“The Base-Rate Fallacy and Its Implications for the Difficulty of Intrusion Detection” by Stefan Axelsson. Proceedings of the 6th ACM Conference on Computer and Communications Security, 1999: http://portal.acm.org.
If a machine is compromised, it is entirely possible that kernel space itself has been corrupted with a loadable kernel module. This would enable command execution to be intercepted from within kernel space, and so critical system binaries would not need to be modified to contain backdoor functions. See, for example, the Kernel Intrusion System: www.uberhax0r.net/kis.
For more information about how the /etc/passwd and /etc/shadow files are constructed, see the respective man(5) pages.
ViewCVS is available for download from: viewcvs.sourceforge.net.