How about the statically linked emergency boot shell? Now every shell script is a "statically
linked app." Also, someone could purposefully statically link an otherwise innocuous bit of
code and use it as a conduit. That is, the "installation" procedure for some bit of malware
might include an additional level of indirection.
LD_PRELOAD could work for many things, but it strikes me as leaving too many holes, more than
the "scan on open" approach does. (Now, if "scan on open" also made a temporary read-only
copy for all readers/executers, a'la RCU, you might have something!)