Now, here's the part that's going to bake your noodle: While it's possible to detect the root-kitting of a normal PC with "hypervisor malware", how on Earth will you detect the Trojaning of a virtual image running on something like a VMWare box?
That's right, a virtualised root-kit affecting a virtualised OS. Try measuring "perturbed timings" then!
I suppose you could bloat up the actual virtualisation layer (like VMWare's hypervisor, for example) with an AV detection engine designed to scan for this sort of stuff, but ye gads, that means running security software at the virtualisation layer to monitor the operating systems that your other security software runs on! It's enough to turn a reasonable person quite insane.
This blogger muses about it here.