:]//en.wikipedia.org/wiki/Blue_Pill_%28software%29

[4]. https[:]//blackhat.com/presentations/bh-usa-06/BH-US-06-Rutkowska.pdf

 

 

 



“Do or do not, there is no try.”
Master Yoda

 

 

End of Report

 

Seeker(李标明) · @clibm079    

China · Independent Malware Analyst & Researcher

Comments

Post a Comment

Popular posts from this blog

Deobfuscating APT28’s HTA Trojan: A Deep Dive into VBE Techniques & Multi-Layer Obfuscation

Image
  Summary I have recently noted that APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations, and the report from sekoia.io , the third part of the report referring to HATVIBE and CHERRYSPY infection chain, which related to another report from CERT-UA , attracted me to the extension. That sample is heavily obfuscated, so here it is, for this analysis, we will focus on doing deep dive with x32dbg debugging. Base on the last report title “ Unveiling APT28’s Advanced Obfuscated Loader and HTA Trojan: A Deep Dive with x32dbg Debugging” posted in 2025.02.25, But now on this report I will make a further process into the algorithm that decodes APT28’s HTA Trojan; it is very interesting to dive deeper inside. In brief, I am so excited to see what’s happened and what evasion technique it used.   Technical analysis The sample HASH md5 d0c3b49e788600ff3967f784eb5de973 Sha256: 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725 ...
Read more

Static Analysis of Turla’s Uroboros: Revealing Core Tactics and Technical Mindset

Image
  Though over a decade old, Uroboros reflects a level of technical mastery and creative mindset that still challenges analysts today     “To understand the immeasurable, the mind must be extraordinarily quiet, still.” — Jiddu Krishnamurti   By Seeker( 李标明 ) China Independent Malware Analyst & Researcher Download the Full Report (PDF) Prologue: The Temple and the Kerne l Recently, I still climbed a mountain and visited the temple again and again. Here, I keep moving to find more. In fact, to be honest, I’m still facing a lot of unknowns to learn, and that means continuing even when I’m confused or overwhelmed . And I like to do internal observation as my daily habit.   Most call it snake and Uroburos. I notice that Kaspersky used Uroburos or Uroboros in 2014 or 2015, but I like the name "Uroboros." Yeah, they are the same thing.   In this report, the first important thing is to do a simple static analysis and grasp their ...
Read more

The Art of Deception: A Deep Dive into Advanced Trojan-Dropper Obfuscation and Their True Intentions

Image
Summary   First thanks for Szabolcs Schmidt was calling global malware analysts to analysis the samples on X, I’m really appreciate his work and he is helping to make cybersecurity more safer and stronger. In this report, I do plan to dive deep into more details of the advanced Trojan dropper; it looks like obfuscation mechanisms, but until now, their true intentions have been unknown. The Trojan dropper is very intriguing and different from other APT groups. If you are keen to learn from the latest and related report, please click here .   Technical analysis   Basic info The sample hashs: md5 A699AFD908E0DEC5C96FF7188450B89F Sha256 f18631344d6f7fc57fd248edce37baeb11976e315b72b68d48311c406ace3f8c   Operation system: Operation system: Windows(95)[I386, 32-bit, GUI] (Heur)Packer: Packer detected[High entropy + Section 1 (".data") compressed]     Advanced string obfuscation Mechanisms? The strings in the malware Trojan d...
Read more