Hardware-supported CPU virtualization extensions such as Intel's VT-x allow multiple operating systems to be run at full speed and without modification simultaneously on the same processor. These extensions are already supported in shipping processors such as the Intel® Core Solo and Duo processors found in laptops released in early 2006 with availability in desktop and server processors following later in the year. While these extensions are very useful for multiple-OS computing, they also present useful capabilities to rootkit authors. On VT-capable hardware, an attacker may install a rootkit "hypervisor" that transparently runs the original operating system in a VM. The rootkit would be loaded in physical memory pages that are inaccessible to the running OS and can mediate device access to hide blocks on disk. This presentation will describe how VT-x can be used by rootkit authors, demonstrate a rootkit based on these techniques, and begin to explore how such rootkits may be detected. Dino Dai Zovi is a principal member of Matasano Security where he performs consulting engagements as well as research and development. Dino is a computer security professional and researcher with over 7 years of experience in software, web application, and network penetration testing, application and operating system source code review, cryptosystem design and review, malware analysis, security tool development, and Red Team security analysis for Fortune 100 firms and federal government departments and agencies. Dino's other research projects include KARMA, a wireless client-side security assessment toolkit, and Viha, the first monitor-mode wireless driver for Apple's AirPort 802.11b network cards."