...
On the compromised machine, libncom seems to provide access to the attacker. From what we have found about libncom, it hooks some of libc's system calls used by the system's deamons (be it ssh, ftpd, httpd, ...) and immediately opens a (root)shell when the attacker connects. By doing so, the rootkit would bypass any access controls (even tcpwrappers) built into the server, allowing her to get shell access through any service listening to the outside world.
...