You can do about anything if the malware includes kernel-mode component. The majority of users are usually logged on as user with Administrator rights which has the priviledge to install and load drivers. So there is no actual problem for the malware to install such a component (it can be even the primary component of the malware).
Since such kernel-mode component can bypass firewall by many different ways, such as:
1) Execution in the context of priviledged process (even simply create thread in the context of System process),.
2) Blocking/cheating firewall components.
3) Using it’s own protocol module and working with network directly.
4) Working with TCPIP.SYS devices directly bypassing any possible upper level TDI filters.
5) and so on…