For a good example of this, take a look at Brian Krebs' story from 19 Feb 06.
What I thought was most interesting about the F-Secure blog entry was this:
These changing Haxdoor variants are generated with a toolkit known as "A-311 Death".
The toolkit itself is sold on the Internet by its author, known as "Corpse" or "Korpsov".Okay, this is nothing new, either. Selling malware toolkits or custom rootkits is nothing new, either. This toolkit is based on Haxdoor. I started taking a look around and I found some interesting links. One was from the nmap-dev list...it's a discussion of a service detection signature for rootkits produced from this toolkit.
My post on Gromozon has some links to rootkit detection software.
McAfee Rootkits: The Growing Threat paper
Symantec C variant, D variant