<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: The New Intrusion Detection: Part 1</title>
	<atom:link href="http://blog.emagined.com/2009/05/29/has-the-the-new-intrusion-detection-part-1/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.emagined.com/2009/05/29/has-the-the-new-intrusion-detection-part-1/</link>
	<description>Articles by Network Security Consultants</description>
	<lastBuildDate>Tue, 26 Jul 2011 18:15:03 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
	<item>
		<title>By: Matt Watchinski</title>
		<link>http://blog.emagined.com/2009/05/29/has-the-the-new-intrusion-detection-part-1/comment-page-1/#comment-148</link>
		<dc:creator>Matt Watchinski</dc:creator>
		<pubDate>Tue, 02 Jun 2009 15:48:42 +0000</pubDate>
		<guid isPermaLink="false">http://blog.emagined.com/?p=480#comment-148</guid>
<description>Just thought I&#039;d throw out a few corrections and some comments.

Deep Packet Inspection these days is considered a layer 7 technology.  Depending on how you think of the OSI model, DPI could be as simple as normalizing HTTP requests for unicode, or SMTP data/headers for spaces, or as complex as handling DCERPC fragmentation and SMB transaction state tracking.  Snort supports all of that, and much more, in its protocol decoders.  This allows it to work with higher-level constructs like: please find me a DCERPC packet with UUID bind handle of XYZ and OPNUM 4.

Additionally, most malware doesn&#039;t open up a secure back channel that is completely encrypted.  Most malware communication works over existing non-encrypted channels, so that is harder to profile.  If the entire connection were encrypted, finding stuff like this wouldn&#039;t be all that difficult.

So the malware authors go with something like this.

POST /someurl/google.cgi?oid=XYZ HTTP/1.0
Headers:
foo=ipaddress; bar=oid; tracker=uuid; data=encrypted info bad guy wants;
Maybe some other encrypted data here

This allows for plenty of room for matching / parsing / finding bad things like this.

You might also want to investigate the numerous netflow analysis products in the marketplace, as they aren&#039;t simple connection trackers.  But more on that in my comments to your second post.</description>
		<content:encoded><![CDATA[<p>Just thought I&#8217;d throw out a few corrections and some comments.</p>
<p>Deep Packet Inspection these days is considered a layer 7 technology.  Depending on how you think of the OSI model, DPI could be as simple as normalizing HTTP requests for unicode, or SMTP data/headers for spaces, or as complex as handling DCERPC fragmentation and SMB transaction state tracking.  Snort supports all of that, and much more, in its protocol decoders.  This allows it to work with higher-level constructs like: please find me a DCERPC packet with UUID bind handle of XYZ and OPNUM 4.</p>
<p>Additionally, most malware doesn&#8217;t open up a secure back channel that is completely encrypted.  Most malware communication works over existing non-encrypted channels, so that is harder to profile.  If the entire connection were encrypted, finding stuff like this wouldn&#8217;t be all that difficult.</p>
<p>So the malware authors go with something like this.</p>
<p>POST /someurl/google.cgi?oid=XYZ HTTP/1.0<br />
Headers:<br />
foo=ipaddress; bar=oid; tracker=uuid; data=encrypted info bad guy wants;<br />
Maybe some other encrypted data here</p>
<p>This allows for plenty of room for matching / parsing / finding bad things like this.</p>
<p>You might also want to investigate the numerous netflow analysis products in the marketplace, as they aren&#8217;t simple connection trackers.  But more on that in my comments to your second post.</p>
]]></content:encoded>
	</item>
</channel>
</rss>