sorry i kind of smushed that all together.
it's either a buggy or replaced kernel module that they were able to get on the system or exploit on a system that already had it, and then load it when it is needed. then, to actually take advantage of the rootkit, they were able to exploit a different hole in nginx.
i know this stuff is usually very focused in the *nix world compared to windows servers. i also don't know or care to know anything about the hardware/software that GH runs on, but it's hard not to know that the site runs on top of nginx when we see timeouts from time to time.
the reason i was a bit alarmed and decided to post was because it affects a very stable kernel (the one used in deb6). creative destruction!