What is the difference between a backdoor and a rootkit?

Thomas Pornin's answer to the linked question starts off with a pretty good definition of a rootkit, I think:

A rootkit is a set of tools that you run on a target machine when you somehow gained access to it with root-level privileges. The point of the rootkit is to transform that transient access into an always-open door.

First, let's see how this fits with your points:

Is a piece of code written by the attacker and injected in a system.

"Injected into a system" is pretty broad, but accurate. It doesn't need to have been written by this attacker, though; they could've gotten one off the shelf, especially if it's using a common tool (like openssh) to keep the elevated privileges.

Allow the access into the system only to the user that wrote the code, or at least has knowledge of the code

A rootkit allows an unauthorized user to gain root privileges if they know "the secret handshake" (whatever the trigger is for the rootkit). Authorized users (for instance, sysadmins) are still able to do the things they normally do. And another attacker doesn't need to know the specifics of the rootkit implementation, just the details of how to get it to work (the user interface, shall we say). A good example of this distinction is the Sony copy protection rootkit, which hid any process that matched a certain name pattern and was used by several unrelated pieces of malware.

Are hard to detect and to patch

Generally, yes, since the attacker has root access and all of the privileges that come with it.


A backdoor is a much more generic term, referring generally to some sort of way for an unauthorized user to gain access to a system. The name comes from the physical world, where you might have the front door to a building guarded, but a little-known back door that is unguarded (or more loosely guarded).

I suppose that a rootkit is a sub-type of a backdoor; the specific access it gives is persistent root access on a Unix-like system.

However, backdoors can cover a much wider area. One of the most common associations with backdoors is disgruntled former employees. Imagine that you had a developer working at your company on some sort of web app that has an administrative panel. Normally, the panel requires a valid username and password to access. However, this developer secretly added code that allows them to double-click in the top-left corner and bypass the login screen. This would be a back door (it gives access that they should not have), but is not a rootkit (there's no root account here).


a piece of code written by the attacker and injected in a system

Not necessarily written by an attacker; it could also be intentional on the part of the developers. "System" does not have to mean "computer" but could also be software, which means you can have backdoors anywhere, but only rootkits are on machines.

Allow the access into the system only to the user that wrote the code, or at least has knowledge of the code

Rootkits do not always allow remote access.

Are hard to detect and to patch

I'm not sure this point is relevant in a description or delineation of either.