A few years back I wanted to run all ports on my windows box in full stealth mode and still have a FULL range of access options from the internet. I wrote a program that every few minutes parsed zonealarm logs for a pair of specified connection attempts within a specified time frame. If found a small server would open that I could start and stop proccesses for access to various other servers. I was planning to development an application to do this directly without zonealarm but it hit me, an open port need not acknowledge its presence to any kind of query (duh). So I accomplishes the same thing on a standard (stealth open) port.
The question then becomes how would you trace such a trojan when about any windows component even your device drivers can be full stealth servers.