Во-первых, о внедрении руткита через /dev/mem писал даже Крис Касперски, и писал весьма давно. А во-вторых,
Filter access to /dev/mem (NONPROMISC_DEVMEM)
If this option is left off, you allow userspace access to all of memory, including kernel and userspace memory. Accidental access to this is obviously disastrous, but specific access can be used by people debugging the kernel.
If this option is switched on, the /dev/mem file only allows userspace access to PCI space and the BIOS code and data regions. This is sufficient for dosemu and X and all common users of /dev/mem.