by mordocai 3576 days ago
No, that's wrong. Wikipedia has definitions that match my own knowledge, so I'll link and quote those.

https://en.wikipedia.org/wiki/Rootkit

"A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software."

https://en.wikipedia.org/wiki/Backdoor_(computing)

"A backdoor is a method, often secret, of bypassing normal authentication in a product, computer system, cryptosystem or algorithm etc. Backdoors are often used for securing unauthorized remote access to a computer, or obtaining access to plaintext in cryptographic systems.

A backdoor may take the form of a hidden part of a program,[1] a separate program (e.g. Back Orifice may subvert the system through a rootkit), or may be a hardware feature.[2] Although normally surreptitiously installed, in some cases backdoors are deliberate and widely known. These kinds of backdoors might have "legitimate" uses such as providing the manufacturer with a way to restore user passwords."


No, that is really wrong. Rootkits aren't for privilege escalation, see the paragraph immediately following your quote:

"... an attacker can install it once they've obtained root or Administrator access."

Calling BO a backdoor is a major corruption of the word, as you lose the only word for describing intentionally weakened security - so that you may describe a thing which already has several more explicitly defining names: malware, trojan, dropper, etc.

The installation of the rootkit is different from its purpose. A rootkit may require a root permission to install, perhaps piggybacking on another legitimate install such as in the famous Sony BMG rootkit. Or it may use an exploit to gain root access and install.

However, once installed, the purpose is the same: To provide the attacker with root permissions. It will also typically use its access to root permissions to hide itself from detection.

> A rootkit may require a root permission to install...

This sort of phrasing is misleading. If your OS restricts security-sensitive kernel functions to the root user (hint: 99% of OSes do), then it isn't "may" - it is "must". Are there wrapper scripts that run privilege escalation exploits before installing the rootkit? Yes. Doesn't that make the exploit part of the rootkit? No, they are two very different things performing two different functions and are capable of operating independent of one another.

> ...the purpose is the same: To provide the attacker with root permissions.

No, it is to allow code to run at the same privilege level as the kernel itself. Unrestricted loadable kernel modules. Think that is a distinction without a difference? OSX disagrees, as does Windows.
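The comment above turns on whether the current execution context is allowed to load kernel code at all. On Linux that gate is not "uid 0" but the CAP_SYS_MODULE capability, and a root shell can still be refused if kernel.modules_disabled has been set. The following check is an added example, not code from the thread or from Wikipedia; the capability number (16) and the /proc and sysctl paths are real Linux interfaces, while the two status samples are constructed for illustration.

```python
import os

# Linux capability number for loading/unloading kernel modules (linux/capability.h).
CAP_SYS_MODULE = 16


def parse_capeff(status_text):
    """Extract the effective capability bitmask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("CapEff line not found in status text")


def has_cap(capeff, cap):
    """True if capability number `cap` is set in the bitmask `capeff`."""
    return bool((capeff >> cap) & 1)


def modules_disabled(sysctl_text):
    """kernel.modules_disabled is a one-way switch: '1' means no more module loads."""
    return sysctl_text.strip() == "1"


def can_load_module(status_text, modules_disabled_text):
    """Loading a module needs CAP_SYS_MODULE in the effective set AND the
    kernel.modules_disabled sysctl still at 0. Being uid 0 is neither
    necessary nor sufficient on its own."""
    return has_cap(parse_capeff(status_text), CAP_SYS_MODULE) and not modules_disabled(
        modules_disabled_text
    )


# Constructed samples (not captured from a real machine). The root sample carries
# a full effective capability set; the unprivileged sample carries none.
ROOT_STATUS = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
USER_STATUS = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"


def current_context():
    """Run the same check against the live process. Returns None when the
    Linux-specific files are unavailable (non-Linux host, restricted /proc)."""
    try:
        with open("/proc/self/status") as f:
            status = f.read()
        with open("/proc/sys/kernel/modules_disabled") as f:
            disabled = f.read()
    except OSError:
        return None
    return can_load_module(status, disabled)


if __name__ == "__main__":
    print("root sample, modules enabled :", can_load_module(ROOT_STATUS, "0\n"))
    print("user sample, modules enabled :", can_load_module(USER_STATUS, "0\n"))
    print("root sample, modules disabled:", can_load_module(ROOT_STATUS, "1\n"))
    print("this process                 :", current_context())
```

Two caveats a practitioner would add: a kernel booted with lockdown (for example under Secure Boot) refuses unsigned modules even when both checks above pass, and the check says nothing about userland rootkits, which need no kernel access at all.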

Regardless, the point of a rootkit is to provide an execution context with escalated privileges. Whether that means root user, kernel space, or System user, I would think, depends on the specific rootkit. (Whose name, of course, points to "root" privileges.) Which was my original definition and is in line with the posted definition from Wikipedia.

Well I guess we won't come to an agreement, because it seems that, for whatever reason, you prefer a very loose definition. For example, you just couldn't help yourself in confusing the privilege escalation point: "...context with escalated privileges." The rootkit isn't escalating anything, in the same way that LKMs, bootloaders, trace tools, or drivers don't escalate - it executes at or below its own privilege level.

I'm obviously not communicating my point well. Let's try this:

A backdoor executes in a remote machine. It allows attackers to access that machine.

A rootkit executes in a "remote" privileged context. It allows attackers to access that privileged context. It's in this context that I refer to escalation; it allows the attacker in a non-privileged context access to a privileged context; aka escalation. And yes, the actual escalation already happened in the past, when the rootkit was installed. However, a non-privileged user is still gaining illicit access to a privileged context at the moment that the rootkit is utilized.

Also, at this point I think we're splitting semantic hairs that don't really matter, aside from pedantry.