Haxdoor - Advanced Rootkit design
This article by F-Secure describes one of the most advanced root kit design. With kernel mode networking API hooks it even has the potential to compromise SSL based security.
QUOTE: Haxdoor is one of the most advanced rootkit malware out there. It is a kernel-mode rootkit, but most of its hooks are in user-mode. It actually injects its hooks to the user-mode from the kernel -- which is really unique and kind of bizarre. We took a careful look at Backdoor.Win32.Haxdoor.gh (detection added 31 Jan, 2006). It hooks HTTP functionality, redirects traffic, steals private information, and transmits the stolen data to a web-server controlled by the attacker. Most (all?) online banks use SSL encrypted connections to protect transmissions. If Haxdoor would hook networking functionality in the kernel, it would have hard time phishing since the data would be encrypted. By hooking on a high-enough API level it is able to grab the data before it gets encrypted.