That's not quite how TCP/IP works. I'd suggest you get hold of TCP/IP Illustrated or something similar but in the meantime...
1 - Source opens TCP connection to Proxy and sends request to Proxy.
2 - Proxy opens TCP connection to Destination and sends request to Destination.
3 - Destination sends reply to Proxy over the pre-existing connection to Proxy.
4 - Proxy sends reply from Destination to Source over pre-existing connection to Source.
Naturally that's not quite how it works either, but hopefully it will give you some idea of what actually happens.
As for your phone home malware, that is the source in the above analogy so you can capture the destination address by sniffing the traffic.
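If the proxy is an HTTP proxy (an assumption; the post does not name a proxy type), the request the source sends in step 1 names the destination, so it can be read from a capture of that leg. The following is an added example, not part of the original post; the function names, hostnames and sample payloads are constructed.

```python
# Added example: recover the real destination from the source-to-proxy leg.
# Assumes an HTTP proxy; all sample payloads below are constructed.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def split_host_port(authority, default_port):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    if authority.startswith("["):                   # IPv6 literal
        host, _, rest = authority[1:].partition("]")
        port = rest.lstrip(":")
    else:
        host, _, port = authority.partition(":")
    return host.lower(), int(port) if port.isdigit() else default_port

def destination_from_proxy_request(payload):
    """Return (host, port) named in the first request of a captured
    source-to-proxy TCP payload, or None if it is not an HTTP request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _ = parts
    if method == "CONNECT":                         # tunnel: target is host:port
        return split_host_port(target, 443)
    url = urlsplit(target)
    if url.scheme in DEFAULT_PORTS and url.netloc:  # absolute-form request
        authority = url.netloc.rpartition("@")[2]   # drop any userinfo
        return split_host_port(authority, DEFAULT_PORTS[url.scheme])
    for line in lines[1:]:                          # origin-form: use Host header
        name, _, value = line.partition(":")
        if name.strip().lower() == "host" and value.strip():
            return split_host_port(value.strip(), 80)
    return None

# Constructed captures of step 1 (source -> proxy); names are placeholders.
SAMPLES = [
    b"CONNECT c2.example.net:8443 HTTP/1.1\r\nHost: c2.example.net:8443\r\n\r\n",
    b"GET http://update.example.org/beacon?id=7 HTTP/1.1\r\nHost: update.example.org\r\n\r\n",
    b"POST /gate HTTP/1.1\r\nHost: [2001:db8::5]:8080\r\nContent-Length: 0\r\n\r\n",
    b"\x16\x03\x01\x00\x05hello",                   # not HTTP: nothing to extract
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(destination_from_proxy_request(raw))
```

At the IP layer every one of these packets is addressed to the proxy; the destination appears only in the request line or Host header.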