Rootkits can run in user mode or kernel mode. User-mode rootkits are generally the simpler ones and easier to detect. Kernel-mode rootkits run more or less on par with the operating system, which makes them extremely difficult to isolate.
A variation, called "bootkits", can attack even a full-disk encryption system by replacing the boot loader. In fact, rootkits have even been shown to be effective against virtual systems by hosting the target operating system as a virtual machine.
Tools built to detect rootkits can be free or frightfully expensive, so difficult to use that you need a consultant to help you tell the good stuff from the bad stuff, or simply ineffective against all but the oldest or most common rootkits. While many of these tools might prove to be quite valuable in detecting and removing rootkits, a system hardening process that significantly lessens the chance that a system you manage is targeted should be set in motion as a first step toward keeping the nasty rootkits at bay.
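The difference in detectability between user-mode and kernel-mode rootkits described above can be made concrete with a cross-view check, shown here as an added example that is not part of the original post. A user-mode rootkit that hooks the C library's directory-listing routines can hide a process from `ls /proc` and `ps`, but not from a direct probe of `/proc/<pid>`, so comparing the two views exposes it; a kernel-mode rootkit filters both views and leaves no such discrepancy, which is the page's point about isolation being hard. The script assumes a Linux procfs mounted at `/proc`; the `SAMPLE_*` sets are constructed data so the comparison can be exercised without a live system.

```python
"""Cross-view process enumeration: a small rootkit-detection check.

Added example (not the blog's own code). Assumes Linux procfs at /proc.
View 1 lists /proc; view 2 probes /proc/<pid> directly without listing.
A PID that answers the probe but is absent from the listing is a
discrepancy worth investigating.
"""
import os
from typing import Iterable, Set

PROC = "/proc"

# Constructed sample views (not captured from a real system): PID 1337
# answers a direct probe but is missing from the directory listing.
SAMPLE_LISTING = {1, 2, 150, 1200, 1201}
SAMPLE_PROBE = {1, 2, 150, 1200, 1201, 1337}


def listed_pids(proc_dir: str = PROC) -> Set[int]:
    """View 1: PIDs as reported by a directory listing of /proc."""
    try:
        names = os.listdir(proc_dir)
    except OSError:  # no procfs on this platform
        return set()
    return {int(n) for n in names if n.isdigit()}


def probed_pids(max_pid: int, proc_dir: str = PROC) -> Set[int]:
    """View 2: PIDs found by probing /proc/<pid> one by one, bypassing readdir."""
    found = set()
    for pid in range(1, max_pid + 1):
        if os.path.exists(os.path.join(proc_dir, str(pid))):
            found.add(pid)
    return found


def hidden_pids(listing: Iterable[int], probe: Iterable[int]) -> Set[int]:
    """PIDs present in the direct probe but absent from the listing."""
    return set(probe) - set(listing)


def read_max_pid(default: int = 32768) -> int:
    """Upper bound for the probe; falls back to a constructed default."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def scan(proc_dir: str = PROC, max_pid: int = 0) -> Set[int]:
    """Run both views and return PIDs hidden from the listing.

    The listing is taken before and after the probe so that processes
    starting or exiting during the probe are not reported as hidden.
    """
    limit = max_pid or read_max_pid()
    before = listed_pids(proc_dir)
    probe = probed_pids(limit, proc_dir)
    after = listed_pids(proc_dir)
    return hidden_pids(before | after, probe)


def demo_hidden_example() -> Set[int]:
    """Apply the comparison to the constructed sample views."""
    return hidden_pids(SAMPLE_LISTING, SAMPLE_PROBE)


if __name__ == "__main__":
    print("constructed sample:", sorted(demo_hidden_example()))
    suspicious = scan()
    if suspicious:
        print("PIDs visible to a direct probe but missing from the listing:",
              sorted(suspicious))
    else:
        print("no discrepancy between the two views")
```

On a clean system `scan()` returns an empty set; a non-empty result should be re-run once to rule out a process that exited mid-scan, and then investigated rather than trusted as proof. With `pid_max` raised to its modern default of a few million, the probe can take several seconds; pass a smaller `max_pid` if that matters.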
Rootkits have somehow kept a low profile -- at least in the eyes of the typical computer user, maybe in part because they are paired with other infections that get credit for what they do. But they are just as much of a problem as ever, in fact considerably more.
Read more of Sandra Henry-Stocker's Unix as a Second Language blog and follow the latest IT news at ITworld, Twitter and Facebook.