
The obvious is that you think you're running "su" but you're really running some other command because your PATH is ~/.trojans:/bin:/usr/bin. They may not have immediate control, but they'll get it eventually.


Just FYI, PATH is always reset by su to prevent exactly this. Same with LD_LIBRARY_PATH and other security-critical environment variables.


That's after you run su. Just to be clear, I'm talking about an attacker fiddling with your path so you run fake-su, stealing your password, then calling su and making it look like nothing shady happened. By the time su is running, it's far too late for it to do anything.
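A defensive check for the situation the last comment describes, added here as an example and not written by any of the commenters: it walks a PATH in lookup order and reports every entry that someone other than a trusted owner could write to before the command is found in a protected directory. The function name `audit_path`, the `TRUSTED_OWNER` variable and the output labels are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example; function name and output labels are hypothetical.
# Owner allowed to control PATH directories (assumption: root).
TRUSTED_OWNER=${TRUSTED_OWNER:-root}

# audit_path CMD [PATH_STRING]
# Walk PATH entries in lookup order and print what the shell meets before
# it reaches CMD in a directory that only TRUSTED_OWNER can modify.
audit_path() {
    local cmd=$1 rest="${2-$PATH}:" dir
    while [ -n "$rest" ]; do
        dir=${rest%%:*}      # next entry
        rest=${rest#*:}      # remainder after the first colon
        case $dir in
            /*) ;;
            *)  # Empty and relative entries resolve against the current directory.
                echo "relative '$dir'"
                continue ;;
        esac
        [ -d "$dir" ] || continue
        # -H follows a symlinked entry such as /bin -> usr/bin; -prune
        # tests the directory itself without descending into it.
        if [ -n "$(find -H "$dir" -prune \( ! -user "$TRUSTED_OWNER" \
                   -o -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
            echo "untrusted $dir"
            # A file of the same name is already planted ahead of the real one.
            if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
                echo "shadow $dir/$cmd"
            fi
        elif [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            # First hit in a protected directory: later entries cannot shadow it.
            echo "trusted $dir/$cmd"
            return 0
        fi
    done
    echo "unresolved $cmd"
}

# Audit the current PATH for su (or the command given as the first argument).
audit_path "${1:-su}"
```

A result with only a `trusted` line covers the PATH entries themselves; writable parent directories and shell aliases or functions named `su` are outside what this checks.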



