Quoting John Franklin (franklin@???):
Technically, a rootkit is not a threat but rather a minor after-the-fact
sequel to a threat and successful attack. It does not embody an attack,
itself. Rather, it's a method of hiding from the legitimate
administrator the covert activity of an intruder who has already
achieved control of the system through other means.
The taxonomy of 'malware' I include in
http://linuxmafia.com/~rick/faq/#virus5 might be helpful.
I'm quibbling because the IT press, misguided on this particular point by
antimalware/security firms in pursuit of their commercial agenda, have
confused many on this matter. To quote from my virus essay:
That incompetent reporting sometimes has extremely damaging
consequences: In 2002, British authorities arrested [link] the alleged
author of the T0rn rootkit, based on their mistaken notion that it's a
"Linux virus". (My efforts to get the Reuters / NY Times story corrected
were ignored, except by cited anti-virus consultant Graham Cluley, who
told me he'd been misquoted.)
(I was not intending to otherwise enter this discussion. FWIW,
I agree that code-signing has utility, modulo frequent issues over key
management.)