This comes under both firmware and hardware rootkits. The reason is that a hypervisor is a virtual environment that runs directly on the hardware, but it is essentially firmware. Hence, we have drawn the line and placed this rootkit in the firmware category of rootkits. Since the attacker has to go beneath the real kernel of the system to insert the hypervisor rootkit, at the virtual machine layer that runs on the hardware, it is often mistaken for a kernel rootkit. To understand the layering better, let us look at the following image:
The attacker runs a hypervisor rootkit at the virtual machine firmware level on the system hardware, beneath the real kernel of the system. When a system is infected with a hypervisor rootkit, the system's kernelland has no clue that it is interacting with the hypervisor rootkit rather than the real hardware. Hence, detection becomes almost impossible from any of the layers above. In rootkit analytics, who wins the war depends on the layer at which detection and prevention take place versus the layer at which the rootkit is installed. Whoever gets closer to the hardware first wins. This means that if a user runs userland or kernelland anti-rootkit tools, hypervisor rootkits cannot be detected. Compare this with an "Age of Empires" scenario in which a bribed knight poisons his king and then starts giving orders to the entire kingdom in the king's name: everyone follows the orders, believing that they really came from the king. Similarly, in the case of hypervisor rootkits, the kernelland and everything above it remain clueless about the fact that they are not running on the real hardware but on a virtual machine layered above the real hardware.
More to be added soon...