This does not look like a new development in rootkits. If I understand the article's summary: there's a rootkit that sets a hardware breakpoint on the memory it overwrote in the kernel, and checks to see if accesses are normal or abnormal; for abnormal access, it subs in a fake value for the contents of that range of memory.<p>If you want to see where the state of the art in rootkits was in 2007(!), read:<p><a href="http://i.i.com.com/cnwk.1d/i/z/200701/bh-dc-07-Rutkowska-ppt.pdf" rel="nofollow">http://i.i.com.com/cnwk.1d/i/z/200701/bh-dc-07-Rutkowska-ppt...</a><p>...noting that this is Joanna Rutkowska explaining how to reprogram MMUs (here with MMIO remapping) to defeat <i>hardware DMA memory forensics</i>.
Once your trusted space is compromised (the kernel space in this case), trying to detect or fix the compromise from that same space turns into a game of Core War: <a href="http://en.wikipedia.org/wiki/Core_War" rel="nofollow">http://en.wikipedia.org/wiki/Core_War</a><p>Scanning for rootkits from a hypervisor would solve this problem... as long as your hypervisor isn't compromised itself!