[woodman]

No, that is really wrong. Rootkits aren't for privilege escalation, see the paragraph immediately following your quote:

"... an attacker can install it once they've obtained root or Administrator access."

Calling BO a backdoor is a major corruption of the word, as you loose the only word for describing intentionally weakened security - so that you may describe a thing which already has several more explicitly defining names: malware, trojan, dropper, etc.

[jdmichal]

The installation of the rootkit is different from its purpose. A rootkit may require a root permission to install, perhaps piggybacking on another legitimate install such as in the famous Sony BMG rootkit. Or it may use an exploit to gain root access and install.

However, once installed, the purpose is the same: To provide the attacker with root permissions. It will also typically use its access to root permissions to hide itself from detection.

[woodman]

> A rootkit may require a root permission to install...

This sort of phrasing is misleading. If your OS restricts security sensitive kernel functions to the root user (hint: 99% of OSes do), then it isn't "may" - it is "must". Are there wrapper scripts that run privilege escalation exploits before installing the rootkit? Yes. Doesn't that make the exploit part of the rootkit? No, they are two very different things performing two different functions and are capable of operating independent of one-another.

> ...the purpose is the same: To provide the attacker with root permissions.

No, it is to allow code to run at the same privilege level as the kernel itself. Unrestricted loadable kernel modules. Think that is a distinction without a difference? OSX disagrees, as does Windows.

[jdmichal]

Regardless, the point of a rootkit is to provide an execution context with escalated privileges. Whether that means root user, kernel space, System user is I would think depends on the specific rootkit. (Whose name, of course, points to "root" privileges.) Which was my original definition and is inline with the posted definition from Wikipedia.

[woodman]

Well I guess we won't come to an agreement, because it seems that whatever reason you prefer a very loose definition. For example, you just couldn't help yourself in confusing the privilege escalation point: "...context with escalated privileges." The rootkit isn't escalating anything, in the same way that LKMs, bootloaders, tracetools, or drivers don't escalate - it executes at or below its own privilege level.

[jdmichal]

I'm obviously not communicating my point well. Let's try this:

A backdoor executes in a remote machine. It allows attackers to access that machine.

A rootkit executes in a "remote" privileged context. It allows attackers to access that privileged context. It's in this context that I refer to escalation; it allows the attacker in a non-priviledged context access to a privileged context; aka escalation. And yes, the actual escalation already happened in the past, when the rootkit was installed. However, a non-priviledged user is still gaining illicit access to a privileged context at the moment that the rootkit is utilized.

Also, at this point I think we're splitting semantic hairs that don't really matter, aside from pedantry.

[woodman]

Well I do appreciate you trying, but I disagree with you that it is pedantry that doesn't matter. This conversation is the best possible example of why we can't allow the corruption of previously well defined words - it causes confusion for no good reason.

A backdoor doesn't need to be remote and the user isn't necessarily an attacker. It is simply a secret method of access that the designer put in place, it isn't designed for end-user use. It is almost always security through obscurity, and it is always a bad idea. It can be activated in a variety of ways: port knocking, hardcoded passwords, preinstalled remote software, shorting ground to some magic pin, an undocumented serial terminal, etc.

A rootkit doesn't need to be remote and the user isn't necessarily an attacker. It doesn't need to have any functionality for user interaction - which means no "escalation" occurs (It could simply scan memory for passwords and log them to a file). It runs above user space, and can therefor be completely hidden (but it isn't always, see DTrace). It runs with the same privileges as the OS that it is part of. That is important to keep in mind, the rootkit becomes part of the running OS - that could mean any of the OSes running in your tower (CPU, HD firmware, BIOS, etc).

Your definitions work fine in a vacuum, but they quickly fall apart in real world usage. For example, by your definition: a remotely accessible privileged service is a rootkit, because an unprivileged internet user can interact with it - accessing data and executing code in the service's privileged context. 'sudo nginx' is not a rootkit.