Why rootkits?

Since early 2005, rootkits have been one of the most intriguing aspects of the malicious code industry. We've all known about rootkits for ages, on both Windows and Unix/Linux OSs, but this writer first encountered one in the wild in early 2005. If you have grown-up children, and you're good with computers, it turns out that you get to be Tech Support Of Last Resort: whenever they have a machine at work that they can't clean, they bring it home to dad. One afternoon in March 2005, I encountered the first machine that I couldn't clean, and in fact I killed it trying. In time, I came to understand that it was a rootkit. I started digging around to find out about them, and have been fascinated ever since.

What's a rootkit?

In simple terms, a rootkit is code that modifies the operating system so that it controls the operating system, and it typically uses that control to hide from the things that would like to remove it, for example anti-virus or anti-spyware programs.

In slightly more complex terms: when a computer boots, there is a chain of activity that eventually loads the operating system the user sees, be it Windows, OSX, or Linux. That "chain of activity" is quite complex. It starts with some hand-written assembler code in the firmware, which hands control off to extra components that try to assure that the boot process is secure. Those components initialize drivers for the devices on the computer, eventually decide which device to boot the operating system (the o/s) from, and then load that o/s. Whatever runs earlier in that chain gets to decide what the later stages see, which is why a rootkit that sits early enough can hide from software that loads after it.
Again, in simple terms, there is an arms race between attackers and defenders, each trying to intercept the boot process earlier and earlier, that is, lower and lower down the chain.

It's sort of a cyber limbo dance ... whoever can get the lowest, wins.
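To make the limbo-dance point concrete, here is a toy model of a verified boot chain. It is an added example written for this page, not code from the original article or from any real firmware: the stage names and stage bytes are constructed, the stage order mirrors the chain described above, and the only real thing in it is SHA-256. Each stage embeds the digest it demands of the next stage, and a verifier walks the chain from a root-of-trust digest. Tampering with a late stage (a driver) is caught by the stage before it; replacing the lowest stage and rebuilding the chain beneath it is caught only if the trust anchor sits below the firmware, in hardware the attacker cannot rewrite.

```python
"""Toy model of a verified boot chain, showing why the lowest compromised
stage wins. Constructed example: stage names and bytes are invented, the
digests are real SHA-256, and nothing here touches real firmware."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Stage:
    name: str
    code: bytes                     # what this stage executes (constructed bytes)
    expected_next: Optional[bytes]  # digest this stage demands of its successor


def stage_digest(stage: Stage) -> bytes:
    # A stage's identity covers its code AND the digest it will accept next,
    # so an attacker cannot keep the code and merely swap the embedded digest.
    return hashlib.sha256(stage.code + (stage.expected_next or b"")).digest()


def build_chain(plan: List[Tuple[str, bytes]]) -> List[Stage]:
    # Build from the last stage backwards so each stage embeds its successor's digest.
    stages: List[Stage] = []
    nxt: Optional[bytes] = None
    for name, code in reversed(plan):
        stage = Stage(name, code, nxt)
        stages.append(stage)
        nxt = stage_digest(stage)
    return list(reversed(stages))


def verify_boot(stages: List[Stage], root_of_trust: bytes) -> Optional[str]:
    """Walk the chain the way a verifying boot would. Return the name of the
    first stage whose digest differs from what the previous stage (or the root
    of trust, for stage 0) demands, or None if every hand-off checks out."""
    expected = root_of_trust
    for stage in stages:
        if stage_digest(stage) != expected:
            return stage.name
        expected = stage.expected_next  # this stage now vouches for the next one
    return None


def tamper(stages: List[Stage], name: str, new_code: bytes) -> List[Stage]:
    # Replace one stage's code and nothing else: what an attacker who can only
    # overwrite one driver or one on-disk component is able to do.
    return [Stage(s.name, new_code, s.expected_next) if s.name == name else s
            for s in stages]


PLAN = [  # constructed boot chain, in the order the text describes
    ("firmware", b"hand-written assembler in ROM"),
    ("boot-security", b"checks the next stage before running it"),
    ("driver-init", b"initialises device drivers"),
    ("boot-loader", b"picks a device and loads the o/s"),
    ("kernel", b"the operating system the user sees"),
]
CLEAN = build_chain(PLAN)
HARDWARE_ANCHOR = stage_digest(CLEAN[0])  # ideally burned into hardware, not firmware


def demo() -> dict:
    results = {}
    # 1. Untouched chain: every hand-off matches.
    results["clean"] = verify_boot(CLEAN, HARDWARE_ANCHOR)
    # 2. A rootkit patches a driver: the stage before it refuses to hand off.
    patched = tamper(CLEAN, "driver-init", b"initialises drivers + hides files")
    results["patched_driver"] = verify_boot(patched, HARDWARE_ANCHOR)
    # 3. The attacker replaces the firmware and rebuilds the whole chain under it.
    evil = build_chain([("firmware", b"attacker firmware")] + PLAN[1:])
    #    An anchor below the firmware still catches it ...
    results["evil_fw_hw_anchor"] = verify_boot(evil, HARDWARE_ANCHOR)
    #    ... but if the firmware is its own root of trust, it vouches for itself.
    results["evil_fw_self_anchor"] = verify_boot(evil, stage_digest(evil[0]))
    return results


if __name__ == "__main__":
    for label, failing in demo().items():
        print(f"{label:22s} -> {'OK' if failing is None else 'fails at ' + failing}")
```

The design choice worth noticing is where the anchor lives: `verify_boot` is only as trustworthy as the `root_of_trust` value it is handed, so a check whose anchor is stored in the same firmware an attacker can rewrite reports "OK" for the attacker's chain. That is the defender's side of the limbo dance: the detection has to be rooted one level below the lowest thing the attacker can change.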