A rootkit is a software system that consists of a program or combination of several programs designed to hide or obscure the fact that a system has been compromised. Contrary to what its name may imply, a rootkit does not grant a user administrator access, as it requires prior access to execute and tamper with system files and processes. An attacker may use a rootkit to replace vital system executables, which may then be used to hide processes and files the attacker has installed, along with the presence of the rootkit. Access to the hardware, e.g., the reset switch, is rarely required, as a rootkit is intended to seize control of the operating system. Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security mechanisms. Often, they are Trojans as well, thus fooling users into believing they are safe to run on their systems. Techniques used to accomplish this can include concealing running processes from monitoring programs, or hiding files or system data from the operating system. Rootkits may also install a "back door" in a system by replacing the login mechanism (such as /bin/login) with an executable that accepts a secret login combination, which, in turn, allows an attacker to access the system, regardless of changes to the actual accounts on the system.

Rootkits may have originated as regular applications, intended to take control of a failing or unresponsive system, but in recent years have been largely malware to help intruders gain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Microsoft Windows, Linux, Mac OS, and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules, depending on the internal details of an operating system's mechanisms.

History

The term rootkit or root kit originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that surreptitiously granted root access. If an intruder could replace the standard administrative tools on a system with a rootkit, the modified tools would allow the intruder to maintain root access over the system while concealing these activities from the legitimate system administrator. The earliest known rootkit was written in about 1990 by Lane Davis and Steven Dake for SunOS 4.1.1.Fact: date=August 2008 There was an earlier exploit equivalent to a rootkit that was perpetrated by Ken Thompson of Bell Labs against a naval laboratory in California to win a bet.Fact: date=March 2009 Thompson subverted the C compiler in a distribution of Unix to the Lab.

A rootkit cannot elevate an attacker's privileges before it is installed on the target system. Installation requires the intruder to have root or administrator access, which may be achieved by having physical access or exploiting a security vulnerability that allows privilege escalation in a computer system. Alternatively, the installation program of the rootkit may simply be started unwittingly by an administrator, for example via a Trojan application. Once installed, the rootkit maintains administrator-level access over time by subverting the system in some way, and actively hides its presence from other processes.