Types of Rootkits
The simplest type of rootkit and the easiest type to detect and remove operates at the user level. These rootkits can replace a user application with a modified program of their own. They are fairly easy to detect because one can trust the kernel of the operating system. User-mode rootkits can be injected through a variety of different mechanisms including the use of vendor-supplied application extensions, the interception of messages, debuggers, the exploitation of security bugs or API patching.
Another type of rootkit operates at the kernel level. These rootkits are harder to find and remove because one can't fully trust the kernel on which the rootkit has been installed. Malicious hackers have the ability to delete logs and replace system calls in order to hide their tracks. This type of rootkit is usually installed as a Linux Kernel Module (LKM). Some common kernel-mode rootkit variants include bootkits - or rootkits that can infect startup code like the Master Boot Record, firmware and hardware.
Here is a tutorial that explains how to write a very simple LKM that will allow you to get instant root on whichever machine it is installed on. Modules like this one can be used to masquerade the actions of a threat actor.
Here is a list of awesome user-mode and kernel-mode rootkits - mainly for older kernels - you’ll want to check out.