Black - Normal Sockets
Most sockets from applications started by the user will display as black. This means the owner process of the socket is a visible application - it has a window that is visible on-screen (although it may be minimised). It is possible but highly unlikely that trojan sockets will display as black.

Blue - System Sockets
Blue sockets indicate ownership by either the System process or by a registered service process (usually started by the operating system). It is possible for trojans to register themselves as service processes, but this is very rare.
See also Notes on Services

Red - Hidden Sockets
Red sockets indicate that the owning process is hidden (ie. it has no visible windows) and is not a service or system process. Although there are some legitimate applications that behave this way, many hidden sockets are owned by trojans, so red-socket processes are always worthy of further investigation. In fact, very few 

Red (Background) - Closing Sockets
Sockets with red backgrounds are sockets that have just closed. The red background remains for one 'refresh', allowing you to see sockets as they close rather then having them immediately disappear.
 
Notes:
It is not practically possible to determine if a process has an icon in the system tray as the system tray icon is handled by the explorer.exe process, not the process, so hidden processes that have a system tray icon will still show up as red.
 
Port Explorer maintains a tally of each socket class. These tallies (and combined total) can be seen in the status bar at the bottom left-hand corner of the main Port Explorer window.