Is it already known with certain confidence, whether any version of the backdoor automatically pulled in exploit code from remote on it's own? IOW, are people that had compromised versions, but whose sshd was either not running or behind a firewall guaranteed to be safe and not further compromised?

No evidence of it calling home so far