Modifying the kernel's view of the OS objects is the surest bet to evade detection by "root" (the system administrator with full access privileges). After all, root uses shell commands that are implemented by userland executables like "ls" and "ps", which in turn depend on kernel system calls; so if the attacker manages to intercept the system call implementations, the admin can be kept in the dark.

Classic kernel rootkit techniques date back to the early 2000s:

  http://phrack.org/issues/58/6.html (2001)
  http://phrack.org/issues/59/5.html (2002)

and an even earlier, longer treatment from 1999 (note that this one is for Linux 2.0, and we are at 3.19 :)):

  https://www.thc.org/papers/LKM_HACKING.html

In light of these developments, the 2005 "Sony rootkit" looked quite shabby. You can read its story at http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx
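The defender's counterpart to the point above, added here as an example that is not from the original note or from any of the linked papers: "ls" and "ps" enumerate /proc through the getdents() directory listing, while a direct stat() of /proc/<pid> takes a separate path lookup, so comparing the two views flags any process that a filtered listing omits. The sample PID sets are constructed; the live scan assumes a Linux /proc and is best run as root.

```python
import os

PROC = "/proc"

def listed_pids(proc=PROC):
    """PIDs seen by enumerating the directory: the getdents() path that ls and
    ps depend on, and the one a syscall-hooking rootkit typically filters."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def probed_pids(max_pid, proc=PROC):
    """PIDs found by asking for each /proc/<pid> entry by name. Path lookup
    does not go through getdents(), so a filtered listing does not affect it."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(f"{proc}/{pid}")
            found.add(pid)
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue
    return found

def compare_views(listed, probed_before, probed_after):
    """Pure comparison: a PID is suspicious only if direct lookup finds it both
    before and after the listing, yet the listing omits it. Requiring both
    probes filters out processes that merely started or exited mid-scan."""
    stable = probed_before & probed_after
    return sorted(stable - listed)

def scan(max_pid=None):
    """Cross-view scan of the live system (Linux only). With /proc mounted
    hidepid=2, other users' processes are invisible to both views, so run as root."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    before = probed_pids(max_pid)
    listed = listed_pids()
    after = probed_pids(max_pid)
    return compare_views(listed, before, after)

# Constructed sample: the listing omits PID 4242, which direct lookup still finds.
SAMPLE_LISTED = {1, 2, 100, 1337}
SAMPLE_PROBED = {1, 2, 100, 1337, 4242}

if __name__ == "__main__":
    print("constructed sample ->", compare_views(SAMPLE_LISTED, SAMPLE_PROBED, SAMPLE_PROBED))
    print("live system ->", scan(max_pid=32768))
```

A non-empty result from scan() is a lead, not a verdict: confirm with a second run and with tools that read process state through other paths before concluding a listing is being filtered.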