DCH keeps asking me about the acceptability of letting svchost run unfiltered for outbound network processing. Remember Conficker? Below is its high-level operational write-up.
[Edit] BTW - new strains of Conficker are back in the wild. So much so Sophos has a new scanner/removal tool for it.
This is just one of a multitude of malware that have used svchost in the past. My opinion is that the lack of svchost.exe protection is the "dirty little secret" of the third party retail firewall industry.
A Static Analysis of Conficker
Like most malware, Conficker propagates itself in the form of a packed binary file. Our first step in analyzing Conficker consists of undoing the work of the packers and obfuscators to recover the original malware binary code. Conficker is propagated as a dynamically linked library (DLL), which has been packed using the UPX packer. The DLL is then run as part of svchost.exe and is set to automatically run every time the infected computer is started. After unpacking, we find that the UPX packed binary file is not the original code but incorporates an additional layer of packing. We use IDA Pro to remove this second layer of obfuscation and dump the original code from memory. To do so, we first run the Conficker service, snapshot the core Conficker library as a memory image, and from this code segment reconstruct a complete Windows executable program. The program requires a PE-header template, and we compute an entry point that allows the program to enter Conficker's code segment. This appears to be a clever way of making the analysis of Conficker a bit more challenging than usual. We now describe the static analysis of the original code, which reveals the full extent of the malware logic and capabilities.
Ref: http://mtc.sri.com/Conficker/
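The SRI write-up quoted above starts with recognising that the DLL svchost is hosting is a UPX-packed binary. As an added example (not code from the post or from SRI's analysis), here is a small triage script that applies the same first-step checks to any PE file a service is loading: it walks the DOS header, COFF header and section table, then flags UPX section names, high-entropy sections (a packed or encrypted payload) and sections that are both writable and executable (where an unpacker stub writes decompressed code). The PE images it runs on are constructed in-memory fixtures, not Conficker samples; the section layout and entropy threshold of 7.0 bits/byte are assumptions for the demo.

```python
import json
import math
import random
import struct

# PE/COFF constants from the published format specification
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes):
    """DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsec):
        off = table + i * 40
        name = image[off:off + 8].rstrip(b"\0")
        _, _, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        flags = struct.unpack_from("<I", image, off + 36)[0]
        sections.append((name, raw_ptr, raw_size, flags))
    return chars, sections


def triage(image: bytes, entropy_threshold: float = 7.0) -> dict:
    """Packer indicators a defender checks before deeper analysis."""
    chars, sections = parse_pe(image)
    report = {"is_dll": bool(chars & IMAGE_FILE_DLL), "sections": [], "findings": []}
    for name, raw_ptr, raw_size, flags in sections:
        ent = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
        label = name.decode("ascii", "replace")
        report["sections"].append({"name": label, "raw_size": raw_size, "entropy": round(ent, 2)})
        if name in UPX_SECTION_NAMES:
            report["findings"].append(f"{label}: UPX packer section name")
        if raw_size >= 256 and ent >= entropy_threshold:
            report["findings"].append(f"{label}: high entropy {ent:.2f} (packed or encrypted payload)")
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            report["findings"].append(f"{label}: writable and executable section")
    return report


def build_minimal_pe(sections, is_dll=True) -> bytes:
    """Constructed fixture: a PE32 shell carrying only the headers triage() reads.
    It is not loadable; the optional header is zero apart from its magic."""
    opt_size = 0xE0
    header_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (header_len + 0x1FF) & ~0x1FF  # align raw data to 512 bytes
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, chars)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    headers, bodies, ptr = b"", b"", raw_ptr
    for name, data, flags in sections:
        headers += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, flags)
        bodies += data
        ptr += len(data)
    image = dos + b"PE\0\0" + coff + opt + headers
    return image + b"\0" * (raw_ptr - len(image)) + bodies


def sample_packed_image() -> bytes:
    """Constructed stand-in for a UPX-packed service DLL: empty UPX0, random-looking UPX1, both RWX."""
    rng = random.Random(2009)
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    rwx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return build_minimal_pe([(b"UPX0", b"", rwx), (b"UPX1", payload, rwx)])


def sample_clean_image() -> bytes:
    """Constructed unpacked DLL: repetitive code bytes in .text, readable strings in .data."""
    code = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 300
    data = b"harmless service DLL string table\0" * 50
    return build_minimal_pe([
        (b".text", code, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
        (b".data", data, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ])


if __name__ == "__main__":
    for title, img in (("packed", sample_packed_image()), ("clean", sample_clean_image())):
        print(title, json.dumps(triage(img), indent=2))
```

Run against the DLLs listed as ServiceDll for the svchost groups on a host and the findings give an ordering for which ones to unpack and read first; a packed, writable-and-executable DLL registered as a service is exactly the shape the quoted analysis describes, whereas a signed, low-entropy DLL with plain .text/.data sections needs no further attention.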