I realize that this thread is fairly old, but I found something that demonstrates a point that slarty made here.

2. The recipes for detecting them (netstat, looking at the registry, process listing) often cited on AO can be fooled fairly easily.
I read this thread recently, and I wondered how netstat could be fooled, and today I came across a program that demonstrates how this can be done. I took this quote from a text file that came zipped with it:

Many tutorials on how to determine if your computer's infected with a trojan tell you to run "netstat -a" to see if any ports are listed as "listening", because "listening" ports can be trojans. In all honesty this was a good idea, because netstat never lies... or does it? I have to admit that netstat was my usual way of checking for trojans, until now. I was wondering how you could hide the fact that there was a trojan installed on one of your victim's computers... the authors of these trojans go through great effort to hide the trojan from Windows and so on, but netstat still wins. Not anymore.

My program requires you to rename the original "netstat.exe" to "systray.exe" (they are almost identical in size - the original systray.exe is in the "system" directory), and then upload MY netstat to their windows directory (in place of the old netstat). The next time they run netstat to check for trojans, it won't show certain ports (four in total): 666 (dunno), 27374 (Subseven - the best trojan out there!), 31337 (Back Orifice - yeah cDc man !!!) and 12345 (NetBus I think?). Anyway - if you want to change any of these ports (I can only think of a billion reasons why you might want to), just modify the source code and recompile, in Turbo C++. Consider your victim 0wned !!!

I left out the name of the program to avoid causing a stir.

Just thought it was worth mentioning in case anyone was confused about this like I was.

~FrameWork
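
Added example, not part of the original post or of the program it quotes: one way to catch a netstat that filters its output is to compare what it reports with what the TCP stack itself answers on the four ports named in the quoted readme. The sample netstat output is constructed, and the function names are hypothetical.

```python
import socket

# Ports the quoted readme says the replaced netstat leaves out of its output.
FILTERED_PORTS = (666, 12345, 27374, 31337)

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      10.0.0.5:80            ESTABLISHED
"""

def listening_ports(netstat_text):
    """Return the set of TCP ports that the netstat output marks LISTENING."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].upper().startswith("TCP"):
            continue
        if fields[3].upper() != "LISTENING":
            continue
        port = fields[1].rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports

def accepts_connection(port, host="127.0.0.1", timeout=0.5):
    """Ask the TCP stack directly: does anything accept a connection here?
    Misses listeners bound only to a non-loopback address."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def unreported_listeners(netstat_text, ports=FILTERED_PORTS, probe=accepts_connection):
    """Ports that accept connections although netstat did not list them."""
    reported = listening_ports(netstat_text)
    return sorted(p for p in ports if p not in reported and probe(p))

if __name__ == "__main__":
    # In practice netstat_text would be the live output of `netstat -an`.
    for port in unreported_listeners(SAMPLE_NETSTAT):
        print(f"port {port} accepts connections but netstat does not list it")
```

Any port this reports is a reason to stop trusting the local netstat.exe and compare it against a known-good copy.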