When leak testing started there were only a few examples of malware that used any of these concepts, and it was believed at the time that these were targeted attacks. That was before the malware explosion. There are many different leak tests; if I counted right, Matousec has 66 tests. Because these are not actual malware, they are properly classified as proof of concept. My question is: out of these many leak tests, which are in wide use by contemporary malware?

Some other things to consider:

1. The majority of PCs use the default XP (and now Vista) firewall, which lacks outbound control.
2. The most widely used third-party firewall is Zone Alarm Free, which has only minimal leak control.
3. As best as I can determine, totally disabling the firewall is the most common technique used by malware writers to facilitate communication.
4. Gkweb makes a point over at firewallleaktester that any firewall where svchost communication on ports 80 and 443 is not limited to seven (for the US; there may be others) Microsoft update address ranges may be bypassed using the Background Intelligent Transfer Service (BITS). I have found his advice useful previously. In some firewalls this limitation is easy to implement, in others very difficult.

Points 1 through 3 suggest that there is enough low-hanging fruit that malware authors don't have to bother with complex strategies to fool firewalls. Point 4 suggests using BITS may be the method of choice. However, the famous Storm worm uses a modified P2P protocol, and IRC is popular as well. Some of these tests are also likely to be more difficult to implement or keep hidden than others, which could reduce their use by malware authors.

So, anyone, where are the real risks, and is it BITS or something else?
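The svchost restriction in point 4 can also be checked after the fact, from the defender's side: flag any svchost.exe connection on 80/443 whose destination is outside the permitted update ranges. This is an added illustration, not code from the post or from firewallleaktester; it assumes process-attributed connection records in the shape of Sysmon network-connection events, and the allowlist ranges are constructed placeholders, not the real Microsoft update ranges.

```python
import ipaddress

# Constructed placeholder allowlist standing in for the Microsoft update
# address ranges the post mentions. These are documentation (TEST-NET)
# ranges, NOT the real update ranges; substitute the ranges your firewall
# policy actually permits.
UPDATE_ALLOWLIST = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",   # placeholder (TEST-NET-3)
    "198.51.100.0/24",  # placeholder (TEST-NET-2)
)]
WEB_PORTS = {80, 443}

def is_suspicious_svchost(event):
    """True when svchost.exe initiated an outbound 80/443 connection to an
    address outside the update allowlist (the BITS-style egress described
    in point 4). Other processes, other ports and inbound connections are
    ignored here."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\svchost.exe"):
        return False
    if not event.get("Initiated", True):      # only outbound connections
        return False
    if int(event.get("DestinationPort", 0)) not in WEB_PORTS:
        return False
    dst = ipaddress.ip_address(event["DestinationIp"])
    return not any(dst in net for net in UPDATE_ALLOWLIST)

def flag_events(events):
    """Return the subset of events that should raise an alert."""
    return [e for e in events if is_suspicious_svchost(e)]

# Constructed sample records (Sysmon event ID 3 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "203.0.113.7",
     "DestinationPort": 443, "Initiated": True},   # inside allowlist: expected update traffic
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "192.0.2.10",
     "DestinationPort": 80, "Initiated": True},    # outside allowlist: flag
    {"Image": r"C:\Program Files\Browser\browser.exe", "DestinationIp": "192.0.2.10",
     "DestinationPort": 443, "Initiated": True},   # not svchost: out of scope
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "192.0.2.20",
     "DestinationPort": 53, "Initiated": True},    # not a web port: out of scope
]

if __name__ == "__main__":
    for e in flag_events(SAMPLE_EVENTS):
        print("ALERT: svchost web egress outside update ranges ->",
              e["DestinationIp"], e["DestinationPort"])
```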