For something similar, there needs to be a way for iptables to store and reference a list of approved process names (not necessarily their access patterns such as dest port and so on, but I suppose if the name list is possible, it won't be that hard to tack on extra optional conditions), and so a trojan running wget would trigger if wget was not in the list of approved programs.
*nod* Owner match extension does not have a way to know what process / user / group / command initiated the wget command. But owner match extension could be used to make sure that only Apache (or whatever web server you are running) will send packets out from port 80, etc. Grant. . . .
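As an added illustration of the point made in this reply (example code, not from either poster), the script below builds the owner-match rules for both cases discussed in the thread: only the web server's uid may send packets from TCP port 80, and only listed uids may initiate outbound HTTP, which is as close as owner match gets to the "approved program list" wished for above, since it keys on uid/gid rather than on a command name. The user names `www-data` and `backup` are assumptions, not values from the thread. The function emits the `iptables` commands so they can be reviewed first; pipe its output into `sh` as root to apply them.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumptions: the web server
# drops privileges to user "www-data", and "www-data" plus "backup" are the only
# users that should ever open outbound HTTP connections (placeholder names).

WEB_USER="www-data"             # assumption: uid the web server runs as
HTTP_CLIENTS="www-data backup"  # assumption: uids allowed to initiate outbound HTTP

# Emit the rules instead of applying them so they can be inspected (or asserted
# on) before reaching the real iptables binary. The owner match only works in
# the OUTPUT chain (locally generated packets), and on current kernels it matches
# uid/gid only, so no rule can name a command such as wget directly.
owner_rules() {
    web_user="$1"; shift
    clients="$*"
    # 1. Only the web server's uid may send packets *from* TCP port 80;
    #    anything else claiming sport 80 is logged and dropped.
    echo "iptables -A OUTPUT -p tcp --sport 80 -m owner --uid-owner $web_user -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp --sport 80 -j LOG --log-prefix \"sport80-not-$web_user: \""
    echo "iptables -A OUTPUT -p tcp --sport 80 -j DROP"
    # 2. Only listed uids may *initiate* outbound HTTP (new connections, --syn).
    #    A trojan running wget under any other uid hits the LOG and DROP rules.
    for u in $clients; do
        echo "iptables -A OUTPUT -p tcp --dport 80 --syn -m owner --uid-owner $u -j ACCEPT"
    done
    echo "iptables -A OUTPUT -p tcp --dport 80 --syn -j LOG --log-prefix \"outbound-http-denied: \""
    echo "iptables -A OUTPUT -p tcp --dport 80 --syn -j DROP"
}

# Count how many ACCEPT rules are pinned to a uid; handy when auditing the
# generated set against the intended user list.
count_uid_rules() {
    owner_rules "$@" | grep -c -- '--uid-owner'
}

# Show the rule set for review (apply with: owner_rules ... | sudo sh).
owner_rules "$WEB_USER" $HTTP_CLIENTS
```

These rules must sit before any blanket `-m state --state ESTABLISHED -j ACCEPT` in OUTPUT, otherwise an impostor process that binds port 80 after a real connection exists gets its packets accepted by the state rule before the owner check runs. The LOG targets give you the detection half: a `sport80-not-www-data:` or `outbound-http-denied:` line in the kernel log is the signal that something other than the approved uids tried to talk HTTP.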