Unfortunately I do not have the link any more,
but for years i read a description for Windows how to detect a trojan that are do not use the normal IP-Stack.
(It mean 'netstat -utapn' can not see them)
The procedure was as follows:
Dumping the RAM to an Image on Disk, and analyze them.
Know everbody a instructions for the same procedure on Linux ?