Please read WFA pp. 308-328 if you haven't already.
What is a rootkit?
It's a modification, usually of the operating system itself or of access to the operating system, made in an attempt to hide the presence of malware.
What is Blue Pill?
It's a complete replacement of the user's operating system by a virtualized environment. While it is generally termed a rootkit, the idea is that the only state that stays the same is non-volatile or non-local state.
The first place to look is the venerable http://www.rootkit.com/. There's a lot there, and it appears to still be alive.
One prevalent idea is that of "crossviews": you use any differences between the view from the suspect system and the view from a different one to detect rootkits. Another is direct analysis (to the extent possible, at least) of memory from within a suspect system, compared against what standard tools are telling you is there.
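The crossview idea, as an added example (not from these notes or from WFA): a file listing taken through the suspect system's own APIs is compared with a listing of the same volume taken from trusted boot media. The listing format, the file names, the shortened digests and the `volatile` exclusion list are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample listings ("digest size path"); digests are shortened placeholders.
INSIDE = r"""
a1a1 4096 C:\Windows\System32\drivers\disk.sys
b2b2 8192 C:\Windows\System32\drivers\ntfs.sys
d4d4 120 C:\Windows\Temp\session.log
"""  # as reported by the suspect system's own APIs
OUTSIDE = r"""
a1a1 4096 c:\windows\system32\drivers\disk.sys
c3c3 8192 C:\Windows\System32\drivers\ntfs.sys
e5e5 2048 C:\Windows\System32\drivers\example_hidden.sys
d9d9 300 C:\Windows\Temp\session.log
"""  # same volume read from trusted boot media

@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    digest: str

def parse_listing(text):
    """Parse 'digest size path' lines into {normalized_path: Entry}."""
    entries = {}
    for line in text.strip().splitlines():
        digest, size, path = line.split(None, 2)  # path may contain spaces
        # Windows file names are case-insensitive: normalize so the views line up.
        entries[path.replace("/", "\\").lower()] = Entry(path, int(size), digest)
    return entries

def crossview(inside, outside, volatile=()):
    """Diff the suspect system's view against a trusted outside view."""
    skip = tuple(v.lower() for v in volatile)
    findings = {"hidden": [], "phantom": [], "altered": []}
    for key in sorted(inside.keys() | outside.keys()):
        if key.startswith(skip):
            continue  # paths expected to change between the two snapshots
        i, o = inside.get(key), outside.get(key)
        if i is None:
            findings["hidden"].append(o.path)   # on disk, invisible to the live system
        elif o is None:
            findings["phantom"].append(i.path)  # reported live, absent from the disk
        elif (i.size, i.digest) != (o.size, o.digest):
            findings["altered"].append(o.path)  # live reads return different bytes
    return findings

if __name__ == "__main__":
    print(crossview(parse_listing(INSIDE), parse_listing(OUTSIDE), [r"C:\Windows\Temp"]))
```

Without the `volatile` exclusion, files that legitimately change between the two snapshots show up as "altered", which is the main source of false positives in this kind of comparison.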