A rootkit is a selection of modified standard programs
that usually replace (among others) ls, ps, netstat,
users and pretty much everything else you would use to
check your machine. It will also include a backdoor.
Sometimes the primary part of the rootkit is either a
kernel module or a complete replacement of the kernel
with one that does not give the normal users (root)
any info about the new owner.
Rootkits are *INSTALLED* after a successful root
exploit.
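
Because the replaced ps is the tool that lies, one defensive check is to compare its output with a process list read straight from /proc. The following is an added example, not part of the original text; the function names are illustrative. It assumes a Linux /proc and only catches a modified userland ps: if the kernel itself has been replaced or has a rootkit module loaded, /proc cannot be trusted either.

```python
import os
import subprocess


def pids_from_ps(ps_output):
    """Parse `ps -e -o pid=` output: one PID per line, no header."""
    fields = (line.strip() for line in ps_output.splitlines())
    return {int(f) for f in fields if f.isdecimal()}


def pids_from_proc(proc_root="/proc"):
    """Enumerate PIDs from the proc filesystem directly, without running ps."""
    return {int(name) for name in os.listdir(proc_root)
            if name.isdecimal() and os.path.isdir(os.path.join(proc_root, name))}


def hidden_from_ps(ps_output, proc_root="/proc"):
    """PIDs visible in proc_root that the ps output does not mention."""
    return sorted(pids_from_proc(proc_root) - pids_from_ps(ps_output))


def scan(rounds=3):
    """Run the comparison several times and keep only PIDs that ps omits in
    every round, so a process that merely started between the ps call and
    the /proc read is not reported."""
    suspects = None
    for _ in range(rounds):
        out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                             text=True, check=True).stdout
        missing = set(hidden_from_ps(out))
        suspects = missing if suspects is None else suspects & missing
    return sorted(suspects or [])


def describe(pid, proc_root="/proc"):
    """Best-effort process name for a suspect PID (it may have exited)."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    for pid in scan():
        print(f"PID {pid} ({describe(pid)}) is in /proc but not in ps output")
```

Run it with an interpreter and libraries from known-good media rather than from the suspect disk, since a rootkit that replaces ps can replace other binaries too.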

