A rootkit is a selection of modified standard programs that usually replace (among others)
ls ps netstat users and pretty much everything else you would use to check your machine. It will also include a backdoor. Sometimes the primary part of the rootkit is either a module or a complete replacement of the kernel with one that does not respond to the normal users (root) with any info about the new owner. Rootkits are *INSTALLED* after a successful root exploit.