Internet News has a story about popular firewall software — including the package I use, Norton Personal Firewall — failing to stop outbound traffic that would be generated from something like a trojan or a virus.
The key issue with the Norton package is its automatic, rule-based outbound permission scheme. Basically, if you foolishly choose the wrong option, Norton assumes that any program identifying itself as Internet Explorer really is Internet Explorer and simply lets the outbound connection go through. Not a good idea.
As Steve Gibson, who wrote a utility called LeakTest to test the ability of various firewall programs to stop these sorts of trojans, says, “This idea of allowing all these apps pre-approval is ludicrous. It’s trivial to get permission out of the firewall without notifying the user.”
Norton replies that if you’re running a virus checker and the firewall, the risk is minimal, but they’re going to update their software anyway. Gibson endorses ZoneAlarm, which uses cryptographic signatures of pre-approved applications to make sure it’s really IE, rather than a trojan or virus, trying to make an outbound communication.
And yes, I’ve found these sorts of things on my system, though how they got there I haven’t a clue, so the risk is real.
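To make the difference between the two outbound rules concrete, here is an added example (not code from Norton, ZoneAlarm or LeakTest) that evaluates a name-only rule and a contents-bound rule against two constructed files that share a name. It assumes a SHA-256 digest recorded at approval time as a stand-in for the signature check; the function names and file paths are hypothetical.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Return the SHA-256 hex digest of the file at path."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def allow_by_name(path, approved_names):
    """Weak rule: trust whatever the executable is called."""
    return os.path.basename(path).lower() in approved_names

def allow_by_digest(path, approved_digests):
    """Stronger rule: the name must be approved AND the file contents must
    match the digest recorded when the program was approved."""
    expected = approved_digests.get(os.path.basename(path).lower())
    return expected is not None and expected == sha256_of(path)

def demo():
    """Build two constructed files with the same name and evaluate both rules."""
    with tempfile.TemporaryDirectory() as root:
        genuine = os.path.join(root, "program_files", "iexplore.exe")
        impostor = os.path.join(root, "temp", "iexplore.exe")
        for path, body in ((genuine, b"constructed: genuine browser bytes"),
                           (impostor, b"constructed: different program bytes")):
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as f:
                f.write(body)
        names = {"iexplore.exe"}
        digests = {"iexplore.exe": sha256_of(genuine)}  # recorded at approval time
        return {
            # each tuple is (genuine allowed?, impostor allowed?)
            "name_rule": (allow_by_name(genuine, names), allow_by_name(impostor, names)),
            "digest_rule": (allow_by_digest(genuine, digests), allow_by_digest(impostor, digests)),
        }

if __name__ == "__main__":
    print(demo())
```

The digest has to be recomputed when the connection is requested, not only when the rule is created, or a file swapped in after approval inherits the permission.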