When you hear about rootkits, and you are a Linux user, the first thing that comes to mind is probably that it has something to do with the root user. You are not wrong, but that is only part of it. Let's define it formally.
A rootkit is a program that can hide itself, as well as other running processes, files and network connections, from the host it is running on.
Its main goal is to run incognito, meaning in the background, for as long as possible.
It aims to hide the intruder's traces by manipulating processes, open files and network activity, and by changing the access rights/permissions of files and directories.
One of the main goals of a rootkit is to make sure the intruder has full remote access to the victim's computer at all times. For example, a rootkit may establish a backdoor using SSH tunneling.
It also enables the attacker to wiretap and intercept various system components, for example sending data to a particular endpoint or installing a keylogger.
The biggest challenge, which also differentiates rootkits from other types of malware, is the fact that a rootkit needs to be installed with root privileges in the first place.
User-mode rootkit: A user-mode rootkit covertly replaces common UNIX binaries or libraries with infected versions to hide its existence and to gain root privileges if needed.
Kernel-mode rootkit: A kernel-mode rootkit operates at the system level and modifies or replaces the kernel, which may have been affected during the boot process.
This is a good blog post on the Linux boot process.
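The process hiding described above leaves a detectable inconsistency: a rootkit that filters the directory listing of /proc usually still lets /proc/<pid> be opened directly. The following cross-view check is an added example written for this post, not code from the original; it assumes a Linux procfs mounted at /proc and treats threads (which also answer to /proc/<tid> but are never listed) as a known false positive to filter out.

```python
"""Cross-view check for hidden processes on Linux: a rootkit that filters
the directory listing of /proc (the readdir view) usually still lets
/proc/<pid> be opened directly, and comparing the two views exposes the gap."""
import os

PROC = "/proc"  # assumption: procfs is mounted at the usual location
HAVE_PROCFS = os.path.isdir(os.path.join(PROC, "self"))


def listed_pids(proc_dir=PROC):
    """PIDs visible through an ordinary directory listing of /proc."""
    return {int(n) for n in os.listdir(proc_dir) if n.isdigit()}


def is_thread_group_leader(pid, proc_dir=PROC):
    """True if /proc/<pid> is a process, not a thread. Threads answer to
    /proc/<tid> but are never listed, so without this filter every
    multithreaded program would look like a hidden process."""
    try:
        with open(os.path.join(proc_dir, str(pid), "status")) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        pass
    return False


def probed_pids(pid_max, proc_dir=PROC):
    """PIDs found by opening /proc/<pid> for every candidate, bypassing readdir."""
    return {pid for pid in range(1, pid_max + 1)
            if is_thread_group_leader(pid, proc_dir)}


def find_hidden(listed, probed):
    """Candidates present in the direct view but absent from the listing."""
    return probed - listed


def hidden_processes(proc_dir=PROC, pid_max=None):
    """Compare both views, then re-list to drop processes that merely
    started or exited between the two snapshots (a benign race)."""
    if pid_max is None:
        with open(os.path.join(proc_dir, "sys", "kernel", "pid_max")) as f:
            pid_max = int(f.read())
    candidates = find_hidden(listed_pids(proc_dir), probed_pids(pid_max, proc_dir))
    relisted = listed_pids(proc_dir)
    return {p for p in candidates
            if p not in relisted and is_thread_group_leader(p, proc_dir)}
```

A full sweep up to the kernel's pid_max can take several seconds on a large system; pass a smaller pid_max to narrow the range. A non-empty result is worth investigating, but confirm it against a second independent view (for example a live-response tool or an offline image) before concluding a rootkit is present.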