
Rootkit comes from Unix; it was a tool helping to restore admin privileges even after the admin found that the host was hacked (that's where the name comes from: root = admin on Unix). Its goal was to be invisible.

Are you sure? It also commonly referred to such kits being used by hostile parties. I've personally interrupted an attempt at installing the "Hungarian Rootkit" in the 90's. (I put unpatched Red Hat 6 online when Red Hat 7 was out.)

> (that's where the name comes from root = admin on Unix)

The fact that you think this is something that bears explaining is interesting in the context of HN. I hope this is based on something you've noticed about recent user trends here. There was a time when someone would be very surprised if a user here didn't already know this.




I see my response was ambiguous. Of course I meant rootkit was always malicious. It was used by an intruder to gain root back after the admin thought he had restored the host after being hacked.

Rootkits are the reason why it is recommended to wipe the whole system after being hacked, because you can't be sure there wasn't anything installed.


> It also commonly referred to such kits being used by hostile parties.

I suspect that's exactly what he means - a rootkit is deployed by an intruder so that when the admin discovers the host has been compromised and patches the vulnerability, the rootkit, if not addressed, will grant the intruder root capabilities once more.


Right. A "rootkit" was a kit of tools you deploy once you have obtained root (on someone else's server).


I always thought of them as a way to gain root. As in privilege escalation.


A rootkit might come with tools for that, but the actual rootkit generally requires you having root (or some other privileged role) to deploy it. E.g. a Linux rootkit commonly is a kernel module, which you can only load if you have already obtained root privileges.



