A successfully installed rootkit allows unauthorized users to act as system administrators, and thus to take full control of the 'rootkitted' system. Secondary to this purpose, most rootkits typically hide files, network connections, blocks of memory, or registry entries (eg, on Windows systems) from other programs used by system administrators to detect specially privileged accesses to computer system resources. However, a rootkit may masquerade as or be intertwined with other files, programs, or libraries with other purposes. It is important to note that while the utilities bundled with a rootkit may be maliciously intended, not every rootkit is always malicious. Rootkits may be used for both productive and destructive purposes.
A rootkit which hides utility programs, usually does so to abuse a compromised system, and often include so-called "backdoors" to help the attacker subsequently access at will. A simple example might be a rootkit which hides an application that spawns a command processing shell when the attacker connects to a particular network port on the system. Kernel rootkits may include similar functionality. A backdoor may also allow processes started by a non-privileged user to run as though it were started by a privileged user (include the root user) and to carry out functions normally reserved for the superuser.
Many other utility tools useful for abuse can be hidden using rootkits. This includes tools for further attacks against computer systems with which the compromised system communicates, such as sniffers and keyloggers. A possible abuse is to use a compromised computer as a staging ground for further abuse (see zombie computer). This is often done to make the abuse appear to originate from the compromised system (or network) instead of the attacker's. Tools for such attacks can include denial-of-service attack tools, tools to relay chat sessions, and e-mail spam distribution. A major malicious use for rootkits is to allow the rootkit's programmer to see and access user names and log-in information of systems requiring them. Collection of such information from many systems (thousands or more) is easily possible. This makes rootkits even more hazardous, as it allows trojans to access this personal information while the rootkit covers it up.
