6

I was reading the "What is a rootkit?" post and I'm confused about the difference between a rootkit and a backdoor. As I understood it, both:

  • Are a piece of code written by the attacker and injected in a system

  • Allow access into the system only to the user that wrote the code, or at least has knowledge of the code

  • Are hard to detect and to patch

So, are those terms similar and can both be used to mean the same thing? Is one more generic than the other?

asked by Shashimee (edited by Xiong Chiamiov)

4 Answers

9

Thomas Pornin's answer to the linked question starts off with a pretty good definition of a rootkit, I think:

A rootkit is a set of tools that you run on a target machine when you somehow gained access to it with root-level privileges. The point of the rootkit is to transform that transient access into an always-open door.

First, let's see how this fits with your points:

Is a piece of code written by the attacker and injected in a system.

"Injected into a system" is pretty broad, but accurate. It doesn't need to have been written by this attacker, though; they could've gotten one off-the-shelf, especially if it's using a common tool (like openssh) to keep the elevated privileges.

Allow access into the system only to the user that wrote the code, or at least has knowledge of the code

A rootkit allows an unauthorized user to gain root privileges if they know "the secret handshake" (whatever the trigger is for the rootkit). Authorized users (for instance, sysadmins) are still able to do the things they normally do. And another attacker doesn't need to know the specifics of the rootkit implementation, just the details of how to get it to work (the user interface, shall we say). A good example of this distinction is the Sony copy protection rootkit, which hid any process that matched a certain name pattern and was used by several unrelated pieces of malware.

Are hard to detect and to patch

Generally, yes, since the attacker has root access and all of the privileges that come with it.
A backdoor is a much more generic term, referring generally to some sort of way for an unauthorized user to gain access to a system. The name comes from the physical world, where you might have the front door to a building guarded, but a little-known back door that is unguarded (or more loosely guarded).

I suppose that a rootkit is a sub-type of a backdoor; the specific access it gives is persistent root access on a Unix-like system.

However, backdoors can cover a much wider area. One of the most common associations with backdoors is disgruntled former employees. Imagine that you had a developer working at your company on some sort of web app that has an administrative panel. Normally, the panel requires a valid username and password to access. However, this developer secretly added code that allows them to double-click in the top-left corner and bypass the login screen. This would be a back door (giving access that they should not have), but is not a rootkit (there's no root account here).

Xiong Chiamiov
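The admin-panel backdoor described in the answer above, as an added example that is not part of the original post: a login handler with a hidden trigger that skips the credential check, the same handler with that branch removed, and a differential probe that sends deliberately wrong credentials plus candidate trigger inputs and reports any input that still opens the door. The user table, the `corner_clicks` field standing in for the double-click, and the probe list are all constructed for this example.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

# Constructed demo user table (username -> sha256(salt + password)).
# A real application would use a per-user salt and a slow password hash;
# the point here is only to have a credential check to bypass.
_SALT = b"demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


USERS: Dict[str, bytes] = {"admin": _hash("correct horse battery staple")}


def credentials_valid(username: str, password: str) -> bool:
    """The only legitimate way in: constant-time compare against the stored hash."""
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected, _hash(password))


def backdoored_login(request: dict) -> bool:
    """Login handler containing a developer backdoor.

    The hidden trigger, a UI event reported as corner_clicks == 2, stands in
    for the 'double-click in the top-left corner' from the answer. The field
    name is an assumption made for this example.
    """
    if request.get("corner_clicks") == 2:  # secret handshake: skip auth entirely
        return True
    return credentials_valid(request.get("username", ""), request.get("password", ""))


def hardened_login(request: dict) -> bool:
    """Same handler with the extra branch removed: only credentials decide."""
    return credentials_valid(request.get("username", ""), request.get("password", ""))


# Candidate 'secret handshakes' to try. In practice this list would come from
# reading the handler's inputs (form fields, headers, cookies) and trying each
# with otherwise invalid credentials.
PROBES: List[dict] = [
    {},
    {"corner_clicks": 1},
    {"corner_clicks": 2},
    {"debug": True},
    {"X-Forwarded-For": "127.0.0.1"},
]


def find_bypass(handler: Callable[[dict], bool], probes: List[dict]) -> Optional[dict]:
    """Differential check: every probe carries an invalid password, so any True
    from the handler means a non-credential input granted access. Returns the
    offending extra input, or None if the handler only honours credentials."""
    for extra in probes:
        req = {"username": "admin", "password": "definitely-wrong", **extra}
        if handler(req):
            return extra
    return None


if __name__ == "__main__":
    print("backdoored handler bypass:", find_bypass(backdoored_login, PROBES))
    print("hardened handler bypass:  ", find_bypass(hardened_login, PROBES))
```

The probe never learns the secret itself; it only needs to observe that some input other than a valid password produces a successful login, which is the behavioural signature of a backdoor. Note also that neither handler touches privileges on the host, which is why this is a backdoor but not a rootkit.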
3

a piece of code written by the attacker and injected in a system

Not necessarily written by the attacker, but could be intentional by developers. "System" does not have to mean "computer" but could also be software, which means you can have backdoors anywhere, but only rootkits are on machines.

Allow the access into the system only to the user that wrote the code, or at least has knowledge of the code

Rootkits do not always allow remote access.

Are hard to detect and to patch

I'm not sure this point is relevant in a description or delineation of either.

schroeder
1

A backdoor allows access to someone who knows how to invoke the backdoor, e.g. a developer creates a way to skip around the authentication method intended to be used, or opens a 'secret' port only known to him/her.

A rootkit is a piece of software installed on the machine that allows an attacker to do a number of malicious things, including opening a backdoor. A rootkit is illegally installed on the machine without the owner knowing.

Think of the rootkit as the tool that could allow a backdoor to be opened.

ISMSDEV
-1

On every operating system, there are mechanisms to prevent access to a protected resource: Every protected resource can be accessed through functions called with elevated privileges.

A rootkit is a piece of software which interferes with the mechanism programmed to prevent access to a protected resource, in such a way that it can be considered an added part of the operating system (nothing more, nothing less than a kit).

If a part of a system component has a bug (or a part of the installed antimalware has one), this bug can be used by the rootkit to overwrite the mechanism with its own piece of code, so its presence will be undetectable; in the worst cases, it could also act as a substitute for a system component on an infected machine.

With a rootkit, you can elevate privileges for an unprivileged user, who can act as the system user (or root user depending on the system) without being a granted user.

If the rootkit has to be activated or used remotely, it must keep an open door to receive commands and execute them locally on the infected machine; the undetectable door opened by the rootkit is called a backdoor.

Unfortunately, a rootkit can also be pre-installed by the manufacturer on the operating system without the owner knowing.

schroeder

    Hi LoryOne - for questions which have already been well answered, please don't add further answers. Also, please read the highly voted answers to understand what we expect in a post. Thanks. – Rory Alsop Feb 09 '19 at 12:58