Kernel mode: Rootkits targeting the kernel represent a grave threat. The kernel is an operating system's core, managing critical processes and interactions between hardware and software. When rootkits infiltrate the kernel, they achieve a privileged status, enabling them to manipulate system functions and processes at a fundamental level. This privileged access grants them an elevated perch to enact nefarious activities, all while evading the watchful eyes of security software.
User mode: Rootkits that operate in user mode manipulate system files and settings, attempting to blend into a user's everyday activities. Operating here allows the rootkit to alter system behavior, remain inconspicuous, and access data and processes under the guise of legitimate user activity. This user mode camouflage enables rootkits to continue their activities undetected, often bypassing security mechanisms.
Persistence: An essential trait of rootkits is their determination to remain embedded within a system. Rootkits are designed with persistence, ensuring their survival even through system reboots. They employ techniques to reestablish themselves after a reboot, allowing them to continue their covert operations, even after initial detection and removal attempts. This longevity poses a challenge for defenders because traditional removal methods might not wholly eradicate these intruders.
Concealment: To successfully carry out their subversive activities, rootkits must maintain their covert status. They achieve this by manipulating system calls and APIs, the gateways through which software communicates with the operating system. By intercepting these communication channels, rootkits filter what security software and monitoring tools are allowed to see, masking their files, processes, and network activity. This concealment technique allows them to evade detection attempts that rely solely on the manipulated interfaces.
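Because concealment works by tampering with one interface, a defender's classic counter is a cross-view check: obtain the same fact through two independent kernel paths and flag disagreements. The Linux example below (added here; it is not code from the page or from any rootkit or tool it describes) lists process IDs through the /proc directory view and again by probing each candidate PID with signal 0, then reports PIDs that are alive but missing from the listing. The 32768 probe cap and the two-pass listing are assumptions chosen for a quick demonstration; a production scan reads /proc/sys/kernel/pid_max and repeats the scan to rule out short-lived processes.

```python
import os


def listed_ids():
    """PIDs and thread IDs as exposed by the directory-listing view of /proc.
    A process-hiding rootkit that filters readdir results removes its entries here.
    Threads are included so that a bare TID probed below is not misreported."""
    ids = set()
    if not os.path.isdir("/proc"):
        return ids  # no procfs: nothing to compare against
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass  # the process exited between the two reads; harmless
    return ids


def probed_ids(limit=32768):
    """IDs found by asking the kernel directly: kill(pid, 0) succeeds, or fails
    with EPERM, for any live task, and takes a different path than a directory
    listing. 'limit' is a constructed cap; real scans use pid_max."""
    live = set()
    for pid in range(1, limit):
        try:
            os.kill(pid, 0)
            live.add(pid)
        except ProcessLookupError:
            continue          # ESRCH: no such task
        except PermissionError:
            live.add(pid)     # EPERM: exists, owned by another user
    return live


def hidden_ids(listed, probed):
    """Cross-view discrepancy: alive according to the kernel, absent from the
    listing. The opposite direction (listed but gone) is just normal churn."""
    return probed - listed


def scan(limit=32768):
    """List, probe, list again; an ID alive during the probe but absent from
    both listings is the anomaly worth investigating. A task that starts and
    exits within the window can still slip through, so rerun to confirm."""
    before = listed_ids()
    probed = probed_ids(limit)
    after = listed_ids()
    return hidden_ids(before | after, probed)


if __name__ == "__main__":
    print("alive but unlisted (investigate):", sorted(scan()))
```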