This rootkit idea is much more in the style of old-school rootkits than something like modifying data dictionary views to hide the user.
The first post is titled "My Oracle rootkit experiment" and is a great read.
Today Dennis has posted a second installment on his blog titled "My Oracle TNS Listener rootkit experiment". This time the post looks at modifying the TNS listener binary by intercepting the function snttread(), which is like a wrapper around recv() on Unix. The magic word is now not the username "root" but the string for the command "/bin/sh", the Bourne shell. The packet should include the "magic word", and then the shell is launched instead!!
To exploit this Dennis simply used netcat to connect to the listener port number and he immediately had a shell! Again, very interestingly, there is nothing written to the log files except that a TNS-12502 is written. This error is not totally uncommon, so using it to work out whether this rootkit is installed is difficult. Also, if you are clever enough to implement these modifications you can very easily change the C and make it harder to detect. These are traditional rootkit techniques and traditional methods to detect them are needed.
Remember these are backdoors, not exploits; you need access to modify the libraries in the first place.
Also it's nice to see that Dennis has automated some of the install with Python scripts. Great posts Dennis!!
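One traditional detection method for the binary and library modification described above is a file-integrity baseline, shown here as an added example (not code from Dennis's posts or from Oracle). The bin/ and lib/ layout under ORACLE_HOME, the file names in demo() and the helper names are assumptions for illustration.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(oracle_home, subdirs=("bin", "lib")):
    """Map relative path -> (sha256, size, mode) for each regular file.
    The bin/ and lib/ layout is an assumption; symlinks are skipped."""
    result = {}
    for sub in subdirs:
        for root, _dirs, files in os.walk(os.path.join(oracle_home, sub)):
            for name in files:
                full = os.path.join(root, name)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                st = os.stat(full)
                rel = os.path.relpath(full, oracle_home)
                result[rel] = (hash_file(full), st.st_size, st.st_mode & 0o7777)
    return result


def compare(baseline, current):
    """Report files modified, added or removed since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed sample: a fake ORACLE_HOME whose listener is patched in place."""
    with tempfile.TemporaryDirectory() as home:
        for rel, data in (("bin/tnslsnr", b"\x7fELF original"), ("lib/libexample.so", b"lib")):
            os.makedirs(os.path.dirname(os.path.join(home, rel)), exist_ok=True)
            with open(os.path.join(home, rel), "wb") as fh:
                fh.write(data)
        baseline = snapshot(home)
        with open(os.path.join(home, "bin/tnslsnr"), "wb") as fh:
            fh.write(b"\x7fELF patched!")  # same length, different content
        return compare(baseline, snapshot(home))
```

Take the baseline from a known-good install and keep it off the host, since anyone able to patch the listener can also rewrite a baseline stored beside it.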