How does a rootkit get installed?
The replacement of system commands, daemons and drivers cannot be done by a regular user. In other words, even if the account of a regular user is compromised, an attacker still cannot install a rootkit.
To install a rootkit, an intruder must somehow gain root privileges. There are two main ways to do this. The first is to compromise the root account itself, or an account that can sudo to root, for example through a weak password, key logging or network sniffing.
The second is to exploit a vulnerable system service. Some system services (daemons) run with root privileges. If such a service is compromised, the "payload" carried by a malicious request executes arbitrary code with root privileges.
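The attack surface of the second method is whatever accepts input while running as root. As an added example that is not part of the original article, the Python below inventories that surface from /proc/net/tcp: it lists listening TCP sockets owned by uid 0 and joins each to the daemon holding the socket. The /proc/net/tcp dump and the inode-to-process map are constructed sample data; live_inode_map reads a real Linux /proc and is best effort.

```python
import os
import re

LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

def parse_listeners(proc_net_tcp):
    """Return (port, uid, inode) for every LISTEN row of a /proc/net/tcp dump."""
    rows = []
    for line in proc_net_tcp.splitlines():
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:  # skips the header and non-listening sockets
            continue
        port = int(f[1].rsplit(":", 1)[1], 16)  # local_address is hexIP:hexPort
        rows.append((port, int(f[7]), int(f[9])))  # uid and inode columns
    return rows

def root_exposed(proc_net_tcp, inode_to_proc):
    """Listening sockets owned by uid 0, joined to their daemon via inode_to_proc {inode: (pid, comm)}."""
    found = []
    for port, uid, inode in parse_listeners(proc_net_tcp):
        if uid == 0:
            pid, comm = inode_to_proc.get(inode, (None, "?"))
            found.append({"port": port, "pid": pid, "comm": comm})
    return sorted(found, key=lambda r: r["port"])

def live_inode_map():
    """Map socket inode -> (pid, comm) by walking /proc/<pid>/fd. Linux only and
    best effort: without root, only your own processes' fd tables are readable."""
    mapping = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    mapping[int(m.group(1))] = (int(pid), comm)
        except OSError:
            continue  # process exited or its fd table is not readable
    return mapping

# Constructed /proc/net/tcp sample: root listeners on 22 and 8080, a uid-104 listener on 631, one ESTABLISHED row.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21001 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000   104        0 21002 1
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21003 1
   3: 0A00020F:0016 0A000201:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 21004 1
"""
SAMPLE_PROCS = {21001: (812, "sshd"), 21003: (1407, "python3")}  # constructed inode -> (pid, comm)
```

On a live Linux host, `root_exposed(open("/proc/net/tcp").read(), live_inode_map())` gives the list of root daemons reachable over the network; each entry is a service whose vulnerabilities would hand an attacker root.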