"The thing is that someone has to execute some code to change it, and if so then malicious code has already been run." Wrong. You could have at least googled "LD_PRELOAD exploit" before writing this.
Setting LD_PRELOAD does not require running your own code. A real-life exploit using LD_PRELOAD took advantage of a weakness in a telnet server that let the connecting client export environment variables (yup, even before logging on - no local login required). Write access to a directory visible to telnetd was enough to plant your own malicious *.so and then gain root access by exporting LD_PRELOAD via telnet.
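
Added example, not part of the comment above and not code from any telnetd: one way a network daemon can keep client-exported variables such as LD_PRELOAD out of the environment it hands to a privileged login program is an allowlist filter. The allowlist contents, function names and sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allowlist for this example: names a remote client may set. */
static const char *const ALLOWED[] = { "TERM", "DISPLAY", "LANG", "TZ", NULL };

/* Return 1 if "NAME=value" carries an exactly matching allowlisted name. */
int client_env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t len;
    if (eq == NULL || eq == entry)
        return 0;                       /* malformed: no '=' or empty name */
    len = (size_t)(eq - entry);
    for (size_t i = 0; ALLOWED[i] != NULL; i++)
        if (strlen(ALLOWED[i]) == len && strncmp(entry, ALLOWED[i], len) == 0)
            return 1;
    return 0;                           /* LD_PRELOAD, LD_LIBRARY_PATH, IFS, ... */
}

/* Copy allowlisted entries of NULL-terminated in[] into out[] (cap slots,
 * including the terminating NULL). Returns the number of entries kept. */
size_t filter_client_env(const char *const *in, const char **out, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    for (size_t i = 0; in[i] != NULL && n + 1 < cap; i++) {
        if (client_env_allowed(in[i]))
            out[n++] = in[i];
        else                            /* log the name only: a detection point */
            fprintf(stderr, "dropped client variable: %.*s\n",
                    (int)strcspn(in[i], "="), in[i]);
    }
    out[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed sample of variables received from a remote client. */
    const char *const received[] = { "TERM=xterm", "LD_PRELOAD=/tmp/x.so",
        "LD_LIBRARY_PATH=/tmp", "TERMINFO=/tmp", "DISPLAY=:0", NULL };
    const char *kept[8];
    size_t n = filter_client_env(received, kept, 8);
    for (size_t i = 0; i < n; i++)
        puts(kept[i]);
    return 0;
}
```

An allowlist with exact name matching fails closed: a loader variable this example never heard of is dropped along with LD_PRELOAD, which a prefix denylist would not guarantee.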